Policy and Procedure Manual

Post on 25-Jul-2020

Page 1: Home - ConnectVirginia ConnectVirginia… · Web view: A portal provided by ConnectVirginia to CVEAM Users that allows the User to send patient subscription lists and receive encounter


Table of Contents
Policy/Procedure (Version, Effective Date)

Board of Directors Policies and Procedures
BD-1. Board of Directors Policy and Procedure Manual (v2, 3/4/14)
BD-2. Policy and Procedure Adoption and Amendment Process (v3, 3/4/14)
BD-3. Role of the Board of Directors (v3, 3/4/14)
BD-4. Director Expectations (v2, 3/4/14)
BD-5. Director Confidentiality Policy (v1, 3/4/14)
BD-6. Conflicts of Interest (v1, 3/4/14)
BD-7. Director Compensation (v1, 3/4/14)
BD-8. Committees (v3, 3/4/14)
BD-9. Rules of Order (v3, 3/4/14)
BD-10. Expense Reimbursement (v1, 3/4/14)
BD-11. Public Participation/Communications (v3, 12/9/14)
BD-12. Lobbying and Political Activity (v1, 3/4/14)
BD-13. Board Oversight of Procurement for Technology or Services (v1, 5/1/16)

General HIPAA Policies
H-1. Workforce Member Confidentiality and Compliance Statement (v2, 9/18/12)
H-2. Workforce Member Discipline (v1, 1/20/12)
H-3. Message Content Incident, Breach and Security Incident Response Procedures (v4, 12/9/14)
H-4. Business Associate Agreements (v4, 12/9/14)

HIPAA Privacy Policies
HP-1. Uses and Disclosures of PHI (v3, 3/12/13)
HP-2. Minimum Necessary Standard (v2, 3/12/13)
HP-3. De-Identification of PHI (v2, 9/18/12)
HP-4. Access of Individuals to PHI (v2, 9/18/12)
HP-5. Amendment of PHI (v2, 9/18/12)
HP-6. Accounting of Disclosures of PHI (v4, 12/9/14)
HP-7. Assigned Privacy Responsibility (v2, 12/9/14)

HIPAA Security Policies

Administrative Safeguards
HS-1. Security Risk Management, Evaluation and Updates (v2, 9/18/12)
HS-2. Information System Activity Review (v3, 12/9/14)
HS-3. Assigned Security Responsibility (v3, 12/9/14)
HS-4. Workforce Member Security (v2, 9/18/12)
HS-5. Information Access Management (v3, 12/9/14)
HS-6. Suspension and Termination Procedures (v4, 12/9/14)
HS-7. Security Awareness and Training (v1, 1/20/12)
HS-8. Security Reminders (v1, 1/20/12)
HS-9. Malicious Software (v1, 1/20/12)
HS-10. Log-In Monitoring and Automatic Log-Off (v2, 9/18/12)
HS-11. Password Management (v2, 3/12/13)
HS-12. Contingency Plan (v3, 12/9/14)
HS-13. Data Backup Plan and Disaster Recovery Plan (v2, 9/18/12)
HS-14. Emergency Mode Operation Plan (v1, 1/20/12)
HS-15. Applications and Data Criticality Analysis (v2, 9/18/12)

Physical Safeguards
HS-16. Facility Access and Security (v2, 9/18/12)
HS-17. Workstation Use and Security (v1, 1/20/12)
HS-18. Device and Media Controls (v2, 9/18/12)
HS-19. Technical Access Controls (v2, 3/12/13)
HS-20. Integrity (v2, 9/18/12)
HS-21. Person or Entity Authentication (v3, 3/12/13)
HS-22. Transmission Security (v2, 12/9/14)
HS-23. Availability (v1, 1/20/12)

Operational Policies
O-1. Subpoena Response (v1, 1/20/12)

ConnectVirginia EXCHANGE
CE-1. ConnectVirginia EXCHANGE Permitted Purposes (v2, 12/9/14)
CE-2. ConnectVirginia EXCHANGE Node Eligibility Criteria (v1, 9/18/12)
CE-3. ConnectVirginia EXCHANGE Application Review Policy (v2, 12/9/14)
CE-4. ConnectVirginia EXCHANGE Node Suspension and Termination (v2, 12/9/14)
CE-5. Dispute Resolution Process (v1, 9/18/12)
CE-6. Consent (v3, 12/9/14)
CE-7. Auditing and Monitoring (v1, 9/18/12)
CE-8. Sensitive Data (v2, 12/9/14)
CE-9. ConnectVirginia’s Use and Disclosure of PHI in ConnectVirginia EXCHANGE (v2, 12/9/14)
CE-10. Agreements with ConnectVirginia EXCHANGE Nodes (v2, 12/9/14)
CE-11. ConnectVirginia EXCHANGE Fees (v2, 12/9/14)

ConnectVirginia Portals
PORT-1. ConnectVirginia Portal User Information Confidentiality (v1, 12/9/14)
PORT-2. Agreements with ConnectVirginia Portal Participants and Users (v1, 12/9/14)
PORT-3. ConnectVirginia Portal Participant Enrollment (v1, 12/9/14)
PORT-4. ConnectVirginia Portal User Roles (v1, 12/9/14)
PORT-5. ConnectVirginia’s Use and Disclosure of PHI in ConnectVirginia Portals (v1, 12/9/14)
PORT-6. ConnectVirginia Portal Auditing, Monitoring and Attestations of Compliance (v1, 12/9/14)
PORT-7. ConnectVirginia Portal Participant Suspension (v1, 12/9/14)
PORT-8. ConnectVirginia Portal User Suspension and Termination (v1, 12/9/14)
PORT-9. ConnectVirginia Portal Log-in and Log-off (v1, 12/9/14)
PORT-10. ConnectVirginia Portal Password Management (v1, 12/9/14)
PORT-11. ConnectVirginia Portal Help Desk (v1, 12/9/14)
PORT-12. ConnectVirginia Portal Training (v1, 12/9/14)
PORT-13. Breach and Security Incident Response Procedures for Portal Participants and Users (v1, 12/9/14)
PORT-14. Use of the CVEAM Portal (v1, 12/9/14)
PORT-15. Deletion of ConnectVirginia Encounter Alert Reports (v1, 12/9/14)
PORT-16. Use of the Patient Search Service through the STREAMLINE Portal (v1, 12/9/14)
PORT-17. Establishing a Relationship in the STREAMLINE Portal (v1, 11/16/15)

ConnectVirginia Public Health Reporting Pathway
PHRP-1. Certificate Validation (v1, 2/4/14)
PHRP-2. Agreements with Registrants (v1, 2/4/14)
PHRP-3. ConnectVirginia Public Health Reporting Audit Requests (v1, 2/4/14)
PHRP-4. ConnectVirginia Registrant Onboarding (v2, 12/9/14)
PHRP-5. ConnectVirginia Registrant Suspension and Termination (v1, 2/4/14)
PHRP-6. ConnectVirginia Public Health Reporting Data Encryption (v1, 2/4/14)


Introduction to the Policy and Procedure Manual

ConnectVirginia is the Statewide Health Information Exchange (HIE) for the Commonwealth of Virginia. It provides a secure, confidential, electronic system to support the exchange of patient medical records among health care providers, both in Virginia and beyond. ConnectVirginia will provide health care providers with various ways to send and/or receive patient records, including but not limited to ConnectVirginia EXCHANGE, the ConnectVirginia Encounter Alerts Messaging Portal, the ConnectVirginia STREAMLINE Clinical Portal, and the ConnectVirginia Public Health Reporting Pathway (PHRP).

This Policy and Procedure Manual contains policies and procedures that implement the policy decisions which underlie ConnectVirginia. They will inform all ConnectVirginia Customers of the “rules of the road” for the Network, in addition to the trust agreement(s) that each ConnectVirginia Customer signs.

Board of Directors Policies and Procedures

The ConnectVirginia Board of Directors (Board) is responsible for setting the overall strategic direction for ConnectVirginia as well as overseeing its development and implementation. Working with the ConnectVirginia Executive Director and the other strategic advisors, the ConnectVirginia Board will guide the implementation of technical and policy components that are critical to a successful health information exchange.

The Board Policies and Procedures describe the ways in which the ConnectVirginia Board will operate to maximize its effectiveness and transparency.

HIPAA Privacy and Security Overview

Because ConnectVirginia is in the business of helping providers securely exchange health information, ConnectVirginia has written Privacy and Security Policies and Procedures to affirm its commitment to comply with the applicable provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The net effect of these laws is that ConnectVirginia is required to comply with certain provisions of the HIPAA Privacy and Security Regulations. The HIPAA Policies and Procedures included in this Manual provide the framework through which ConnectVirginia will comply.


HIPAA Privacy Policies and Procedures

The HIPAA Privacy Regulations provide rules regarding the use and disclosure of PHI, as well as specific rules regarding an individual’s rights to access PHI about himself. As a Business Associate, ConnectVirginia is required to follow all requirements of the HIPAA Privacy Regulations. ConnectVirginia’s Privacy Officer will oversee its compliance with the HIPAA Privacy Regulations and its efforts to protect the privacy of all PHI that is exchanged through the Network. ConnectVirginia will consistently monitor, and periodically audit, its Privacy practices to ensure compliance with the Privacy Policies and Procedures.

HIPAA Security Policies and Procedures

Under the HIPAA Security Regulations, as a Business Associate, ConnectVirginia is required to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of the ePHI that is exchanged through the Network. These safeguards are designed to:

1. Ensure the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits;

2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;

3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted by the HIPAA Privacy Regulations; and,

4. Ensure compliance with the HIPAA Security Regulations by its workforce.

The Security Policies and Procedures in this Manual address ConnectVirginia’s obligations under the HIPAA Security Regulations. In designing these policies and procedures, ConnectVirginia has considered:

1. ConnectVirginia’s size, complexity, and capabilities;

2. ConnectVirginia’s technical infrastructure, hardware, and software security capabilities;

3. The costs of security measures; and

4. The probability and criticality of potential risks to ePHI.

ConnectVirginia’s Security Officer will oversee ConnectVirginia’s initiatives to create and maintain appropriate and reasonable policies, procedures, and controls to protect the security of ePHI exchanged through the Network.


Network Operations Policies and Procedures

The ConnectVirginia Network consists of multiple components – including, but not limited to, the ConnectVirginia Encounter Alerts Messaging Portal, the STREAMLINE Clinical Portal, ConnectVirginia EXCHANGE, and the ConnectVirginia Public Health Reporting Pathway. While these components are separate and distinct from each other, there are some operational similarities. The Network Operations Policies and Procedures include general policies and procedures that describe how the overall ConnectVirginia Network will be operated.

ConnectVirginia EXCHANGE Operational Policies and Procedures

ConnectVirginia EXCHANGE facilitates the onboarding to eHealth Exchange, which provides a secure method for ConnectVirginia EXCHANGE Nodes and their Node Users to query and retrieve patient data across all ConnectVirginia EXCHANGE Nodes as well as through other eHealth Exchange Participants. The ConnectVirginia EXCHANGE Policies and Procedures govern how this service will be used, operated and managed.

ConnectVirginia Portal Operational Policies and Procedures

There are currently two distinct portals included in the ConnectVirginia Network – the ConnectVirginia STREAMLINE Clinical Portal and the ConnectVirginia Encounter Alerts Messaging Portal (CVEAM). Additional portals may be added to the ConnectVirginia Network in the future. The ConnectVirginia Portal Operational Policies and Procedures govern how all ConnectVirginia Portals will be used, operated and managed, as well as providing specific policies for the use of each individual portal provided through the ConnectVirginia Network.

ConnectVirginia Public Health Reporting Pathway Operational Policies and Procedures

The ConnectVirginia Public Health Reporting Pathway (PHRP) allows participants to electronically submit data directly to the Virginia Department of Health to satisfy reporting requirements. The ConnectVirginia Public Health Reporting Operational Policies and Procedures govern how this service will be used, operated and managed.


Defined Terms

For the purposes of the ConnectVirginia Policies and Procedures, the following terms shall have the meaning ascribed to them below. Any capitalized terms used herein that are not defined shall have the meaning ascribed to them in the Trust Agreement or the applicable statute or regulation.

Addressable: Addressable refers to implementation specifications contained within certain HIPAA Regulations that ConnectVirginia is not automatically required to implement as written. ConnectVirginia must perform an assessment to determine whether the addressable implementation specification is a reasonable and appropriate safeguard for protecting against unauthorized use, disclosure, and access of PHI or ePHI. If it is not reasonable and appropriate, ConnectVirginia must document the reasons supporting this conclusion and, where reasonable and appropriate, implement an equivalent alternative measure.

Administrative Safeguards: Administrative Safeguards are actions, policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of Users in relation to the protection of ePHI.

Applicable Law: means (i) for ConnectVirginia Customers, all applicable statutes and regulations of the State(s) or jurisdiction(s) in which the Customer operates, as well as all applicable Federal statutes, regulations, standards and policy requirements; and (ii) for ConnectVirginia, all applicable Virginia statutes and regulations as well as all applicable Federal statutes, regulations, standards and policy requirements.

Applicant: An organization that has submitted an application to become a ConnectVirginia EXCHANGE Node.

Breach: The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except in the case of (1) any unintentional acquisition, access, or use of PHI, made in good faith and in the scope of the professional relationship, by a Workforce Member or individual acting under the authority of ConnectVirginia Customer and the PHI is not further used, acquired, or disclosed; (2) any inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by ConnectVirginia or a ConnectVirginia Customer to another similarly situated individual at the same facility and any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person; or (3) a disclosure of PHI where ConnectVirginia has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Business Associate: A Business Associate is a person or entity who, on behalf of a Covered Entity or another Business Associate, performs, or assists in the performance of, a function or activity involving the use or disclosure of protected health information, including, but not limited to, facilitation of the exchange of health information; claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; or practice management.

Certification Testing: The tests and demonstrations of a ConnectVirginia EXCHANGE Node’s system and processes used for interoperable health information exchange, to assess conformity with the Specifications and Certification and Onboarding Plan for eHealth Exchange.

ConnectVirginia Customer: An individual or organization who has been authorized to exchange information through the ConnectVirginia Network. This includes ConnectVirginia EXCHANGE Nodes, ConnectVirginia EXCHANGE Node Users, ConnectVirginia Portal Participants, ConnectVirginia Portal Users, and PHRP Registrants.

ConnectVirginia Customer Agreements: Those agreements which govern the relationships between ConnectVirginia and its Customers. These include, but are not limited to, the ConnectVirginia EXCHANGE Trust Agreement, the ConnectVirginia Portal Master Services Agreement, the CVEAM End User License Agreement, the STREAMLINE Clinical Portal End User License Agreement, and the ConnectVirginia Public Health Reporting Agreement.

ConnectVirginia Encounter Alerts Messaging Portal (CVEAM): A portal provided by ConnectVirginia to CVEAM Users that allows the User to send patient subscription lists and receive encounter alert reports for their subscribed patients utilizing an Internet-based service provided by ConnectVirginia.

ConnectVirginia EXCHANGE: The service that utilizes the Onboarding and Certification Specifications established by ConnectVirginia to facilitate the onboarding of ConnectVirginia EXCHANGE Nodes to eHealth Exchange.

ConnectVirginia EXCHANGE Node: An organization that has met the eligibility criteria for participation in ConnectVirginia EXCHANGE and has been accepted as a ConnectVirginia EXCHANGE Node by the ConnectVirginia Board of Directors. ConnectVirginia EXCHANGE Nodes will act as both a Submitter and a Recipient when using ConnectVirginia EXCHANGE.

ConnectVirginia EXCHANGE Node User: Any individual or organization who has been authorized to use ConnectVirginia EXCHANGE through a ConnectVirginia EXCHANGE Node’s System in a manner defined by the ConnectVirginia EXCHANGE Node. “ConnectVirginia EXCHANGE Node Users” may include, but are not limited to, individual Health Care Providers; health systems; Health Plans; and employees, contractors, or agents of the node. A ConnectVirginia EXCHANGE Node User may act as either a Submitter, Recipient or both when using ConnectVirginia EXCHANGE.

ConnectVirginia Network: The Internet-based network established by ConnectVirginia that allows ConnectVirginia Customers to exchange information with each other and others, as permitted by ConnectVirginia. The ConnectVirginia Network may include, but not be limited to, the STREAMLINE Clinical Portal, the CVEAM Portal, ConnectVirginia EXCHANGE, and the Public Health Reporting Pathway and may be modified by ConnectVirginia from time to time in its discretion.

ConnectVirginia STREAMLINE Clinical Portal: A portal provided by ConnectVirginia to STREAMLINE Portal Users which allows the User to conduct a search of and retrieve information about individuals that is available through a ConnectVirginia EXCHANGE Node or Partner Network Participant.

ConnectVirginia STREAMLINE Portal Participant: An organization that has entered into the ConnectVirginia Portal Master Services Agreement with ConnectVirginia and uses or intends to use the STREAMLINE Portal Service.

ConnectVirginia STREAMLINE Portal User: An individual who has been authorized by a ConnectVirginia STREAMLINE Portal Participant to access the ConnectVirginia STREAMLINE Clinical Portal.

ConnectVirginia Partner Network: Any electronic data exchange network with which ConnectVirginia has a relationship which allows ConnectVirginia Customers to Transact Message Content with the ConnectVirginia Partner Network Participants and vice versa. By way of example only, since ConnectVirginia EXCHANGE is a participant in the eHealth Exchange, then eHealth Exchange is a “ConnectVirginia Partner Network.”

ConnectVirginia Partner Network Participant: Any individual or organization who has been authorized to use a ConnectVirginia Partner Network and has the ability to Transact Message Content with ConnectVirginia Customers through ConnectVirginia. By way of example only, as eHealth Exchange is a ConnectVirginia EXCHANGE Partner Network, then each of the participants in eHealth Exchange could be a “ConnectVirginia Partner Network Participant.”

ConnectVirginia Portal: Any online portal provided by ConnectVirginia to ConnectVirginia Customers for the purpose of sending or receiving patient records or information, including, but not limited to, the CVEAM Portal and the STREAMLINE Clinical Portal.

ConnectVirginia Portal Participant: An organization that has entered into the ConnectVirginia Portal Master Services Agreement with ConnectVirginia to electronically exchange information through one or more of the ConnectVirginia Portals.

ConnectVirginia Portal User: An individual who has been authorized by ConnectVirginia or a ConnectVirginia Portal Participant to access one or more of the ConnectVirginia Portals.

ConnectVirginia Public Health Reporting Pathway (PHRP): The service that allows ConnectVirginia Public Health Reporting Pathway Registrants the ability to transmit public health data to the Virginia Department of Health.


ConnectVirginia Public Health Reporting Pathway Registrant: Any individual or organization who has been authorized to use the ConnectVirginia PHRP to transmit public health data to the Virginia Department of Health.

ConnectVirginia Service: Any service offered by ConnectVirginia as a method of submitting, receiving, or transmitting electronic health information. For example, ConnectVirginia EXCHANGE and ConnectVirginia Public Health Reporting Pathway are both ConnectVirginia Services.

CVEAM Delegate: An individual under the direction and control of a CVEAM Participant who has been granted access to the Participant’s CVEAM account.

CVEAM Participant: An organization that has entered into the ConnectVirginia Portal Master Services Agreement with ConnectVirginia and uses or intends to use the CVEAM Portal Service.

CVEAM Portal User: Any individual who has been authorized by ConnectVirginia or a CVEAM Participant to access the CVEAM Portal.

CVEAM Portal User Information: Demographic information about CVEAM Users provided to ConnectVirginia during the CVEAM enrollment process or in accordance with the CVEAM End User License Agreement.

CVEAM Site Administrator: An individual who is named on the enrollment form for each CVEAM account that is responsible for sending the patient subscription list to ConnectVirginia and for overseeing any CVEAM Delegates assigned to that account.

Contingency Event: A Contingency Event is an unplanned event, such as an emergency or disaster, which may require the activation of ConnectVirginia’s Contingency Plan, Data Back-Up Plan, Disaster Recovery Plan, or Emergency Operations Plan.

Covered Entity: A Covered Entity is (i) a health plan, (ii) a health care clearinghouse, or (iii) a health care provider who transmits any health information in any form, including in electronic form. For purposes of this Policy and Procedure Manual, Covered Entity means ConnectVirginia Customers who utilize the Network, including, but not limited to, health care providers, medical practices, and laboratories.

Dispute: Any controversy, dispute, or disagreement arising out of or relating to the use of the Network.

Electronic Protected Health Information or ePHI: Electronic PHI means PHI which is either transmitted by electronic media or maintained in electronic media.

Health Care Operations: Health Care Operations shall have the meaning set forth at 45 C.F.R. § 164.501 of the HIPAA Regulations.


HIPAA Regulations: HIPAA Regulations means the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations promulgated thereunder, and the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. §§ 17921-17954) and the rules or regulations promulgated thereunder.

Message: An electronic transmission of Message Content Transacted between ConnectVirginia EXCHANGE Nodes, ConnectVirginia EXCHANGE Node Users and ConnectVirginia EXCHANGE Partner Network Participants using ConnectVirginia EXCHANGE. Messages are intended to include all types of electronic transactions as specified in the Onboarding and Certification Specifications, including the data or records transmitted with those transactions.

Message Content: That information contained within a Message or accompanying a Message sent by a ConnectVirginia EXCHANGE Node, ConnectVirginia EXCHANGE Node User or Partner Network Participant through ConnectVirginia EXCHANGE. This includes, but is not limited to, Protected Health Information (PHI), de-identified data (as defined in the HIPAA Regulations at 45 C.F.R. § 164.514), individually identifiable information, pseudonymized data, metadata, Digital Credentials, and schema.

Message Content Incident: The unauthorized use of, acquisition of, access to, or disclosure of Message Content while Transacting such Message Content through ConnectVirginia EXCHANGE, or the unauthorized use of, acquisition of, access to, or disclosure of Message Content submitted to ConnectVirginia EXCHANGE. The term “Message Content Incident” does not include the following:

(i) any unintentional acquisition, access, disclosure, or use of Message Content by an employee or individual acting under the authority of Participant Node or its Node User if—

(I) such acquisition, access, disclosure, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with Participant Node or its Node User; and

(II) such Message Content is not further acquired, accessed, disclosed or used by such employee or individual; or

(ii) any acquisition, access, disclosure or use of information contained in or available through Participant Node’s System where such acquisition, access, disclosure or use was not directly related to ConnectVirginia EXCHANGE.

Payment: Payment shall have the meaning set forth at 45 C.F.R. § 164.501 of the HIPAA Regulations.

Physical Safeguards: Physical Safeguards are physical measures, policies, and procedures to protect the Network and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

Privacy Officer: Privacy Officer means the individual named in the Assigned Privacy Responsibility Policy (HP-7).


Protected Health Information or PHI: PHI means health information that is individually identifiable.

Required: Required refers to implementation specifications contained within certain HIPAA Regulations with which ConnectVirginia must comply.

Security Incident: Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations of the Network.

Security Officer: Security Officer means the individual named in the Assigned Security Responsibility Policy (HS-3).

Technical Safeguards: Technical Safeguards means the technology and the policy and procedures that ConnectVirginia has to protect ePHI and control access to it.

Transact: To send, request, receive, assert, respond to, submit, route, subscribe to, or publish Message Content using ConnectVirginia EXCHANGE.

Treatment: Treatment shall have the meaning set forth at 45 C.F.R. § 164.501 of the HIPAA Regulations.

Vendor: Vendor means a vendor, consultant, contractor or other non-ConnectVirginia third party who may have access to the Network for any reason or purpose (other than those who may have incidental access) or who may have access to any ConnectVirginia facilities housing the information technology assets that support the Network or related infrastructure.

Workforce Member: All persons who are under the control of ConnectVirginia, including, but not limited to, employees, independent contractors, loaned personnel, interns, and temporary personnel, and who have access to the Network or any PHI derived from the Network.

Workstation: Workstation means an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.


Board of Directors Policies and Procedures

ConnectVirginia Board of Directors Policy No.: BD-1
Title: Board of Directors Policy and Procedure Manual

Version: 2 Effective Date: 3/4/14

The Board of Directors shall be guided by written policies that are readily accessible to the Board of Directors and ConnectVirginia staff. The Policy and Procedure Manual shall be reviewed periodically at intervals to be determined by the Board of Directors and revised as needed.

A current copy of the Board of Directors Policy and Procedure Manual will be maintained on the ConnectVirginia website (http://www.connectvirginia.org).

Regulatory Reference: None.

ConnectVirginia Board of Directors Policy No.: BD-2
Title: Policy and Procedure Adoption and Amendment Process

Version: 3 Effective Date: 3/4/14

Purpose Statement: The Policies and Procedures contained in this manual supplement the ConnectVirginia Bylaws related to the rights and responsibilities for the oversight and operation of ConnectVirginia. Being of a dynamic nature, policies are subject to revision by the Board of Directors. ConnectVirginia will continuously review, and as necessary, revise all of its Policies and Procedures so that they remain current with the latest developments in the rapidly evolving HIE environment. It might be necessary to revise Policies and Procedures to comply with changes to the HIPAA Regulations; to incorporate new technologies that protect the confidentiality, integrity and availability of ePHI; to address any threats to the privacy or security of PHI that ConnectVirginia may encounter in the future; or to reflect any new governance or operational practices that are established.

Policy/Procedure:

1. The ConnectVirginia Board of Directors has the authority to approve all new, amended, or replaced ConnectVirginia Policies and Procedures and to repeal any existing ConnectVirginia Policies and Procedures. The ConnectVirginia Board of Directors may delegate to the Chief Executive Officer or a subcommittee of the Board of Directors the ability to approve non-substantive changes to the ConnectVirginia Policies and Procedures. Notwithstanding the foregoing, no change to a Policy and Procedure shall be made that may have a financial, technical or operational impact on ConnectVirginia EXCHANGE Nodes, unless the ConnectVirginia EXCHANGE Nodes have been consulted about the change and information provided by the ConnectVirginia EXCHANGE Nodes has been factored into the change.

2. Any Director or ConnectVirginia Customer may submit in writing to ConnectVirginia a request for the development of a new Policy and Procedure, or a request for the amendment or repeal of an existing Policy and Procedure. All such requests shall identify (i) the Policy and Procedure that is the subject of the requested change (if any), (ii) the type of Policy and Procedure sought (if it is a request for a new Policy and Procedure), (iii) a thorough description of why the request is necessary, and (iv) an analysis of the expected impact of adopting the new Policy and Procedure or modifying/repealing an existing Policy and Procedure.

3. The Chief Executive Officer will consider any requests that meet the submission criteria set forth above within thirty (30) days following receipt of such request.

a. If, after considering the request, the Chief Executive Officer determines that the request does not have merit or lacks sufficient detail, it will communicate this determination to the requestor.

b. If, after considering the request, the Chief Executive Officer determines that the request has merit, it will forward the request to a subcommittee or to staff to review the request and make a recommendation for action to the Chief Executive Officer. If such request involves a change to a Policy and Procedure that may have a financial, technical or operational impact on ConnectVirginia EXCHANGE Nodes, then the subcommittee or staff responsible for making a recommendation to the Chief Executive Officer will consult with the ConnectVirginia EXCHANGE Nodes about the request and factor any feedback received from the ConnectVirginia EXCHANGE Nodes into the recommendation.

4. If the Chief Executive Officer approves a recommendation of a subcommittee or staff to adopt a new, amended, or replaced Policy and Procedure or repeal a Policy and Procedure, it will forward such recommendation to the Board of Directors. The Board of Directors will then vote on whether to approve the recommended Policy and Procedure. If it is approved, the Board of Directors will determine the effective date of such Policy and Procedure. To the extent that the Policy and Procedure is applicable to ConnectVirginia EXCHANGE Nodes, the Board of Directors will determine the effective date in accordance with the ConnectVirginia EXCHANGE Trust Agreement.

5. ConnectVirginia will provide notice to ConnectVirginia EXCHANGE Nodes of such new, amended, repealed or replaced Policies and Procedure in accordance with the ConnectVirginia EXCHANGE Trust Agreement and will use its best efforts to provide notice of any applicable new, amended, repealed or replaced Policies and Procedures to affected ConnectVirginia Customers prior to the effective date of any such changes.

6. All Policies and Procedures and all documentation recording any changes or modifications to the Privacy and Security Policies and Procedures will be maintained for at least six years.

Responsibility: ConnectVirginia, Chief Executive Officer, ConnectVirginia Board of Directors, ConnectVirginia Customers

Regulatory Reference: None.

ConnectVirginia Board of Directors Policy No.: BD-3 Title: Role of the Board of Directors

Version: 3 Effective Date: 3/4/14

As set forth in the ConnectVirginia Bylaws, the Board of Directors is charged with governing ConnectVirginia and its network functions. This means that the Board is generally responsible for (i) setting the overall strategic direction of ConnectVirginia; (ii) making important policy decisions that will impact ConnectVirginia operations; and (iii) overseeing the Chief Executive Officer as he manages the establishment and operation of ConnectVirginia. These responsibilities, which are explained more fully below, are critically important to the success of ConnectVirginia.

Specifically, the ConnectVirginia Board of Directors will be responsible for the following:

Setting the overall strategic direction for ConnectVirginia.

Establishing goals, objectives and performance measures for ConnectVirginia.

Facilitating efforts to convene health care stakeholders to create trust and consensus on an approach for statewide health information exchange in Virginia that complies with applicable state and federal policies and laws.

Determining acceptable uses for ConnectVirginia that are driven by the value use cases for statewide health information exchange, the value use cases for nationwide health information exchange and considerations related to privacy and security of health information.

Managing and maintaining financial sustainability for ConnectVirginia.

Providing oversight and holding ConnectVirginia Customers accountable for complying with all participation requirements.

Interpreting and applying standards, policies and agreements for health information exchanges that are recommended by the Commonwealth and that apply both to public and private sector entities.

Approving the design, implementation and administration of a certification process for ConnectVirginia Customers to ensure compliance with Virginia and national health information exchange standards, policies and agreements.

Coordinating integration and use of ConnectVirginia amongst other public and private sector health information technology related projects within the Commonwealth.

Recommending policy changes, as appropriate and necessary, to Commonwealth executive, legislative and judicial branches to reduce barriers to participation in ConnectVirginia and enhance privacy and security protections for the health information that is exchanged through ConnectVirginia.

Working with HITSAC and VITA, and national and regional interstate governance bodies to provide recommendations for the resolution of issues of standards harmonization, interstate/national policy, technical interoperability and applicable current and future federal and state regulations.

Contracting with Vendors to provide any additional services that are necessary to build, maintain and operate ConnectVirginia.

Enforcing accountability with Vendors contracted to ConnectVirginia for meeting designated service metrics and imposing penalties as contractually appropriate.

Determining how ConnectVirginia will be represented in Dispute resolution.

In fulfilling its responsibilities for the governance of the ConnectVirginia network functions, the Board of Directors will use the following set of overarching principles that were adopted by the Federal Health Information Technology Policy Committee in December 2010.

1. Transparency and openness: The foremost basis for establishing trust is engaging in governance activities that are transparent and open to stakeholders. The Board of Directors will support the engagement of the general public and those exchanging information.

2. Inclusive participation and adequate representation: The Board of Directors will encourage robust participation through appropriate means by a diverse array of stakeholders, including consumers.

3. Effectiveness and efficiency: The Board of Directors will be organized and operate in a streamlined manner with lean support structures to promote effectiveness, efficiency and on-going sustainability.

4. Accountability: Those charged with governance of ConnectVirginia occupy a position of public trust. Individuals and organizations who participate in the governance process must recognize that they individually, as well as the Board of Directors as a whole, are accountable to the stakeholders and, more broadly, the public in the discharge of their duties.

5. Federated governance and devolution: Governance of a “network of networks,” like ConnectVirginia, is and will continue to be inherently complex and requires a diverse range of competencies and perspectives. Governance decisions should be made by those closest to the issue and with the greatest stake in successful resolution. The ConnectVirginia Board of Directors should only perform those functions that require a centralized approach and should allow ConnectVirginia Customers to perform governance functions that are better addressed at the regional or local level.

6. Clarity of mission and consistency of actions: The Board of Directors should clearly document its rights, responsibilities, obligations, and objectives and make these available to all stakeholders. Decisions made by the Board of Directors should be consistent with these rights, responsibilities, obligations, and objectives.

7. Fairness and due process: All processes established by the Board of Directors must be fair, responsive and assure due process protections for those that participate or are affected by the resulting decisions.

8. Promote and support innovation: The Board of Directors should make decisions that promote and support innovation whenever possible. In addition, to the extent possible, ConnectVirginia should minimize administrative burdens on ConnectVirginia Customers to allow for innovation without compromising trust.

9. Evaluation, learning and continuous improvement: The Board of Directors should consistently evaluate its performance against appropriate performance and effectiveness measures and improve its practices based on experience.

Regulatory References: None.

ConnectVirginia Board of Directors Policy No.: BD-4 Title: Director Expectations

Version: 2 Effective Date: 3/4/14

Directors are responsible, both individually and collectively, for contributing to the effective governance of ConnectVirginia and for fulfilling the responsibilities of the Board of Directors as outlined in the Role of the Board of Directors Policy (BD-3). To that end, Directors are responsible to:

1. Learn about ConnectVirginia, read all materials provided to Directors about ConnectVirginia, and keep up-to-date on ConnectVirginia activities, programs, and management.

2. Be familiar with and act in accordance with the Board of Directors Policy and Procedure Manual.

3. Understand and use best efforts to support ConnectVirginia so that it reaches its goals.

4. Prepare for Board meetings by diligently reviewing all materials provided to Directors in advance of the meeting.

5. Attend as many Board of Directors meetings in-person as practical, and participate in all such meetings using fair, independent judgment and due care in conducting the business of ConnectVirginia.

6. As appropriate, serve on committees or act as a liaison to Board Advisory Committees.

7. Act as an informed advocate of ConnectVirginia by promoting its mission, generating good will for ConnectVirginia, and encouraging participation by relevant stakeholders.

8. Always exercise Board of Director powers in the interest of ConnectVirginia, and not for the interest of the Director or others.

9. Maintain and promote high ethical standards including good-faith Board of Director decision making and avoid an actual or perceived conflict of interest with other activities, interests, and/or organizations with which the Director may be involved.

10. Provide constructive input and respect the diverse opinions of others.

11. Be accessible, at least by phone or e-mail, to staff and other Directors as needed.

12. Agree that in the event, for whatever reason, a Director can no longer fulfill his/her duties and responsibilities as a Director, such Director will immediately notify the Chairperson and resign from the Board of Directors. Notice of resignation shall be effective when delivered unless the notice specifies a later effective time. If the resignation specifies an effective time which is later than the time on which the notice is delivered, the Board of Directors may choose to fill the pending vacancy so long as the successor does not take office until the effective time.

To assist the Directors in fulfilling their responsibilities, ConnectVirginia staff will provide each Director with the following:

1. Access to the management team of ConnectVirginia, as needed for proper operation of the Board of Directors

2. Ample notice of all Board meetings

3. Minutes of all Board meetings

4. Relevant information to conduct his or her job as a Director

5. Respect for his or her time

6. The use of his or her talent effectively

7. Straightforward and thorough responses to any questions necessary to carry out his or her responsibilities to ConnectVirginia.

Regulatory Reference: None.

ConnectVirginia Board of Directors Policy No.: BD-5 Title: Director Confidentiality Policy

Version: 1 Effective Date: 3/4/14

ConnectVirginia and its Directors, Officers, committee members, staff, consultants and volunteers (“Personnel”) may only use and disclose ConnectVirginia’s Confidential Information as authorized by ConnectVirginia in the conduct of ConnectVirginia’s affairs, and shall make reasonable efforts to prevent unauthorized disclosures of ConnectVirginia’s Confidential Information.

ConnectVirginia Confidential Information shall include all such information relating to

(i) ConnectVirginia’s Personnel, donors, potential donors, clients and partners;

(ii) ConnectVirginia’s operations, governance, participants and users; or

(iii) ConnectVirginia’s operations, policies, plans, goals, or objectives.

ConnectVirginia Confidential Information shall not include information previously known to the general public or previously recognized as standard practice in the field.

All files, documents, and working papers of ConnectVirginia are the property of ConnectVirginia. When Personnel cease to be employed by or affiliated with ConnectVirginia and its Board of Directors, such Personnel shall return to ConnectVirginia all ConnectVirginia Confidential Information and all materials supplied to them by ConnectVirginia, including, but not limited to, agendas, minutes and supporting documents.

Any Personnel who purposely, or through a failure to exercise reasonable care, causes ConnectVirginia Confidential Information to be disclosed improperly will be subject to disciplinary action, up to and including termination.

ConnectVirginia shall include confidentiality provisions in legal agreements it executes with service providers, suppliers, and partners to protect ConnectVirginia Confidential Information.

Regulatory Reference: None.

ConnectVirginia Board of Directors Policy No.: BD-6 Title: Conflict of Interest

Version: 1 Effective Date: 3/4/14

Directors, Officers and committee members (“Covered Persons”) shall always act in the best interests of ConnectVirginia in carrying out their duties. In order to fulfill this obligation, Covered Persons shall avoid situations in which they are directly involved in matters on behalf of ConnectVirginia in which they have a personal or financial interest. Covered Persons shall disclose to ConnectVirginia all possible conflicts of interest in accordance with this policy. This policy is intended to supplement, but not replace, any applicable state and federal laws governing conflicts of interest.

For the purposes of this policy, a Covered Person shall be deemed to have a Financial Interest in a matter if the Covered Person has, directly or indirectly, through business, investment, or family:

a. An ownership or investment interest in any entity with which ConnectVirginia has a current or proposed transaction or arrangement,

b. A compensation arrangement with ConnectVirginia or with any entity or individual with which ConnectVirginia has a transaction or arrangement, or

c. A potential ownership or investment interest in, or compensation arrangement with, any entity or individual with which ConnectVirginia is negotiating a transaction or arrangement.

Compensation includes direct and indirect remuneration as well as gifts or favors that are not insubstantial.

A Financial Interest does not necessarily create a conflict of interest. A Covered Person who has a Financial Interest may have a conflict of interest only if the ConnectVirginia Board of Directors decides that a conflict of interest exists.

Disclosure

A Covered Person shall disclose the existence of any personal or Financial Interest in any matter being considered by the Board of Directors or any committee and shall refrain from voting on such matter. A Covered Person may participate in the discussion of a matter in which they have a personal or Financial Interest so long as there is full disclosure of the interest.

Annual Attestation

Each Covered Person will be required to annually sign the Conflicts of Interest Policy Acknowledgement Statement, attached as Exhibit A, attesting that he or she has read and understands this Conflicts of Interest Policy. Each Director will also be required to annually complete the Conflicts of Interest Disclosure Form, attached as Exhibit B.

Violations of the Conflicts-of-Interest Policy

1. If the ConnectVirginia Board of Directors has reasonable cause to believe a Covered Person has failed to disclose a personal or Financial Interest in a matter under consideration by the Board of Directors, it shall inform the individual of the basis for such belief and afford the individual an opportunity to explain the alleged failure to disclose.

2. If, after hearing the individual’s response and after making further investigation as warranted by the circumstances, the ConnectVirginia Board of Directors determines the individual has failed to make any required disclosure, it shall take appropriate disciplinary and corrective action.

Regulatory Reference: None.

Exhibit A

CONNECTVIRGINIA

ANNUAL CONFLICTS OF INTEREST POLICY STATEMENT

Pursuant to the applicable provisions of the Conflicts of Interest Policy (“Policy”) of ConnectVirginia HIE, Inc., a Virginia nonstock corporation, the individual who executes this statement affirms that such individual:

1. Has received a copy of the Policy.

2. Has read and understands the Policy.

3. Agrees to comply with the Policy.

____________________________________ Signature

____________________________________ Printed Name

____________________________________ Title(s) or Office(s)

____________________________________ Date

Exhibit B

CONNECTVIRGINIA

ANNUAL CONFLICTS OF INTEREST DISCLOSURE FORM

A. I am not aware of any relationship or interest or situation involving my relatives or myself that might result in, or give the appearance of being, a conflict of interest between such family member or me on one hand and ConnectVirginia on the other.

Initials: ______

B. The following are relationships, interests, or situations involving me or a relative that I consider might result in or appear to be an actual, apparent, or potential conflict of interest between such family members or myself on one hand and the ConnectVirginia on the other.

Initials: _______

Corporate (either nonprofit or for-profit) directorships, positions, and employment:

________________________________________________________________________

Memberships in the following organizations:

________________________________________________________________________

Contracts, business activities, and investments with or in the following organizations:

________________________________________________________________________

Other relationships and activities:

________________________________________________________________________

My primary business or occupation at this time:

________________________________________________________________________

I have read and understand ConnectVirginia’s Conflict-of-Interest Policy and agree to be bound by it. I will promptly inform the Chairperson of ConnectVirginia of any material change that develops in the information contained in the foregoing statement.

________________________ ________________________ ____________

Type/Print Name Signature Date

ConnectVirginia Board of Directors Policy No.: BD-7 Title: Director Compensation

Version: 1 Effective Date: 3/4/14

Compensation for Serving on the Board of Directors

No compensation of any kind shall be paid to any Director for the performance of his or her duties as a ConnectVirginia Director. Directors may be allowed reasonable reimbursement of expenses incurred in the performance of their duties pursuant to prior approval from ConnectVirginia Board of Directors.

Compensation for Services Outside the Duties of a Board Director

Subject to the ConnectVirginia Conflict of Interest Policy, this policy shall not in any way limit reasonable compensation for payment for services provided to ConnectVirginia by the Director in any capacity separate from his or her responsibilities as a Director, provided that there is full disclosure of the terms of such compensation and the arrangement has been approved by the ConnectVirginia Board of Directors. The provisions of this section shall not in any way limit reimbursement of or payment for services provided to ConnectVirginia by any organization with which a Director is affiliated.

Regulatory Reference: None.

ConnectVirginia Board of Directors Policy No.: BD-8 Title: Committees

Version: 3 Effective Date: 3/4/14

Standing Committees

To assist the Board of Directors in accomplishing its work, the Board of Directors has deemed it advisable to establish the following standing committees.

The Executive Committee, the composition and responsibilities of which are specified in the Bylaws.

The Privacy & Security Committee, which will be responsible for monitoring ConnectVirginia’s compliance with applicable laws and regulations. The Privacy & Security Committee will also serve as the initial governance link in the Breach reporting protocol. The Privacy & Security Committee may include non-Directors and will provide quarterly reports to the Board of Directors and, to the extent necessary, make recommendations to the Board of Directors on issues related to compliance.

The Board of Directors may establish any additional standing committee(s) that it deems necessary to address a specific on-going subject or issue.

General Organizational Parameters for Standing Committees

1. Membership - Each member of a standing committee shall be appointed by the Board of Directors following the first meeting of the calendar year and shall serve a term of one year or until a successor is appointed.

2. Scope of Work - Work undertaken by each committee shall be at the direction of the Board of Directors. When a committee desires to conduct self-initiated work, the Committee Chairperson will present a proposal to the Board of Directors for approval.

3. Authority - The committee shall have the authority to set agendas, conduct fact finding, and make recommendations to the Board of Directors for action. With the approval of the Board of Directors, the Chairperson may refer appropriate issues to the Committee for review and discussion and preparation of recommendations, as appropriate.

4. Reporting Requirements - Each committee will be given five minutes on the Board of Directors' agenda following each committee meeting to report on their work, submit proposals for self-initiated work and such other matters as the committee deems necessary. Committees may request additional time on the agenda if needed. Minutes of the meeting shall be approved by the committee, kept on file with the Board Secretary and distributed to the Board of Directors.

Ad Hoc Committees

The Board of Directors may establish ad hoc committees to address a specific subject or issue. Such committees may include Directors and other individuals, including staff and stakeholders. Whenever an ad hoc committee is established, the purpose of the committee, its scope of work and its time frame for completion shall be clearly defined. Generally, the scope will be defined in terms of the outcome or product requested from the committee. Ad hoc committees will be established and individuals appointed to such committees only by approval of the Board of Directors.

Board of Directors Advisory Committees

The Board of Directors believes strong communication and stakeholder outreach is essential to the success of ConnectVirginia. Accordingly, the Board of Directors may establish Board of Directors Advisory Committees for the purpose of receiving input and recommendations from stakeholders on specific topics to support the goals and objectives of ConnectVirginia.

Participation on Board of Directors Advisory Committees will be open to all interested individuals within the Commonwealth. Members of these committees will serve without compensation. Members shall attend at least 75 percent of all meetings each year unless additional absences are excused by the Chairperson of the committee.

The Chief Executive Officer shall provide reasonable staff support and assistance to Board of Directors Advisory Committees. Recommendations of these committees are advisory only. All final decisions rest solely with the Board of Directors.

Work Groups

The Board of Directors, the Chief Executive Officer or the Executive Director may establish Work Groups for the purpose of providing feedback on specific topics. These Work Groups shall be organized by the Board of Directors, the Chief Executive Officer or the Executive Director as they deem appropriate for the topic to be addressed.

Regulatory Reference: None.

ConnectVirginia Board of Directors Policy No.: BD-9 Title: Rules of Order

Version: 3 Effective Date: 3/4/14

The Board of Directors shall observe customarily accepted processes for the conduct of meetings. The normal order of business at a regular meeting of the Board of Directors shall be as outlined below. The Chairperson shall, with the consent of the Board of Directors, have the latitude to reorder the agenda at any specific meeting to accommodate specific circumstances.

I. Call to Order

II. Adoption of Meeting Agenda and Approval of Meeting Minutes

III. Chairperson’s Report

IV. Standing Committee Reports (if needed)

V. Executive Director's Report

VI. Old Business and Action Items

VII. New Business and Reports to the Board of Directors

VIII. Future Business

IX. Adjournment

Regulatory Reference: None.

ConnectVirginia Board of Directors Policy No.: BD-10 Title: Expense Reimbursement

Version: 1 Effective Date: 3/4/14

Policy Statement: ConnectVirginia will not reimburse Directors for their expenses associated with attending Board meetings and conducting ConnectVirginia business. The Board of Directors may, however, approve exceptions to this policy on a case-by-case basis.

Regulatory Reference: None.

ConnectVirginia Board of Directors Policy No.: BD-11 Title: Public Participation/Communications

Version: 3 Effective Date: 12/9/14

Public Participation in Board of Directors Meetings

The Board of Directors may, in its sole discretion, permit members of the public to attend meetings of the Board of Directors. The Board shall have the ability to convene any meeting of the Board of Directors into executive session at any time for any reason without prior notice.

Public Communications to the Board of Directors Generally

Members of the public may present their views on issues of public concern which relate to ConnectVirginia by submitting written or electronic comments to the Board of Directors. Community input does not require Directors or the Executive Director to discuss or respond to the inputs nor act on a request or proposal.

Procedures For Written or Electronic Communications to the Board of Directors

The ConnectVirginia Board of Directors welcomes communications from the public regarding issues of general importance to ConnectVirginia. Written comments may be presented to the Board of Directors at any time by mail or delivery to the Executive Director of ConnectVirginia, 4900 Cox Rd, Suite 245, Glen Allen, Virginia 23060. Electronic communications may be addressed to the entire Board of Directors at the following address [email protected].

Regulatory Reference: None.


ConnectVirginia Board of Directors Policy No.: BD-12 Title: Lobbying and Political Activity Version: 1 Effective Date: 3/4/14

ConnectVirginia encourages individual participation in civic affairs. However, as a charitable organization, ConnectVirginia may not participate in lobbying acts or make contributions to any candidate for public office or political committee and may not intervene in any political campaign on behalf of or in opposition to any candidate for public office.

To avoid any appearance that ConnectVirginia is engaging in prohibited lobbying or political activities, ConnectVirginia personnel must:

Refrain from making any contributions to any candidate for public office or political committee on behalf of ConnectVirginia.

Refrain from making any contributions to any candidate for public office or political committee in a manner that may create the appearance that the contribution is on behalf of ConnectVirginia.

Refrain from using any organizational financial resources, facilities, or personnel to endorse or oppose a candidate for public office.

Clearly communicate that we are not acting on behalf of the organization, if identified as a Director of ConnectVirginia, while engaging in political activities in an individual capacity.

Refrain from engaging in political activities in a manner that may create the appearance that such activity is by or on behalf of ConnectVirginia.

Regulatory Reference: None.


ConnectVirginia Board of Directors Policy No.: BD-13 Title: Board Oversight of Procurement for Technology or Services

Version: 1 Effective Date: 5/1/16

Purpose Statement: The ConnectVirginia board of directors has the duty to provide appropriate stewardship over the corporation’s resources. This includes taking steps to assure that the corporation is getting the best value for its technology purchases and other services.

Policy/Procedure:

To support the ConnectVirginia board of directors in making decisions for the purchase of technology and other services, management shall do the following:

1. Develop objective business and technology requirements.

2. Identify at least 3 different vendors for each project, one of which may be Envera Health. If there are not 3 vendors that can provide a specific service, then management shall identify 2 different vendors, one of which may be Envera Health, provided that management certifies to the board that it diligently sought out 3 vendors.

3. If management concludes that there are no vendors, other than Envera, that can provide the service, it will present its analysis supporting this conclusion to the board of directors.

4. In making recommendations for any technology products and services, management will provide the board with sufficient information to permit the board to independently evaluate management’s recommendation should it elect to do so.

Once an acceptable vendor has been identified and approved by the board of directors, management, in conjunction with ConnectVirginia legal counsel, shall engage in negotiations with the vendor to develop an appropriate contract. The board-designated liaison with ConnectVirginia shall be involved in these negotiations as well. Once a contract has been developed, it shall be submitted to the executive committee of the board of directors for review, further negotiation or a recommendation to the ConnectVirginia board that the contract be approved.

Responsibility: ConnectVirginia, Chief Executive Officer, ConnectVirginia Board of Directors

Regulatory Reference: None.


General HIPAA Policies and Procedures


ConnectVirginia General HIPAA Policies Policy No.: H-1 Title: Workforce Member Confidentiality and Compliance Statement

Version: 2 Effective Date: 9/18/12

Purpose Statement: All Workforce Members are required to certify in writing, by signing the Workforce Member Confidentiality and Compliance Statement provided below, that they have received, read, received training on, understand and agree to follow the policies in the manual that has been provided to them and all applicable provisions of HIPAA and the HITECH Act. Also, as part of their compliance with these Policies and Procedures, Workforce Members must certify that they will protect the confidentiality of PHI, including ePHI, and that they will report any unauthorized disclosures of PHI or ePHI and other Security Incidents to the Privacy Officer or Security Officer, as specified in this manual.

Policy/Procedure:

1. All Workforce Members will sign the Workforce Member Confidentiality and Compliance Statement provided below prior to being given access to PHI, ePHI or the Network and annually thereafter.

2. The Privacy Officer will maintain a record on each Workforce Member that includes the original, signed Workforce Member Confidentiality and Compliance Statements.

3. The Privacy Officer will return a copy of the signed Workforce Member Confidentiality and Compliance Statement to the Workforce Member.

4. Any Workforce Member that refuses to sign the Workforce Member Confidentiality and Compliance Statement will be sanctioned in accordance with the Workforce Member Discipline Policy (H-2).

WORKFORCE MEMBER HIPAA CONFIDENTIALITY AND COMPLIANCE STATEMENT

I, ____________________, acknowledge that I have received, read, received training on, understand and agree to follow the ConnectVirginia HIPAA Privacy and Security Policies and Procedures that have been given to me for my review. Also, I acknowledge that during the course of performing my assigned duties at ConnectVirginia, I may have access to, use, or disclose Protected Health Information (PHI) or electronic PHI (ePHI). I agree to handle such information in a confidential manner at all times during and after my employment and commit to the following obligations:

1. I will use and disclose PHI, including ePHI, only in connection with and for the purpose of performing my assigned job functions.

2. I will request, obtain, or communicate PHI, including ePHI, only as necessary to perform my assigned job functions and will refrain from requesting, obtaining or communicating more PHI, including ePHI, than is necessary to accomplish such functions.

24 General HIPAA Policies and Procedures


3. I will take reasonable care to properly secure PHI, including ePHI, on my Workstation and will take steps to ensure that others cannot view or access such information.

4. I will use and disclose PHI, including ePHI, solely in accordance with the applicable federal and state laws and regulations and all ConnectVirginia HIPAA Privacy and Security Policies and Procedures. I also agree, in a timely manner, to familiarize myself with any periodic updates or changes to these policies.

5. I will immediately report any unauthorized use or disclosure of PHI, including ePHI, that I become aware of to the appropriate ConnectVirginia Official.

6. I understand and agree that my failure to fulfill any of the obligations set forth in this Statement and any failure to comply with the ConnectVirginia’s HIPAA Privacy and Security Policies and Procedures will result in my being subject to appropriate disciplinary action, up to and including, the termination of my employment.

___________________________________
Workforce Member’s Signature

___________________________________
Workforce Member’s Printed Name

___________________________________
Workforce Member’s Job Function/Department

___________________________________
Date

___________________________________
Privacy Officer’s Signature

___________________________________
Date

Responsibility: Privacy Officer; Workforce Member

Regulatory Category: Privacy Regulations; Security Regulations


ConnectVirginia General HIPAA Policies Policy No.: H-2 Title: Workforce Member Discipline Version: 1 Effective Date: 1/20/12

Purpose Statement: ConnectVirginia will discipline Workforce Members, as necessary, for violations of its HIPAA Privacy and Security Policies and Procedures.

Policy/Procedure:

MINOR OCCURRENCES

If the Privacy or Security Officer determines that a Workforce Member’s acts or omissions resulted in a relatively minor violation of these HIPAA Privacy and Security Policies and Procedures and no significant violation of any law or regulation, the respective Officer will determine whether or not further education, clarification, or other corrective actions are needed.

SIGNIFICANT VIOLATIONS

If the Privacy or Security Officer determines that a Workforce Member’s acts or omissions resulted in a significant violation of these HIPAA Privacy and Security Policies and Procedures or a violation of any law or regulation, the respective Officer will report the findings to the ConnectVirginia Executive Director and will recommend appropriate disciplinary action. The ConnectVirginia Executive Director will then determine the scope of any disciplinary steps to be taken.

DISCIPLINARY ACTION

1. Disciplinary action should be commensurate with the seriousness of the security or privacy violation. Discipline may take one or more forms, including, but not limited to:

a. Oral counseling and admonishment

b. Written reprimand

c. Requiring the Workforce Member to attend training

d. Reassignment

e. Demotion and/or reduction in pay

f. Suspension without pay

g. Termination of employment

2. The Executive Director will consult with legal counsel at his discretion to determine what disciplinary action is appropriate.

Responsibility: Privacy Officer; Security Officer; Executive Director


Regulatory Category: Privacy Regulations

Regulatory Reference: 45 C.F.R. §164.308(a)(1)(ii)(C), Sanction Policy [Implementation Specification; Required]


ConnectVirginia General HIPAA Policies Policy No.: H-3 Title: Message Content Incident, Breach and Security Incident Response Procedures

Version: 4 Effective Date: 12/9/14

HITECH Act Language:

“A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. Such notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.”

“For purposes of this section, a breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which such breach is known to such entity or associate, respectively, (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate, respectively) or should reasonably have been known to such entity or associate (or person) to have occurred.”

“Subject to subsection (g), all notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved (or business associate involved in the case of a notification required under subsection (b)).”

HIPAA Privacy Rule Language: Except for the exceptions set forth in the definition of “Breach” (see Definitions), “an acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.”

HIPAA Security Rule Language: “Implement policies and procedures to address security incidents.”


Purpose Statement: In the unlikely event that ConnectVirginia experiences a Breach, it will take all reasonable and appropriate steps to protect the confidentiality, integrity and availability of ePHI and the Network. ConnectVirginia will promptly identify, report, track, and respond to Security Incidents and potential Breaches. Awareness of, response to, and creation of reports about Security Incidents and Breaches are integral parts of ConnectVirginia’s efforts to comply with the HIPAA Regulations.

Policy/Procedure:

SECURITY INCIDENTS

1. A “Security Incident” is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations through the Network.

2. The following incidents are examples of potential Security Incidents. This list is not exclusive. The Security Officer will determine when a Security Incident has or is likely to have occurred.

a. Stolen or otherwise inappropriately obtained passwords that are used to access the Network;

b. Corrupted backup tapes that do not allow restoration of ePHI through the Network;

c. Virus attacks that interfere with the operations of the Network;

d. Physical break-ins to ConnectVirginia’s facilities which may lead to the theft of electronic media containing ePHI;

e. ConnectVirginia’s failure to terminate the account of a former ConnectVirginia Customer that is then used by an unauthorized individual to access the Network; and/or

f. Allowing electronic media containing ePHI, such as a computer hard drive or laptop, to be accessed by a ConnectVirginia Customer who is not authorized to access such ePHI prior to removing the ePHI stored on the media.

BREACHES

1. A Breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except in the case of (1) any unintentional acquisition, access, or use of PHI, made in good faith and in the scope of the professional relationship, by a Workforce Member or individual acting under the authority of ConnectVirginia or a ConnectVirginia Customer and the PHI is not further used, acquired, or disclosed; (2) any inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by ConnectVirginia or a ConnectVirginia Customer to another similarly situated individual at the same facility and any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person; or (3) a disclosure of PHI where ConnectVirginia has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

2. The HIPAA Breach Notification Rule only applies to PHI that is “unsecured.” “Unsecured” PHI is that PHI which is not secured through a technology or methodology that the Department of Health and Human Services (HHS) has stated renders the PHI unusable, unreadable, or indecipherable to unauthorized individuals.

3. According to guidance issued by HHS in August 2009 (the most recent guidance issued by HHS on this topic as of the creation date of this Policy), PHI is secured through encryption (for ePHI) or destruction (for PHI in all other formats).

4. ConnectVirginia will take all measures necessary to secure PHI in accordance with the Device and Media Controls (HS-18), Technical Access Controls (HS-19), and Transmission Security (HS-22) Policies included in this Manual.

IDENTIFYING POTENTIAL BREACHES AND SECURITY INCIDENTS

1. ConnectVirginia will be responsible for monitoring and auditing activities (see Policies CE-7, PORT-6, and PHRP-3). ConnectVirginia will, on a regular basis, review audit reports which provide a summary of all uses of the Network.

2. The following findings in the audit reports will signal a potential Breach or Security Incident in the ConnectVirginia Portal(s):

a. A single CVEAM Portal User sending more than five messages through CVEAM within a 30-day period

b. Continued failed authentication attempts after five (5) unsuccessful attempts to access a ConnectVirginia Portal

c. Activity originating from an IP address outside of the country
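A screening routine that applies the three audit-report findings above to sample audit records, added here as an illustration and not ConnectVirginia's own tooling. The record layout, the rec() helper, the constructed sample events and the portal name PORTAL-1 are all assumptions; the country field is assumed to be supplied by the audit report's geolocation of the source address.

```python
"""Screen an audit report for the three findings Policy H-3 lists as signals
of a potential Breach or Security Incident. Added example, not ConnectVirginia
code; the record layout below is a constructed assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

MESSAGE_LIMIT = 5                 # rule (a): more than five messages ...
MESSAGE_WINDOW = timedelta(days=30)  # ... within a 30-day period
FAILED_AUTH_LIMIT = 5             # rule (b): failures after five unsuccessful attempts
HOME_COUNTRY = "US"               # rule (c): activity from outside the country


def rec(ts, user, event, portal="CVEAM", ip="203.0.113.10", country="US"):
    """Build one constructed audit record (assumed layout, one dict per event)."""
    return {"ts": ts, "user": user, "event": event, "portal": portal,
            "ip": ip, "country": country}


# Constructed sample audit report; PORTAL-1 is a placeholder portal name.
SAMPLE_AUDIT = (
    # clinicA: six messages inside one 30-day window -> rule (a)
    [rec(f"2014-12-{d:02d}T09:00:00", "clinicA", "message_sent") for d in (1, 3, 5, 8, 12, 20)]
    # clinicB: five messages in early December, a sixth 40 days later -> no finding
    + [rec(f"2014-12-{d:02d}T10:00:00", "clinicB", "message_sent") for d in (1, 2, 3, 4, 5)]
    + [rec("2015-01-14T10:00:00", "clinicB", "message_sent")]
    # drX: six consecutive failures -> rule (b) fires on the sixth
    + [rec(f"2014-12-02T08:{m:02d}:00", "drX", "auth_failed", portal="PORTAL-1") for m in range(6)]
    # drY: five failures, then a success -> no finding
    + [rec(f"2014-12-02T09:{m:02d}:00", "drY", "auth_failed", portal="PORTAL-1") for m in range(5)]
    + [rec("2014-12-02T09:10:00", "drY", "auth_ok", portal="PORTAL-1")]
    # drZ: login from an address geolocated outside the country -> rule (c)
    + [rec("2014-12-03T11:00:00", "drZ", "auth_ok", portal="PORTAL-1",
           ip="198.51.100.7", country="DE")]
)


def excessive_messages(records):
    """Rule (a): a single CVEAM Portal User sending more than five messages
    through CVEAM within any rolling 30-day window."""
    findings = []
    by_user = defaultdict(list)
    for r in records:
        if r["portal"] == "CVEAM" and r["event"] == "message_sent":
            by_user[r["user"]].append(datetime.fromisoformat(r["ts"]))
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > MESSAGE_WINDOW:   # slide the window forward
                start += 1
            if end - start + 1 > MESSAGE_LIMIT:
                findings.append(("a", user, f"{end - start + 1} messages in 30 days ending {t.date()}"))
                break   # one finding per user is enough to trigger review
    return findings


def repeated_auth_failures(records):
    """Rule (b): a further failed attempt once a user has already failed five
    times in a row on a portal. A successful login resets the streak."""
    findings = []
    streak = defaultdict(int)
    for r in sorted(records, key=lambda r: r["ts"]):   # ISO timestamps sort lexically
        key = (r["portal"], r["user"])
        if r["event"] == "auth_failed":
            streak[key] += 1
            if streak[key] == FAILED_AUTH_LIMIT + 1:
                findings.append(("b", r["user"], f"failed attempt after {FAILED_AUTH_LIMIT} failures on {r['portal']}"))
        elif r["event"] == "auth_ok":
            streak[key] = 0
    return findings


def foreign_activity(records):
    """Rule (c): any activity whose source address geolocates outside the country."""
    return [("c", r["user"], f"{r['ip']} ({r['country']})")
            for r in records if r["country"] != HOME_COUNTRY]


def screen_audit_report(records):
    """Return every (rule, user, detail) finding for the Privacy Officer to document."""
    return excessive_messages(records) + repeated_auth_failures(records) + foreign_activity(records)


if __name__ == "__main__":
    for rule, user, detail in screen_audit_report(SAMPLE_AUDIT):
        print(f"rule ({rule}) user={user}: {detail}")
```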

REPORTING POTENTIAL MESSAGE CONTENT INCIDENTS, BREACHES AND SECURITY INCIDENTS

1. Any Workforce Member, including ConnectVirginia management, must report any potential Breach or Security Incident that he or she discovers, or any other potential threat to the confidentiality, integrity, or availability of ePHI exchanged through the Network, to the Privacy Officer immediately upon discovery of the potential Breach, Security Incident or threat.

2. Any ConnectVirginia Customer will report a potential Message Content Incident, Breach or Security Incident in accordance with the requirements set forth in the applicable ConnectVirginia Agreement.

3. The individual providing notice of the potential Message Content Incident, Breach, Security Incident or other threat may provide such notice in any format, including in writing, electronically, or orally.

4. The Privacy Officer will document the report of a potential Message Content Incident, Breach or Security Incident or threat along with the date and time that he or she was notified of such event.

5. ConnectVirginia will not take any retaliatory measures against an individual who reports a potential Message Content Incident, Breach or Security Incident or threat. If the Message Content Incident, Breach or Security Incident was created by the neglect, or deliberate action, of a User, then ConnectVirginia may impose sanctions as set forth in other Policies.

6. No ConnectVirginia Customer will prohibit or otherwise attempt to hinder or prevent another ConnectVirginia Customer from reporting a potential Message Content Incident, Breach, Security Incident or threat.

RESPONSE TO POTENTIAL MESSAGE CONTENT INCIDENTS, BREACHES AND SECURITY INCIDENTS

1. Upon becoming aware of a potential or suspected Message Content Incident, Breach or Security Incident, the ConnectVirginia Privacy Officer will immediately activate the Incident Response Team. The Incident Response Team shall be composed of the ConnectVirginia Executive Director, the ConnectVirginia Privacy Officer, the ConnectVirginia Security Officer, the ConnectVirginia Technical Expert, ConnectVirginia Legal Counsel, and the Chairperson of the Compliance Committee. The ConnectVirginia Executive Director will be the Incident Response Leader.

2. The Incident Response Team will promptly conduct an initial review of the facts surrounding the potential Message Content Incident, Breach or Security Incident to determine whether a Breach or Security Incident occurred. The Incident Response Team will strive to make an initial determination within 48 hours of becoming aware of the potential Breach or Security Incident.

3. To determine whether a Breach occurred, the Incident Response Team will conduct a “risk assessment” to examine whether there is more than a low probability of the information being compromised. In this risk assessment, the Incident Response Team will evaluate the following factors:

a. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

b. The unauthorized person who used the PHI or to whom the disclosure was made;

c. Whether the PHI was actually acquired or viewed; and

d. The extent to which the risk to the PHI has been mitigated.

4. If the Incident Response Team determines that a Message Content Incident, Breach or Security Incident did not occur, the ConnectVirginia Privacy Officer will document this along with all of the information that supports such conclusion and no further investigations are required. The Privacy Officer will present a summary of the Committee’s findings at the next meeting of the ConnectVirginia Board of Directors.

5. If the Incident Response Team determines that a Message Content Incident, Breach or Security Incident did occur or is likely to have occurred, then the following steps will be followed:

a. The Incident Response Team will determine the scope, magnitude and severity of the Message Content Incident, Breach or Security Incident; mechanisms for containing the Message Content Incident, Breach or Security Incident if it is on-going; mechanisms for mitigating the harmful effects of the Message Content Incident, Breach or Security Incident; and, ways to remediate the vulnerability that led to the Message Content Incident, Breach or Security Incident. The Incident Response Team will prepare these initial findings within 72 hours of becoming aware of the potential Message Content Incident, Breach or Security Incident and will update those findings as more information becomes available.

b. The Incident Response Team will determine which ConnectVirginia Customers, if any, should be involved in the investigation and mitigation activities and involve such ConnectVirginia Customers as the Committee deems appropriate.

c. The Incident Response Team will officially notify all affected ConnectVirginia Customers of a Message Content Incident, Breach or Security Incident as soon as practicable, but in all cases within ten (10) business days, after becoming aware of such Message Content Incident, Breach or Security Incident. The notification will include the following information:

i. The date of the Message Content Incident, Breach or Security Incident.

ii. The identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such Message Content Incident, Breach or Security Incident, if it can be determined.

iii. A description of the roles of the people involved in the Message Content Incident, Breach or Security Incident such as, but not limited to, ConnectVirginia Customers, Workforce Members, Vendors or unauthorized persons.

iv. The type of information that was breached or involved in the Message Content Incident, Breach or Security Incident, if it can be determined.

v. A brief description of the circumstances involved in the Message Content Incident, Breach or Security Incident.

d. Legal counsel will determine whether ConnectVirginia is required to make any additional notifications pursuant to applicable breach notification laws and discuss such notifications with the Incident Response Team and the affected ConnectVirginia Customers.


e. As a Business Associate, ConnectVirginia is not responsible for providing notice to any affected individuals, the Secretary, or the media, pursuant to 45 C.F.R. §164.404, 164.406, and 164.408, unless ConnectVirginia and the affected ConnectVirginia Customers agree otherwise in writing.

f. If ConnectVirginia has determined that a ConnectVirginia Customer’s noncompliant behavior caused a Message Content Incident, Breach or Security Incident, ConnectVirginia will determine the appropriate corrective action to pursue, including termination of the agreement authorizing access to and use of the Network. The ConnectVirginia Customer must abide by whatever corrective action ConnectVirginia decides to pursue regarding the noncompliant behavior.

g. The Executive Director will notify the Chair of the ConnectVirginia Board of Directors of the results of the Incident Response Team’s findings. The Chair will provide guidance to the Executive Director regarding how to communicate the findings to the full Board of Directors.

h. The Security Officer will retain all documentation regarding the Message Content Incident, Breach or Security Incident for six years.

OTHER MEASURES REGARDING MESSAGE CONTENT INCIDENTS, BREACHES AND SECURITY INCIDENTS

1. ConnectVirginia will provide training and awareness materials to Users, as appropriate, regarding the process for promptly identifying, reporting, tracking, and responding to potential Message Content Incidents, Breaches and Security Incidents in accordance with this Policy.

2. As deemed necessary by the Privacy Officer, ConnectVirginia will take disciplinary action, including termination if deemed necessary, in accordance with the Workforce Member Discipline Policy (H-2) against Workforce Members whose actions lead to or cause Message Content Incidents, Breaches or Security Incidents.

3. No ConnectVirginia Customer who reports a suspected Message Content Incident, Breach or Security Incident that is caused by another ConnectVirginia Customer will face retaliation from ConnectVirginia.

Responsibility: Privacy Officer, Security Officer, Executive Director, ConnectVirginia Customer, Workforce Member

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(6)(i), Security Incident Procedures [Standard; Required]

45 C.F.R. §164.308(a)(6)(ii), Response and Reporting (of Security Incidents) [Implementation Specification; Required]

45 C.F.R. §164.402, Definition, Breach


ConnectVirginia General HIPAA Policies Policy No.: H-4 Title: Business Associate Agreements Version: 4 Effective Date: 12/9/14

HITECH Act Language: “In the case of a business associate of a covered entity that obtains or creates protected health information pursuant to a written contract with such covered entity, the business associate may use and disclose such protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of section 164.504(e).”

HIPAA Privacy Rule Language:

Uses and Disclosures of Protected Health Information: General Rules; Standard: Disclosures to Business Associates: §164.502(e) “A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.”

“A business associate may disclose PHI to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit PHI on its behalf, if the business associate obtains satisfactory assurances, in accordance with § 164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information.”

Uses and Disclosures: Organizational Requirements; Standard: Business Associate Contracts - §164.504(e) “The contract or other arrangement required by §164.502(e)(2) must meet the requirements of paragraph (e)(2) or (e)(3) [governmental agencies], or (e)(5) of this section, as applicable.”

“A covered entity is not in compliance with the standards of §164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and if such steps were unsuccessful, terminated the contract or arrangement, if feasible.”

“The requirements of §164.504(e)(2) through (e)(4) apply to the contract or other arrangement between a business associate and a business associate that is a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.”

“A business associate is not in compliance with the standards in § 164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor’s obligation under the contract or other arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.”

“A contract between the covered entity and a business associate must:

(i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:

(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;

(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

(ii) Provide that the business associate will:

(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;

(B) Use appropriate safeguards and comply, where applicable, with [the Security Rule] with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;

(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410;

(D) In accordance with §164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

(E) Make available protected health information in accordance with §164.524;

(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526;

(G) Make available the information to provide an accounting of disclosures in accordance with §164.528;


(H) To the extent the business associate is to carry out a covered entity’s obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation.

(I) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart; and

(J) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information, or if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.”

HIPAA Security Rule Language:

Administrative Safeguards; Standard: Business Associate Contracts and Other Arrangements--§164.308(b) “A covered entity may permit a business associate to create, receive, maintain, or transmit electronic PHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.”

“A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with §164.314(a) that the subcontractor will appropriately safeguard the information.”

“Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).”

Organizational Requirements; Standard: Business Associate Contracts and Other Arrangements--§164.314(a) “The contract must provide that the business associate will:

(A) Comply with the applicable requirements of this subpart [the Security Rule];

(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic PHI on behalf of a business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and


(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.”

Purpose Statement: ConnectVirginia is a Business Associate under the HIPAA Privacy Regulations because it facilitates the exchange of health information on behalf of Covered Entities. Under both the HITECH Act and its Business Associate Agreements with Covered Entities, ConnectVirginia is required to comply with the HIPAA Privacy and Security Regulations. These HIPAA Policies and Procedures document such compliance.

Policy/Procedure:

BUSINESS ASSOCIATE AGREEMENTS WITH COVERED ENTITIES

ConnectVirginia will enter into a Business Associate Agreement with each ConnectVirginia Customer that is a Covered Entity or a Business Associate of a Covered Entity when ConnectVirginia is acting as a Business Associate of such Customer. In the Business Associate Agreement, ConnectVirginia will acknowledge, among other things, that ConnectVirginia will appropriately safeguard the Network and the ePHI exchanged through the Network through the implementation of its Security Policies and Procedures that fully comply with the HIPAA Security Regulations.

CONTRACTS WITH VENDORS

1. ConnectVirginia may enter into agreements with Vendors, as permitted by its Business Associate Agreements, for services related to the Network.

2. In its agreements with Vendors, ConnectVirginia will include the mandatory Business Associate Agreement provisions including, but not limited to, requiring that Vendors:

a. Appropriately safeguard ePHI and access to the Network through privacy and security policies and procedures that are fully compliant with the HIPAA Privacy and Security Regulations;

b. Ensure that any agent, including subcontractors, to whom it provides ePHI agrees to implement reasonable and appropriate safeguards to protect it; and

c. Report to ConnectVirginia any Security Incident of which it becomes aware.

3. Agreements with Vendors must authorize the termination of the contract by ConnectVirginia if ConnectVirginia determines that the Vendor has violated a material term of the contract.

4. ConnectVirginia will terminate a contract with a Vendor if ConnectVirginia becomes aware of a pattern of activity or practice of the Vendor that constitutes a material breach or violation of the Vendor’s privacy or security obligations unless the Vendor cures the breach or ends the violation.

AGREEMENTS WITH CONNECTVIRGINIA PORTAL PARTICIPANTS AND USERS


ConnectVirginia will enter into agreements with ConnectVirginia Portal Participants and Users pursuant to the Agreements with ConnectVirginia Portal Participants and Users Policy (PORT-2).

AGREEMENTS WITH CONNECTVIRGINIA EXCHANGE NODES

Pursuant to the Agreements with ConnectVirginia EXCHANGE Nodes Policy (CE-10), ConnectVirginia will enter into the ConnectVirginia EXCHANGE Trust Agreement with each ConnectVirginia EXCHANGE Node, which will include a Business Associate Addendum.

AGREEMENTS WITH CONNECTVIRGINIA PUBLIC HEALTH REPORTING PATHWAY REGISTRANTS

Pursuant to the Agreements with Registrants Policy (PHRP-2), ConnectVirginia will enter into the ConnectVirginia Public Health Reporting Agreement with each ConnectVirginia Public Health Reporting Pathway Registrant. ConnectVirginia will not, however, enter into a Business Associate Agreement with PHRP Registrants because ConnectVirginia does not act as Business Associate when providing this service. Instead, it acts as a mere conduit for the electronic delivery of information to the Virginia Department of Health.

Responsibility: Privacy and Security Officers

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(b), Business Associate Contracts and Other Arrangements [Standard; Required]

45 C.F.R. §164.314(a), Organizational Requirements

45 C.F.R. §§164.502(e) and 164.504(e), Uses and Disclosures of Protected Health Information: General Rules; Uses and Disclosures: Organizational Requirements


HIPAA Privacy Policies and Procedures


ConnectVirginia HIPAA Privacy Policy No.: HP-1 Title: Uses and Disclosures of PHI Version: 3 Effective Date: 3/12/13

HIPAA Privacy Rule Language:

Permitted Uses and Disclosures —§164.506 “Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4), or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations…provided that such use or disclosure is consistent with other applicable requirements of this subpart.”

Uses and Disclosures for which an Authorization Is Required —§164.508 “Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.”

Uses and Disclosures of Protected Health Information: General Rules--§164.502(a)(3) “A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to § 164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under § 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.”

Uses and Disclosures: Organizational Requirements--§164.504(e)(2) “A contract between the covered entity and a business associate must:

(i) Establish the permitted uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity…”

Purpose Statement: ConnectVirginia will only use or disclose PHI as permitted by its Customer Agreements.

Policy/Procedure:

1. ConnectVirginia may only use or disclose PHI to fulfill its responsibilities under the ConnectVirginia Customer Agreements. This includes, but is not limited to, performing proper management and administrative functions.

2. ConnectVirginia’s uses and disclosures of PHI in connection with the ConnectVirginia Portals are more fully described in ConnectVirginia’s Use and Disclosure of PHI in the ConnectVirginia Portals Policy (PORT-5).

40 HIPAA Privacy Policies and Procedures


3. ConnectVirginia’s uses and disclosures of PHI in connection with ConnectVirginia EXCHANGE are more fully described in ConnectVirginia’s Use and Disclosure of PHI in ConnectVirginia EXCHANGE Policy (CE-9).

Responsibility: Privacy Officer

Regulatory Category: Privacy Regulations

Regulatory Reference: 45 C.F.R. §164.506, Uses and Disclosures to Carry Out Treatment, Payment, or Health Care Operations [Standard; Required]

45 C.F.R. §164.508, Uses and Disclosures for which an Authorization is Required [Standard; Required]

45 C.F.R. §164.502(a)(3), Uses and Disclosures of Protected Health Information: General Rules

45 C.F.R. §164.504(e)(2), Uses and Disclosures: Organizational Requirements


ConnectVirginia HIPAA Privacy Policy No.: HP-2 Title: Minimum Necessary Standard Version: 2 Effective Date: 3/12/13

HIPAA Privacy Rule Language:

Uses and Disclosures of Protected Health Information: General Rules--§164.502(b) “When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purposes of the use, disclosure or request.”

Other Requirements Relating to Uses and Disclosures of Protected Health Information; Standard: Minimum Necessary Requirements--§164.514(d) “In order to comply with § 164.502(b) and this section, a covered entity must meet the requirements of paragraphs (d)(2) through (d)(5) of this section with respect to a request for, or the use and disclosure of, protected health information.

“For any type of disclosure that it makes on a routine or recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.”

“For all other disclosures, a covered entity must: (A) develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and (B) review requests for disclosure on an individual basis in accordance with such criteria.”

“A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities.

“For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.

“For all other requests, a covered entity must: (A) develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and (B) review requests for disclosure on an individual basis in accordance with such criteria.”

Purpose Statement: ConnectVirginia will use reasonable efforts to limit PHI or ePHI that it uses or discloses as part of its management and administration of the Network to the least amount necessary (the “minimum necessary”) to accomplish the intended purpose of the disclosure. This policy encompasses PHI in any format, such as oral, electronic, or written.

Policy/Procedure:

ConnectVirginia will limit all uses and disclosures of or requests for PHI to the minimum necessary to achieve the purpose of the use, disclosure or request except for:

Disclosures made to the Secretary of Health and Human Services

Uses or disclosures required by law

Uses or disclosures required for compliance with HIPAA

INTERNAL USES

1. The Privacy Officer will assess and determine, on a yearly basis, those Workforce Members who require access to PHI in order to carry out their job functions.

2. ConnectVirginia will document its Workforce Members’ access to PHI in accordance with the Information Access Management Policy (HS-5).

3. The Privacy Officer will ensure that reasonable efforts are used to limit the access to the persons identified and for only the types of PHI which are needed to carry out their job functions.

4. For PHI that ConnectVirginia uses to perform certain management and administrative functions, ConnectVirginia will limit all uses of PHI to the minimum necessary to achieve the purpose of the particular management or administrative function.

EXTERNAL DISCLOSURES

1. For any disclosure that ConnectVirginia makes on a routine and recurring basis, ConnectVirginia will implement protocols that establish the minimum necessary amount of PHI that may be disclosed to achieve the purpose of the disclosure. On an annual basis, the Privacy Officer will:

a. Assess and determine all routine and recurring disclosures requested or made by ConnectVirginia.

b. Compose and complete a disclosure survey that identifies all routine and recurring disclosures.

c. Assess and determine the types of PHI that are disclosed for the disclosures identified on the disclosure survey.

d. For all recurring disclosures identified in the disclosure survey, the PHI disclosed will be limited to the amount reasonably necessary to achieve the purpose of the disclosure, but each disclosure does not require independent review by the Privacy Officer.

2. For all disclosures not specifically listed on the annual disclosure survey, the disclosure request must be sent to the Privacy Officer for review and determination for compliance with the minimum necessary standard.

3. Disclosures made to public officials as required by or in accordance with the law, if the public official represents that the information requested is the minimum necessary for the stated purpose(s), do not have to be reviewed by the Privacy Officer since they are deemed to be the minimum necessary for the requested disclosure.

Responsibility: Privacy Officer

Regulatory Category: Privacy Regulations

Regulatory Reference: 45 C.F.R. §164.514(d), Other Requirements Relating to Uses and Disclosures of PHI: Minimum Necessary Requirements

45 C.F.R. §164.502(b), Uses and Disclosures of Protected Health Information; Standard: Minimum Necessary


ConnectVirginia HIPAA Privacy Policy No.: HP-3 Title: De-Identification of PHI Version: 2 Effective Date: 9/18/12

HIPAA Privacy Rule Language: “Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.”

Purpose Statement: If permitted by the applicable ConnectVirginia Customer Agreement, ConnectVirginia may use and disclose an individual’s health information that has been de-identified. After health information is de-identified, it is no longer subject to the requirements of the HIPAA Privacy Regulations.

Policy/Procedure:

1. All de-identification of health information will be performed at the direction and under the supervision of the Privacy Officer and in accordance with the applicable ConnectVirginia Customer Agreement.

2. The reason for the de-identification will be documented and maintained by the Privacy Officer.

3. ConnectVirginia may de-identify an individual’s health information in either of the following ways:

a. Remove all of the following identifiers from the individual’s health information:

i. Names.

ii. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes.

iii. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.

iv. Telephone numbers.

v. Fax numbers.

vi. Social Security numbers.

vii. Electronic mail address.

viii. Medical record numbers.

ix. Health plan beneficiary numbers.

x. Account numbers.

xi. Certificate/license numbers.


xii. Vehicle identifiers and serial numbers, including license plate numbers.

xiii. Device identifiers and serial numbers.

xiv. Web Universal Resource Locators (URLs).

xv. Internet Protocol (IP) address numbers.

xvi. Biometric identifiers, including finger and voice prints.

xvii. Full face photographic images and any comparable images.

xviii. Any other unique identifying number, characteristic, or code, except as permitted for re-identification.

b. If any of the above 18 identifiers are not removed, ConnectVirginia may utilize a qualified person to determine that the risk is very small that the information could be used, either by itself or in combination with other available information, by anticipated recipients to identify a subject of the information. A “qualified person” is a person:

i. with appropriate knowledge and experience applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable;

ii. who applies such methods and principles to determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and

iii. who documents the methods and results of the analysis that justify such determination.

4. No de-identified information will be disclosed if ConnectVirginia has knowledge that the information could be used alone or in combination to identify a subject of the information.

5. ConnectVirginia may assign a code or other means of record identification to allow information that has been de-identified to be re-identified by ConnectVirginia, as long as:

a. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual.

b. ConnectVirginia does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
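A worked implementation of the identifier removal in item 3.a (including the year-only and age-over-89 rules) and of the re-identification code constraints in item 5, as an added example in Python that is not ConnectVirginia's own code; the record field names, the vault class and the sample values are constructed assumptions.

```python
"""Safe Harbor de-identification (HP-3 item 3.a) with a re-identification
code that satisfies item 5: random, not derived from the individual's data,
and kept apart from the de-identified record.

Added example, not ConnectVirginia's code. Field names, the vault class and
the sample record are constructed assumptions.
"""
import re
import secrets
from datetime import date

# Assumed field names covering the 18 Safe Harbor identifier categories (i, ii,
# iv-xviii); these are removed outright. State is larger than a county and stays.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "zip",  # i, ii
    "phone", "fax", "ssn", "email",                                  # iv-vii
    "mrn", "health_plan_id", "account_number", "license_number",     # viii-xi
    "vehicle_id", "device_serial", "url", "ip_address",              # xii-xv
    "biometric", "photo", "other_unique_id",                         # xvi-xviii
}
# Dates directly related to the individual (iii): reduce to the year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
AGE_CAP = 89  # ages over 89 are reported only as "90 or older"
ISO_DATE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def _age_on(birth: "re.Match", as_of: date) -> int:
    """Whole years between a matched ISO birth date and as_of."""
    y, m, d = (int(p) for p in birth.groups())
    return as_of.year - y - ((as_of.month, as_of.day) < (m, d))


def deidentify(record: dict, as_of: date) -> dict:
    """Return a new dict with the Safe Harbor identifiers stripped from record."""
    birth = ISO_DATE.fullmatch(str(record.get("birth_date", "")))
    over_cap = bool(birth) and _age_on(birth, as_of) > AGE_CAP
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            # For ages over 89 the birth year itself reveals the age, so it goes too.
            if key == "birth_date" and over_cap:
                continue
            m = ISO_DATE.fullmatch(str(value))
            if m:  # keep the year only; unparsable dates are dropped entirely
                out[key] = m.group(1)
            continue
        if key == "age":
            out[key] = "90 or older" if int(value) > AGE_CAP else int(value)
            continue
        out[key] = value
    return out


def residual_identifiers(deidentified: dict) -> set:
    """Pre-release check: identifier fields or full dates that survived."""
    leaked = {k for k in deidentified if k in DIRECT_IDENTIFIER_FIELDS}
    leaked |= {k for k in DATE_FIELDS
               if k in deidentified and ISO_DATE.fullmatch(str(deidentified[k]))}
    return leaked


class ReidentificationVault:
    """Item 5: the code is random, so it is neither derived from nor translatable
    to anything about the individual. A hash of the MRN or SSN would fail 5.a:
    it is derived from the person's data and reversible by enumerating inputs.
    The mapping lives only here, apart from the released data (5.b)."""

    def __init__(self):
        self._code_to_source = {}

    def issue_code(self, record: dict) -> str:
        code = secrets.token_hex(16)
        self._code_to_source[code] = {"mrn": record["mrn"]}  # assumed source key
        return code

    def reidentify(self, code: str) -> dict:
        return self._code_to_source[code]


def deidentify_with_code(record: dict, as_of: date, vault: ReidentificationVault) -> dict:
    out = deidentify(record, as_of)
    out["reid_code"] = vault.issue_code(record)
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "street_address": "1 Example Lane", "city": "Richmond",
    "state": "VA", "zip": "23219", "phone": "804-555-0100",
    "email": "jane@example.invalid", "ssn": "000-00-0000", "mrn": "MRN-000001",
    "birth_date": "1922-03-15", "admission_date": "2014-06-02", "age": 92,
    "ip_address": "192.0.2.10", "diagnosis_code": "E11.9", "lab_result": "HbA1c 7.2%",
}

if __name__ == "__main__":
    vault = ReidentificationVault()
    released = deidentify_with_code(SAMPLE_RECORD, date(2014, 12, 9), vault)
    assert not residual_identifiers(released)
    print(released)
```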

Responsibility: Privacy Officer

Regulatory Category: Privacy Regulations


Regulatory Reference: 45 C.F.R. §164.514(a)-(c), De-Identification


ConnectVirginia HIPAA Privacy Policy No.: HP-4 Title: Access of Individuals to PHI Version: 2 Effective Date: 9/18/12

HIPAA Privacy Rule Language: “Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.”

Purpose Statement: ConnectVirginia does not create nor maintain designated record sets on behalf of its ConnectVirginia Customers. Therefore, ConnectVirginia cannot, on behalf of its ConnectVirginia Customers, grant an individual access to PHI. This policy sets forth how ConnectVirginia shall comply with requests from an individual to inspect or obtain a copy of his or her PHI.

Policy/Procedure:

1. An individual who inquires about requesting his or her PHI will be provided a letter which indicates that ConnectVirginia does not maintain the individual’s designated record set and cannot comply with the request.

2. The individual will be instructed to contact his or her health care provider(s) to request access to PHI contained within his or her medical record.

3. The following is template language for a response letter:

On [insert date], ConnectVirginia received a request from you for [a copy of or the right to access] protected health information about you that may have been exchanged through ConnectVirginia. ConnectVirginia is not a custodian of records nor does it maintain a designated record set. As a result, ConnectVirginia cannot provide you with the requested information. If you would like to access or obtain a copy of your health information, you should contact your health care providers directly and they will gladly assist you.

Responsibility: Privacy Officer

Regulatory Category: Privacy Regulations

Regulatory Reference: 45 C.F.R. §164.524, Access of Individuals to PHI [Standard; Required]


ConnectVirginia HIPAA Privacy Policy No.: HP-5 Title: Amendment of PHI Version: 2 Effective Date: 9/18/12

HIPAA Privacy Rule Language: “An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set.”

Purpose Statement: ConnectVirginia does not create nor maintain designated record sets on behalf of its ConnectVirginia Customers. Therefore, ConnectVirginia cannot, on behalf of its ConnectVirginia Customers, amend any PHI. This policy sets forth how ConnectVirginia shall comply with requests from an individual to amend his or her PHI.

Policy/Procedure:

1. In the event that ConnectVirginia receives a request from an individual to amend PHI exchanged through the Network, the individual will be provided with a letter which indicates that ConnectVirginia does not maintain medical records and cannot comply with the request to amend his or her medical record.

2. The individual will be instructed to contact his or her health care provider to request an amendment of his or her PHI.

3. The following is template language for a response letter:

On [insert date], ConnectVirginia received a request from you to amend protected health information about you that may have been exchanged through ConnectVirginia. ConnectVirginia is not a custodian of records nor does it maintain a designated record set. As a result, ConnectVirginia cannot make the requested amendment. If you would like to amend your protected health information, you should contact your health care providers directly and they will gladly assist you.

Responsibility: Privacy Officer

Regulatory Category: Privacy Regulations

Regulatory Reference: 45 C.F.R. §164.526, Amendment of Protected Health Information [Standard; Required]


ConnectVirginia HIPAA Privacy Policy No.: HP-6 Title: Accounting of Disclosures of PHI Version: 4 Effective Date: 12/9/14

HIPAA Privacy Rule Language: “An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested.”

HITECH Act Language: “In applying section 164.528 of title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information—

“(A) the exception under paragraph (a)(1)(i) of such section [treatment, payment, and health care operations] shall not apply to disclosures through an electronic health record made by such entity of such information; and

“(B) an individual shall have a right to receive an accounting of disclosures described in such paragraph of such information made by such covered entity during only the three years prior to the date on which the accounting is requested.”

“In response to a request from an individual for an accounting, a covered entity shall…provide an accounting, as specified under paragraph (1), for disclosures of protected health information that are made by such covered entity and by a business associate acting on behalf of the covered entity.”

Purpose Statement: Individuals have a right to receive an accounting of disclosures of their PHI made for the six years prior to their request. Pursuant to the ConnectVirginia Customer Agreements, Customers are responsible for maintaining all information related to disclosures that the Customer makes through ConnectVirginia that will be needed to respond to a request for an accounting of disclosures. ConnectVirginia will only be responsible for providing information in response to a request for an accounting of disclosures for disclosures that ConnectVirginia makes, as permitted by the Business Associate Addendum or applicable ConnectVirginia Customer Agreement.

Policy/Procedure:

REQUESTS FOR ACCOUNTING MADE TO COVERED ENTITIES

1. Within 21 days of receiving the accounting request from a ConnectVirginia Customer, ConnectVirginia will provide the Customer with an accounting of all disclosures of that individual’s PHI made by ConnectVirginia during the six years (or such shorter time period as requested by the individual) prior to the request.

2. If ConnectVirginia is unable to act on the accounting request within 21 days, ConnectVirginia may extend the deadline by no more than 30 additional days if, prior to the expiration of the initial 21 days, ConnectVirginia provides the ConnectVirginia Customer with an explanation for the delay and an estimated date of completion. The ConnectVirginia Customer will then notify the individual of the reason for the delay. ConnectVirginia may exercise only one such extension.

3. The content of the accounting provided to the ConnectVirginia Customer will consist of the same information as provided below for accounting requests made directly to ConnectVirginia. In addition, the procedures regarding Exceptions and Suspensions provided below apply regardless of whether the ConnectVirginia Customer submits the accounting request to ConnectVirginia or the individual submits the request directly to ConnectVirginia.

REQUEST FOR ACCOUNTING MADE BY INDIVIDUALS DIRECTLY TO CONNECTVIRGINIA

If an individual presents a request for an accounting of disclosures directly to ConnectVirginia, ConnectVirginia shall, within ten (10) business days, forward the request to those ConnectVirginia Customers that have exchanged the individual’s PHI through the Network during the period specified in the request for an accounting.

REQUIRED INFORMATION

1. The accounting must include all disclosures pertaining to the individual’s PHI made by ConnectVirginia to a third party during the six years (or such shorter time period as requested by the individual) prior to the request, unless an exception applies.

2. For each disclosure, the following information must be included:

a. The date of the disclosure.

b. The name and address, if known, of the recipient of the PHI.

c. A brief description of the PHI disclosed.

d. A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure. Alternatively, ConnectVirginia may include a written request from the third party for the information disclosed.

EXCEPTIONS

The following disclosures of PHI are not required to be included in a requested accounting:

1. Disclosures made to carry out treatment, payment, and health care operations.

2. Disclosures made to individuals of PHI about them.

3. Disclosures made incident to a use or disclosure otherwise permitted or required by HIPAA.


4. Disclosures made pursuant to an authorization.

5. Disclosures made for the Covered Entity’s facility directory or to persons involved in the individual’s care.

6. Disclosures made for national security or intelligence purposes.

7. Disclosures made to correctional institutions or law enforcement officials.

8. Disclosures made as part of a limited data set.

9. Disclosures that occurred more than six years prior to the request.

SUSPENSION OF AN INDIVIDUAL’S RIGHT TO AN ACCOUNTING

ConnectVirginia must suspend an individual’s right to receive an accounting of disclosures made to a health oversight or law enforcement agency if that agency requests that ConnectVirginia do so.

1. The agency requesting suspension must submit a written statement that ConnectVirginia’s provision of a requested accounting to an individual would be reasonably likely to impede the activities of the agency. The statement must also state the duration of the requested suspension.

2. If the agency requesting suspension does not submit a written statement, but rather requests the suspension orally, ConnectVirginia must:

a. Document the identity of the agent and agency requesting the suspension and the reason for it. ConnectVirginia will include the badge number or a copy of the agent’s credentials in the documented record.

b. Effect a temporary suspension of the individual’s right to an accounting of disclosures made to that agency.

c. Limit the duration of the suspension to 30 days or less from the time of the oral request, unless a written request is provided during that time.

DOCUMENTATION AND RETENTION

ConnectVirginia must retain the following documents for at least six years:

1. The information required to be included in a requested accounting.

2. Copies of written accountings provided to individuals.

3. Designation of persons responsible for processing requests for accountings made by individuals.

Responsibility: Privacy Officer


Regulatory Category: Privacy Regulations

Regulatory Reference: 45 C.F.R. §164.528, Accounting of Disclosures of Protected Health Information [Standard; Required]


ConnectVirginia HIPAA Privacy Policy No.: HP-7 Title: Assigned Privacy Responsibility Version: 2 Effective Date: 12/9/14

HIPAA Privacy Rule Language: “A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.”

Purpose Statement: ConnectVirginia will designate a Privacy Officer who will be responsible for the implementation and day-to-day administration and oversight of ConnectVirginia’s compliance with the HIPAA Privacy Regulations. The Privacy Officer will also develop Workforce Member and User training programs regarding the privacy of PHI, update and implement these Privacy Policies and Procedures, and serve as the designated decision-maker for issues and questions involving interpretation of the HIPAA Privacy Regulations.

Policy/Procedure:

1. The Privacy Officer is responsible for the following tasks:

a. Inventorying the uses and disclosures of all PHI;

b. Ensuring that legal issues in drafting compliance documents are addressed, or engaging competent legal counsel to draft such documents;

c. Administering sanctions upon Workforce Members for violations of these Privacy Policies and Procedures;

d. Developing, updating, and revising these Privacy Policies and Procedures as necessary to comply with the HIPAA Privacy Regulations;

e. Developing a privacy training program for Workforce Members and ConnectVirginia Customers;

f. Establishing procedures to monitor internal privacy compliance;

g. Keeping up to date on the latest privacy developments and federal and state laws and regulations;

h. Coordinating with the Security Officer in evaluating and monitoring operations and systems development for Privacy and Security requirements;

i. Serving as ConnectVirginia’s liaison to regulatory bodies for matters relating to privacy;

j. Coordinating any audits of the Secretary of HHS or any other governmental or accrediting organization regarding ConnectVirginia’s compliance with state or federal privacy laws or regulations; and

k. Other tasks that are necessary to ensure the privacy of PHI.

2. ConnectVirginia’s Privacy Officer’s name and contact information is:

Name: Sandy McCleaf
Email: [email protected]
Phone (work): (804) 955-1788

Responsibility: Privacy Officer

Regulatory Category: Privacy Regulations

Regulatory Reference: 45 C.F.R. §164.530(a), Personnel Designations [Standard; Required]

HIPAA Security Policies and Procedures

ConnectVirginia HIPAA Security Policy No.: HS-1 Title: Security Risk Management, Evaluation and Updates

Version: 2 Effective Date: 9/18/12

HIPAA Security Rule Language: “Implement policies and procedures to prevent, detect, contain, and correct security violations.”

“Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic PHI that establishes the extent to which an entity’s security and procedures meet the requirements of this subpart.”

“Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.”

Purpose Statement: ConnectVirginia, under the HIPAA Security Regulations, is required to periodically evaluate its security safeguards and implement a security management process. Implementation of this security management process will assist ConnectVirginia in ensuring the confidentiality, integrity, and availability of ePHI and the Network. ConnectVirginia will create and maintain appropriate and reasonable policies, procedures, and controls to prevent, detect, contain, and correct security violations.

Policy/Procedure:

EVALUATION AND RISK ANALYSIS

1. At least once per year, ConnectVirginia will convene a workgroup of at least four (4) individuals to conduct an accurate and thorough evaluation of ConnectVirginia’s security safeguards and an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI accessed through the Network.

2. The workgroup will consist of at least the Security Officer, individuals representing ConnectVirginia’s information technology department or ConnectVirginia’s technology Vendor, individuals familiar with the Network, and legal counsel for ConnectVirginia.

3. The workgroup will conduct the following activities:

a. A review of ConnectVirginia’s Security Policies and Procedures to evaluate their appropriateness and effectiveness in protecting against any reasonably anticipated threats or hazards to the privacy and security of ePHI exchanged through the Network.

b. A gap analysis to compare ConnectVirginia’s Security Policies and Procedures against actual practices.

c. An identification of threats and risks to the Network (“Risk Analysis”), including the following:

i. Potential security risks to the Network, including those Security Incidents specifically identified in the Message Content Incident, Breach and Security Incident and Response Procedures Policy (H-3);

ii. The probability of the occurrence of risks which may affect the Network;

iii. The magnitude of the identified risk to the Network;

iv. The criticality of each Network function to ConnectVirginia’s operations during or after an emergency or disaster pursuant to the Applications and Data Criticality Analysis Policy (HS-15);

v. The frequency of reviews and audits of the Network pursuant to the Information System Activity Review Policy (HS-2);

vi. The training, and the frequency of such training, to be offered to ConnectVirginia Customers and Workforce Members regarding the security of ePHI;

vii. The need to do penetration testing of the security of the Network; and

viii. The need to engage third parties to evaluate the risks and vulnerabilities to the Network.

d. An assessment of whether established security controls reasonably and appropriately protect against the risks identified for the Network.

4. The evaluation and risk analysis process will be documented and the findings will be reported to the ConnectVirginia Board of Directors.

RISK MANAGEMENT

1. In an effort to reduce risks and vulnerabilities to ePHI exchanged through the Network, ConnectVirginia will update its Security Policies and Procedures if the results of the evaluation show that such updates are needed and will create a Risk Management Plan to address risks identified in the annual Risk Analysis.

2. In addition to updating the Security Policies and Procedures and Risk Management Plan after each Risk Analysis, ConnectVirginia will also update the Policies and Procedures and Plan as needed:

a. After any Security Incident to minimize the likelihood of a similar Security Incident occurring in the future;

b. After a new use of the Network is authorized;

c. In response to the addition of any new Network functionality;

d. In response to environmental or operational changes (e.g. significant new threats or risks to the security of ePHI; changes to ConnectVirginia’s organizational or technical infrastructure; changes to information security requirements or responsibilities; or availability of new security technologies or recommendations).

3. In developing each Risk Management Plan, ConnectVirginia will consider the following:

a. The security measures that are already in place to address the risk;

b. Additional security measures that can reasonably and appropriately be put in place to address the risk;

c. Communication of the security measures and Risk Management Plan to Workforce Members, ConnectVirginia Customers, and Vendors; and

d. The need to engage other resources to assist in the implementation of the Risk Management Plan.

Responsibility: Security Officer

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(1)(i), Security Management Process [Standard; Required] 45 C.F.R. §164.308(a)(1)(ii)(A), Risk Analysis [Implementation Specification; Required] 45 C.F.R. §164.308(a)(1)(ii)(B), Risk Management [Implementation Specification; Required] 45 C.F.R. §164.308(a)(8), Evaluation [Standard; Required] 45 C.F.R. §164.316(b)(2)(iii), Updates [Implementation Specification; Required]


ConnectVirginia HIPAA Security Policy No.: HS-2 Title: Information System Activity Review Version: 3 Effective Date: 12/9/14

HIPAA Security Rule Language: “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Purpose Statement: ConnectVirginia will implement hardware, software, and/or procedural mechanisms that record and examine the activity of Workforce Members and ConnectVirginia Customers in the Network to enable ConnectVirginia to detect potentially problematic activity in the Network. These audit controls will allow ConnectVirginia to:

1. Identify questionable access to and exchange activities in the Network;

2. Investigate Message Content Incidents, Breaches and Security Incidents;

3. Respond to potential weaknesses in the Network’s architecture; and

4. Assess the effectiveness of ConnectVirginia Security Policies and Procedures.

Policy/Procedure:

FREQUENCY OF THE NETWORK ACTIVITY REVIEW

1. ConnectVirginia will conduct monthly audits of all uses of the Network.

2. ConnectVirginia will identify and document the names of Workforce Members who will review monthly audit reports.

3. ConnectVirginia will retain monthly audit reports for six (6) years after the date they are created.

AUDIT REPORT CONTENT

1. For each ConnectVirginia service, ConnectVirginia will identify the data to be captured in the monthly audit reports. Please see the corresponding auditing and monitoring policies for each ConnectVirginia Service in the applicable policy sections of this manual for more details.

2. Within two weeks of receiving the monthly audit report, a designated ConnectVirginia Workforce Member will review the report.

3. If ConnectVirginia uncovers any indications of improper use of the Network, it will follow the Message Content Incident, Breach and Security Incident Response Procedures Policy (H-3).

4. As patterns are identified and anomalous behavior becomes more apparent in the monthly audit reports, ConnectVirginia may establish thresholds for each type of activity captured in the audit report. The thresholds will signify the level at which certain behavior warrants further inspection and may signal a Message Content Incident, Breach or Security Incident or failure to comply with ConnectVirginia’s policies and procedures. As thresholds are established or revised, this Policy or other related Policies will be revised accordingly.
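As an added example (not part of the ConnectVirginia manual or its systems), the threshold review described in item 4 can be expressed as a small script: it tallies a constructed monthly audit report per Workforce Member and activity type, flags any pair whose count exceeds the configured threshold, and also flags activity types for which no threshold has been set yet, since those cannot be cleared without a reviewer's inspection. The column layout of the report, the activity names, the user IDs and the threshold values are all assumptions made for this example.

```python
"""Threshold review of a monthly Network activity audit report (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample of a monthly audit report. Rows are
# timestamp,user,activity,subject; the column layout, the activity names
# and the user IDs are assumptions made for this example.
SAMPLE_REPORT = """\
2014-12-01T08:12:05,jdoe,query,P1001
2014-12-01T08:13:40,jdoe,query,P1002
2014-12-02T22:47:10,jdoe,failed_login,-
2014-12-02T22:47:30,jdoe,failed_login,-
2014-12-02T22:47:52,jdoe,failed_login,-
2014-12-02T22:48:15,jdoe,failed_login,-
2014-12-02T22:48:40,jdoe,failed_login,-
2014-12-02T22:49:02,jdoe,failed_login,-
2014-12-03T09:01:11,asmith,query,P2001
2014-12-03T09:05:27,asmith,retrieve,P2001
2014-12-04T14:30:00,bwong,admin_change,-
"""

# Per-activity thresholds (events per user per month) above which a
# reviewer must inspect the activity. Values are illustrative assumptions.
THRESHOLDS: Dict[str, int] = {
    "query": 50,
    "retrieve": 30,
    "failed_login": 5,
}

REVIEW_WINDOW_DAYS = 14  # policy item 2: review within two weeks of receipt


@dataclass(frozen=True)
class Finding:
    user: str
    activity: str
    count: int
    threshold: Optional[int]  # None means no threshold is configured yet


def parse_report(text: str) -> List[Tuple[str, str, str, str]]:
    """Split the CSV-style report into (timestamp, user, activity, subject) rows."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, activity, subject = line.split(",")
        rows.append((ts, user, activity, subject))
    return rows


def tally(rows) -> Counter:
    """Count events per (user, activity) pair for the whole month."""
    return Counter((user, activity) for _, user, activity, _ in rows)


def review(rows, thresholds: Dict[str, int]) -> List[Finding]:
    """Return the (user, activity) pairs a reviewer must inspect.

    A pair is flagged when its count exceeds the configured threshold, or
    when no threshold exists for that activity type, because unclassified
    activity cannot be cleared automatically.
    """
    findings = []
    for (user, activity), n in sorted(tally(rows).items()):
        limit = thresholds.get(activity)
        if limit is None or n > limit:
            findings.append(Finding(user, activity, n, limit))
    return findings


def review_deadline(received_iso: str) -> str:
    """Date by which the designated Workforce Member must finish the review."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=REVIEW_WINDOW_DAYS)).isoformat()


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("review due by", review_deadline("2014-12-05"))
    for f in review(rows, THRESHOLDS):
        why = "no threshold set" if f.threshold is None else f"exceeds {f.threshold}"
        print(f"INSPECT {f.user} {f.activity}: {f.count} events ({why})")
```

On the constructed report this flags jdoe's six failed logins (over the threshold of five) and bwong's admin_change activity (no threshold defined), while asmith's routine queries are cleared. Treating an unconfigured activity type as a finding rather than silently ignoring it is what keeps the threshold table honest: every new activity type that appears in a report forces a decision about its threshold, which is the revision step item 4 calls for.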

Responsibility: Security Officer

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(1)(ii)(D), Information System Activity Review [Implementation Specification; Required] 45 C.F.R. §164.312(b), Audit Controls [Standard; Required]


ConnectVirginia HIPAA Security Policy No.: HS-3 Title: Assigned Security Responsibility Version: 3 Effective Date: 12/9/14

HIPAA Security Rule Language: “Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.”

Purpose Statement: Under the HIPAA Security Regulations and the HITECH Act, ConnectVirginia is required to designate a Security Official who is responsible for the development and implementation of its Security Policies and Procedures. This policy reflects ConnectVirginia’s commitment to comply with such regulations. In addition, the appointment of the Security Officer will provide organizational focus to, and highlight the importance of, ConnectVirginia’s efforts to protect the confidentiality, privacy and security of the ePHI.

Policy/Procedure:

1. The Security Officer will perform the following duties, including taking all reasonable and appropriate measures to:

a. Ensure and confirm that ConnectVirginia is compliant with applicable federal, state, and local laws pertaining to the security of ePHI;

b. Guide the development, documentation, and dissemination of appropriate security policies and procedures that govern the use of the Network;

c. Ensure that any updates to the Network have options that support the Required and/or Addressable implementation specifications of the HIPAA Security Regulations and ConnectVirginia’s internal security requirements;

d. Approve and oversee the administration, implementation, and selection of ConnectVirginia’s security controls for the Network;

e. Implement and oversee the security training of Users, and ensure that Users receive such training on a periodic basis as deemed necessary pursuant to ConnectVirginia’s Security Risk Management, Evaluation and Updates Policy (HS-1);

f. Facilitate the yearly Risk Analysis and creation of a Risk Management Plan under ConnectVirginia’s Security Risk Management, Evaluation and Updates Policy (HS-1);

g. Ensure that the Network activity is monitored and audited to identify Security Incidents and malicious activity as set forth in the Information System Activity Review Policy (HS-2);

h. Ensure that the threats and risks to the confidentiality, integrity, and availability of ePHI are monitored and evaluated; and

i. Oversee the development and implementation of an effective Security Incident response policy and related procedures as set forth in the Message Content Incident, Breach and Security Incident Response Procedures Policy (H-3).

2. ConnectVirginia’s Security Officer is:

Name: Sandy McCleaf
Email: [email protected]
Phone (work): (804) 955-1788

Responsibility: Security Officer

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(2), Assigned Security Responsibility [Standard; Required]


ConnectVirginia HIPAA Security Policy No.: HS-4 Title: Workforce Member Security Version: 2 Effective Date: 9/18/12

HIPAA Security Rule Language: “Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic PHI, as provided under paragraph (a)(4) [information access management] of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic PHI.”

Purpose Statement: To protect the confidentiality, integrity, and availability of ePHI, ConnectVirginia will implement reasonable and appropriate safeguards to prevent unauthorized access to ePHI while ensuring that properly authorized Workforce Members can exchange ePHI through the Network.

Policy/Procedure:

WORKFORCE CLEARANCE

1. Security privileges will be identified and defined for each Workforce Member who is granted access to the Network.

2. Based on the level of privileges to be granted to candidates for employment, Human Resources personnel will perform appropriate and reasonable verification checks on the candidate.

3. Verification checks may include, but are not limited to:

a. Character references;

b. Confirmation of claimed academic and professional qualifications;

c. Credit checks; or

d. Criminal background checks.

4. Upon accepting an offer of employment, each Workforce Member who will have access to the Network will sign the Workforce Member Confidentiality and Compliance Statement as required pursuant to the Workforce Member Confidentiality and Compliance Statement Policy (H-1).

SUPERVISION OF WORKFORCE MEMBERS

1. The Security Officer will take reasonable and appropriate steps to ensure that Workforce Members who have the ability to access the Network, or those who work in areas where ePHI might be accessed, will be properly supervised. ConnectVirginia will ensure that Workforce Members only access the ePHI that they are authorized to access pursuant to their job responsibilities.


2. ConnectVirginia will ensure that appropriate sanctions are taken against Workforce Members who improperly access ePHI, or who inappropriately grant access to ePHI to others. Sanctions will be instituted in accordance with the ConnectVirginia Workforce Member Discipline Policy (H-2).

ACCESS TO EPHI

ConnectVirginia will authorize, establish and modify, as appropriate, each Workforce Member’s access to ePHI in accordance with the Information Access Management Policy (HS-5).

TERMINATION OF ACCESS TO EPHI

ConnectVirginia will terminate a Workforce Member’s access to ePHI, either in the event of a Workforce Member’s resignation or a Workforce Member’s termination by ConnectVirginia, in accordance with the Suspension and Termination Procedures Policy (HS-6).

Responsibility: Security Officer; Human Resources; Workforce Members

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(3)(i), Workforce Security [Standard; Required] 45 C.F.R. §164.308(a)(3)(ii)(A), Authorization and/or Supervision [Implementation Specification; Addressable] 45 C.F.R. §164.308(a)(3)(ii)(B), Workforce Clearance Procedure [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy No.: HS-5 Title: Information Access Management Version: 3 Effective Date: 12/9/14

HIPAA Security Rule Language: “Implement policies and procedures for authorizing access to electronic PHI that are consistent with the applicable requirements of subpart E of this part.”

Subpart E refers to the HIPAA Privacy rules, located at 45 C.F.R. §164.500 et seq.

Purpose Statement: ConnectVirginia strives to protect the confidentiality, integrity, and availability of ePHI by taking reasonable steps to appropriately manage access to the Network. Safeguarding access to the Network by taking reasonable and appropriate steps is integral to ConnectVirginia’s compliance efforts under the HIPAA Security Regulations.

Policy/Procedure:

ESTABLISHING ACCESS TO EPHI FOR CONNECTVIRGINIA WORKFORCE MEMBERS

1. ConnectVirginia will ensure that only authorized Workforce Members will have access to the Network.

2. ConnectVirginia will document the various levels of access to the Network that each Workforce Member will have based upon the job function requirements of each position.

3. Workforce Members will not be granted access to, and must not attempt to access, the Network until the Workforce Member has been properly cleared in accordance with the Workforce Member Security Policy (HS-4).

4. Once a Workforce Member has been granted access to the Network, the Security Officer will give notice of such access to the ConnectVirginia Technical Domain Manager, or her designee.

5. The Technical Domain Manager, or designee, will then assign the Workforce Member a unique username and temporary password to activate the Workforce Member’s level of access to the Network.

6. Once the Workforce Member receives his or her temporary password, the Workforce Member will change his or her password in accordance with the Password Management Policy (HS-11).

REVIEW AND MODIFICATION OF WORKFORCE MEMBERS’ ACCESS TO EPHI

1. ConnectVirginia will periodically review Workforce Members’ access privileges to the Network.

2. ConnectVirginia may modify, if necessary, a Workforce Member’s access privileges to the Network.


a. When a Workforce Member’s access to the Network must be modified, either because of a change in the Workforce Member’s job function or the Workforce Member’s termination, ConnectVirginia will document such modifications.

b. Such documentation may include:

i. The date and time of the modification;

ii. The identification of the Workforce Member whose access is being modified;

iii. A description of the Workforce Member’s modified access rights; and

iv. The reason for the modification of the Workforce Member’s access rights.

ACCESS TO CONNECTVIRGINIA SERVICES

For each ConnectVirginia service, ConnectVirginia will provide access in accordance with applicable policy. Please see the corresponding access policies for each ConnectVirginia Service in the applicable policy sections of this manual for more details.

Responsibility: Security Officer; Technical Domain Manager (or designee); ConnectVirginia Customers

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(4)(i), Information Access Management [Standard; Required] 45 C.F.R. §164.308(a)(4)(ii)(B), Access Authorization [Implementation Specification; Addressable] 45 C.F.R. §164.308(a)(4)(ii)(C), Access Establishment and Modification [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy No.: HS-6 Title: Suspension and Termination Procedures

Version: 4 Effective Date: 12/9/14

HIPAA Security Rule Language: “Implement procedures for terminating access to electronic PHI when the employment of, or other arrangement with, a workforce member ends or as required by determinations as specified in paragraph (a)(3)(ii)(B) [workforce clearance] of this section.”

Purpose Statement: When a Workforce Member’s employment or other arrangement ends or the Workforce Member’s access to ePHI is no longer appropriate, ConnectVirginia will terminate the Workforce Member’s access to ePHI.

Policy/Procedure:

TERMINATION PROCEDURES UPON A WORKFORCE MEMBER’S RESIGNATION

1. When a Workforce Member provides notice of his or her intention to end employment with ConnectVirginia, the Human Resources Manager and the Workforce Member’s supervisor will give reasonable notice to the ConnectVirginia Technical Domain Manager (or her designee), so that the departing Workforce Member’s access to the Network can be terminated when he or she ends employment or other arrangement.

2. ConnectVirginia will document the following information regarding the departing Workforce Member:

a. Date and time of receiving the Workforce Member’s notice to end employment or other arrangement at ConnectVirginia;

b. Date of the Workforce Member’s planned departure;

c. Description of the Workforce Member’s access to the Network that must be terminated; and

d. Date, time, and description of the actions taken to terminate the departing Workforce Member’s access to the Network.

TERMINATION PROCEDURES UPON A WORKFORCE MEMBER’S TERMINATION BY CONNECTVIRGINIA

1. When a Workforce Member is terminated, ConnectVirginia will immediately remove or disable the Workforce Member’s access privileges to the Network before the Workforce Member is notified of his or her termination, when feasible.

2. Such Network access privileges include, but are not limited to:

a. Workstations and server access;

b. Access to data contained within or available through the Network;


c. Access to any network that ConnectVirginia uses;

d. Email accounts; and/or

e. Inclusion on group email lists.

GENERAL RESIGNATION AND TERMINATION PROCEDURES

1. ConnectVirginia will terminate, as appropriate, a departing or terminated Workforce Member’s physical access to areas where ePHI is located within ConnectVirginia’s facilities.

2. ConnectVirginia will collect, and document the collection of, equipment and property that contains ePHI, which were used by the terminated or departing Workforce Member.

a. Such documentation will include:

i. The Workforce Member’s name;

ii. The date and time the equipment and property were returned; and

iii. The identification of the returned property and equipment.

b. ConnectVirginia will securely maintain such documentation.

3. Equipment that may contain, allow, or enable the Workforce Member to access ePHI, and which must be returned upon the Workforce Member’s termination or departure, includes, but is not limited to:

a. Portable computers;

b. Personal Digital Assistants (PDAs);

c. Name tags or name identification badges;

d. Security tokens;

e. Facility access cards; and/or

f. Building, desk, or office keys.

SUSPENSION AND TERMINATION PROCEDURES FOR CONNECTVIRGINIA SERVICES

For each ConnectVirginia service, ConnectVirginia will suspend and/or terminate ConnectVirginia Customers in accordance with the applicable ConnectVirginia Customer Agreement and applicable policy. Please see the corresponding access policies for each ConnectVirginia Service in the applicable policy sections of this manual for more details.

Responsibility: Security Officer; Technical Domain Manager (or designee); Human Resources Manager


Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(3)(ii)(C), Termination Procedures [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy No.: HS-7 Title: Security Awareness and Training Version: 1 Effective Date: 1/20/12

HIPAA Security Rule Language: “Implement a security awareness and training program for members of its workforce (including management).”

Purpose Statement: ConnectVirginia has the responsibility under the HIPAA Security Regulations for providing and documenting security awareness and training for ConnectVirginia Workforce Members in order that those persons can properly carry out their functions while appropriately safeguarding ePHI. This policy reflects ConnectVirginia’s commitment to comply with such Regulations.

Policy/Procedure:

1. ConnectVirginia will provide training and supporting reference materials to its Workforce Members, as appropriate, to carry out their functions with respect to the security of ePHI. As part of its risk analysis, pursuant to its Security Risk Management, Evaluation and Updates Policy (HS-1), ConnectVirginia will determine how often such training will be required for its Workforce Members and the method of such training.

2. ConnectVirginia will maintain sufficient records that document and confirm a Workforce Member’s completion of security awareness training, such as a document signed by each Workforce Member and the Security Officer acknowledging receipt of such training.

3. Security awareness training should include information to make Workforce Members aware of and familiar with ConnectVirginia’s HIPAA Security Policies and Procedures.

4. ConnectVirginia will provide security information reminders and updates to its Workforce Members, in accordance with the Security Reminders Policy (HS-8).

5. ConnectVirginia will make its Security Policies and Procedures available for reference and review by its Workforce Members who have access to ePHI.

Responsibility: Security Officer

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(5)(i), Security Awareness and Training [Standard; Required]


ConnectVirginia HIPAA Security Policy No.: HS-8 Title: Security Reminders Version: 1 Effective Date: 1/20/12

HIPAA Security Rule Language: “Implement periodic security updates.”

Purpose Statement: ConnectVirginia will periodically provide information and reminders to Workforce Members and ConnectVirginia Customers on a variety of topics designed to increase the security of the Network.

Policy/Procedure:

1. ConnectVirginia’s Security Officer will periodically, as needed, issue security information and awareness reminders to Workforce Members and ConnectVirginia Customers. Such security reminders could include:

a. Information regarding general security risks and how to follow ConnectVirginia’s HIPAA Security Policies and Procedures;

b. Information regarding how to use the Network in a manner that reduces security risks; and/or

c. Legal and business responsibilities of ConnectVirginia for protecting the ePHI exchanged through the Network.

2. ConnectVirginia will issue security reminders immediately upon, or within a reasonable time following, the occurrence of any of the following events:

a. Making substantial revisions to ConnectVirginia’s Security Policies and Procedures;

b. Implementing new, or significantly changing existing, security controls;

c. Making substantial changes to ConnectVirginia’s legal or business responsibilities;

d. Identifying substantial threats or new risks against the Network; or

e. Introducing new functions or making significant changes to existing Network functionalities.

3. Means of providing security information and awareness reminders and updates may include, but are not limited to:

a. Email reminders;

b. Posters;

c. Letters;

d. Meetings;

e. Information system sign-on messages;

f. Newsletter articles; and/or

g. Information posted to the Network.


Responsibility: Security Officer

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(5)(ii)(B), Security Reminders [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy No.: HS-9 Title: Malicious Software Version: 1 Effective Date: 1/20/12

HIPAA Security Rule Language: “Implement procedures for guarding against, detecting, and reporting malicious software.”

Purpose Statement: ConnectVirginia will implement and periodically review its processes and safeguards for guarding against, detecting, and reporting malicious software that poses risks to the privacy and security of ePHI, or to the integrity or operation of the Network.

Policy/Procedure:

1. ConnectVirginia will take all necessary and reasonable measures to protect the Network, and all media that ConnectVirginia uses upon which ePHI is contained, from malicious software, including:

a. Ensuring that anti-virus software is installed on all media devices and hardware, whether owned or used by ConnectVirginia, that contain ePHI or have access to the Network;

b. Mitigating the harm of malicious software attacks by recovering ePHI and other data contained on any media devices and hardware that have been attacked by malicious software; and

c. Requiring all Workforce Members to scan email attachments and downloads before they are opened.

2. ConnectVirginia will conduct a weekly virus scan of its network server and Workstations.

3. ConnectVirginia Workforce Members must not bypass or disable anti-virus software installed on Workstations unless they are properly authorized to do so.

4. ConnectVirginia will provide periodic training and awareness to its Workforce Members about guarding against, detecting, and reporting malicious software, including:

a. How to discover malicious software;

b. How to report malicious software;

c. How to scan for malicious software that may be contained in email attachments; and/or

d. How to use anti-virus software.

5. Workforce Members must pass electronic files through virus protection programs prior to use, pursuant to the Malicious Software Policy (HS-9).

6. Workforce Members must immediately report suspected or confirmed malicious software to the Security Officer.


Responsibility: Security Officer; Technical Domain Manager; Workforce Members

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(5)(ii)(B), Protection from Malicious Software [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy No.: HS-10 Title: Log-in Monitoring and Automatic Log-Off Version: 2 Effective Date: 9/18/12

HIPAA Security Rule Language: “Implement procedures for monitoring log-in attempts and reporting discrepancies.”

Purpose Statement: ConnectVirginia will control access to its Workstations through the use of log-in procedures and automatic log-off functionality. ConnectVirginia will use similar log-in monitoring and automatic log-off functionality for those components of the Network that are accessed through a web-based user interface.

Policy/Procedure:

LOG-IN MONITORING

1. After five consecutive, unsuccessful attempts to log on to a ConnectVirginia Workstation, the Workforce Member’s password will be disabled. All such events will be logged as part of the monthly audit report pursuant to the Information System Activity Review Policy (HS-2).

2. If a Workforce Member’s password is disabled due to unsuccessful log-on attempts, the Workforce Member should contact the Help Desk.

3. The Help Desk will verify the Workforce Member’s identity and determine whether the Workforce Member’s access was disabled because of five consecutive, unsuccessful attempts to log on or for another reason.

4. After verifying the Workforce Member’s identity and that such Workforce Member’s access was disabled because of unsuccessful log-on attempts, the Help Desk will issue the Workforce Member a new, temporary password. The Workforce Member will then use the temporary password to log on to the Workstation and re-set his or her own individual password in accordance with the Password Management Policy (HS-11).

AUTOMATIC LOG-OFF

1. A Workforce Member will be automatically logged off a ConnectVirginia Workstation after 30 minutes of inactivity.

2. To activate a new session, a Workforce Member will have to log on to the Workstation using his or her username and password.
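The two HS-10 controls above (password disabled after five consecutive failed log-on attempts, every such event logged for the monthly audit report, and log-off after 30 minutes of inactivity) replayed over a constructed Workstation event log, as an added example that is not part of this manual; the log format, the event names and the user names are assumptions made for the example:

```python
"""Added example (not ConnectVirginia's code): replay a constructed Workstation
event log through the HS-10 thresholds.  The log format, the event names and
the user names are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5                    # HS-10, Log-in Monitoring, item 1
INACTIVITY_LIMIT = timedelta(minutes=30)   # HS-10, Automatic Log-off, item 1


@dataclass
class AccountState:
    consecutive_failures: int = 0
    disabled: bool = False                     # password disabled; Help Desk reset needed
    last_activity: Optional[datetime] = None   # None means no open session


@dataclass
class Monitor:
    accounts: Dict[str, AccountState] = field(default_factory=dict)
    # Entries destined for the monthly audit report (HS-2): (timestamp, user, kind).
    audit: List[Tuple[datetime, str, str]] = field(default_factory=list)

    def handle(self, ts: datetime, user: str, event: str) -> str:
        st = self.accounts.setdefault(user, AccountState())
        # Automatic log-off: an event arriving 30 or more minutes after the last
        # activity finds the session already closed.
        if st.last_activity is not None and ts - st.last_activity >= INACTIVITY_LIMIT:
            self.audit.append((ts, user, "AUTO_LOGOFF"))
            st.last_activity = None
        if event == "LOGIN_FAIL":
            if st.disabled:
                self.audit.append((ts, user, "ATTEMPT_ON_DISABLED"))
                return "disabled"
            st.consecutive_failures += 1
            if st.consecutive_failures >= MAX_FAILED_ATTEMPTS:
                st.disabled = True
                self.audit.append((ts, user, "LOCKOUT"))
                return "locked"
            return "fail"
        if event == "LOGIN_OK":
            if st.disabled:   # the correct password no longer works once disabled
                self.audit.append((ts, user, "ATTEMPT_ON_DISABLED"))
                return "disabled"
            st.consecutive_failures = 0   # only consecutive failures count
            st.last_activity = ts
            return "session"
        if event == "ACTIVITY":
            if st.last_activity is None:
                return "logged_off"   # must log on again with username and password
            st.last_activity = ts
            return "active"
        if event == "HELPDESK_RESET":   # identity verified, temporary password issued
            st.disabled = False
            st.consecutive_failures = 0
            self.audit.append((ts, user, "RESET"))
            return "reset"
        raise ValueError(f"unknown event {event!r}")


def run_log(text: str) -> Tuple[Monitor, List[str]]:
    """Replay lines of the form '<ISO timestamp> <user> <event>' in order."""
    mon = Monitor()
    outcomes = []
    for line in text.strip().splitlines():
        ts, user, event = line.split()
        outcomes.append(mon.handle(datetime.fromisoformat(ts), user, event))
    return mon, outcomes


# Constructed sample log, not real data.
SAMPLE_LOG = """
2024-03-04T08:00:00 asmith LOGIN_FAIL
2024-03-04T08:00:05 asmith LOGIN_OK
2024-03-04T09:00:00 jdoe LOGIN_FAIL
2024-03-04T09:00:10 jdoe LOGIN_FAIL
2024-03-04T09:00:20 jdoe LOGIN_FAIL
2024-03-04T09:00:30 jdoe LOGIN_FAIL
2024-03-04T09:00:40 jdoe LOGIN_FAIL
2024-03-04T09:01:00 jdoe LOGIN_OK
2024-03-04T09:15:00 jdoe HELPDESK_RESET
2024-03-04T09:16:00 jdoe LOGIN_OK
2024-03-04T09:30:00 jdoe ACTIVITY
2024-03-04T10:05:00 jdoe ACTIVITY
"""

if __name__ == "__main__":
    mon, outcomes = run_log(SAMPLE_LOG)
    for line, outcome in zip(SAMPLE_LOG.strip().splitlines(), outcomes):
        print(f"{line:<40} -> {outcome}")
    for ts, user, kind in mon.audit:
        print("AUDIT", ts.isoformat(), user, kind)
```

Note that asmith's single failure is cleared by the following successful log-on, while jdoe's sixth attempt is refused even with a correct password until the Help Desk reset.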

Responsibility: Security Officer; Workforce Members

Regulatory Category: Administrative Safeguards


Regulatory Reference: 45 C.F.R. §164.308(a)(5)(ii)(C), Log-In Monitoring [Implementation Specification; Addressable] 45 C.F.R. §164.312(a)(2)(iii), Automatic Log-off [Technical Safeguards; Implementation Specification for Device and Media Controls; Addressable]


ConnectVirginia HIPAA Security Policy No.: HS-11 Title: Password Management Version: 2 Effective Date: 3/12/13

HIPAA Security Rule Language: “Implement procedures for creating, changing, and safeguarding passwords.”

Purpose Statement: Where ConnectVirginia requires the use of a password to access or exchange information through the Network, Workforce Members and ConnectVirginia Portal Users will be required to take appropriate measures to select and secure such passwords.

Policy/Procedure:

1. Passwords are case sensitive.

2. Workforce Members and ConnectVirginia Portal Users may not, under any circumstances, share their passwords with anyone. If a Workforce Member or ConnectVirginia Portal User does share his/her password with another person, he/she must notify the Help Desk immediately so that the password can be re-set.

3. Workforce Members and ConnectVirginia Portal Users should refrain from recording or using passwords where they may be obtained or observed by others.

Responsibility: Security Officer; Technical Domain Manager; Workforce Members; ConnectVirginia Portal Users

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(5)(ii)(D), Password Management [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy No.: HS-12 Title: Contingency Plan Version: 3 Effective Date: 12/9/14

Purpose Statement: The ConnectVirginia Contingency Plan establishes procedures to recover the Network following a disruption. ConnectVirginia has established the following objectives for this Contingency Plan:

1. Maximize the effectiveness of ConnectVirginia’s contingency operations through an established plan that consists of the following phases:

a. Notification and Activation Phase to detect and assess damage and to activate the plan;

b. Recovery Phase to restore temporary Network operations and to recover damage done to the Network; and

c. Reconstitution Phase to restore the Network’s functional capabilities to normal operations.

2. Identify the activities, resources, and procedures needed to carry out Network requirements during prolonged interruptions to normal operations.

3. Assign responsibilities to designated Workforce Members who will participate in the contingency planning strategies, and provide guidance for recovering the Network during prolonged periods of interruption to normal operations.

4. Ensure coordination with external points of contact and Vendors who will participate in the contingency planning strategies.

Policy/Procedure:

CONTINGENCY PLAN TRIGGERS

This Contingency Plan will be activated upon the occurrence of one or more of the following triggers:

1. A ConnectVirginia Service will be completely unavailable for more than 5 business hours or a total of 10 consecutive hours due to an unplanned outage.

2. Other triggers, as appropriate.

MITIGATION MEASURES

1. ConnectVirginia will use, or require its Vendors to use, at least a Tier 3 data center in connection with ConnectVirginia Services. Because of the robust protections offered by a Tier 3 data center, the likelihood of damage to the Network is very low. If there is damage to the Network, ConnectVirginia will be able to recover exact copies of ePHI, to the extent that it is maintained within the Network, pursuant to the Data Backup Plan and Disaster Recovery Plan Policy (HS-13).

2. ConnectVirginia will take various steps to mitigate any damage to the Network caused by an emergency or disaster and to continue operations after such an event. ConnectVirginia may perform these measures itself or may require other third parties, to whom ConnectVirginia has outsourced certain activities, to perform these measures.

a. Ensure that preventative controls, such as generators, waterproof tarps, sprinkler systems, and fire extinguishers will be fully operational and available at the time of an emergency or disaster.

b. Ensure that its electronic media and hardware containing ePHI or required for proper operation of the Network, including components supporting such devices, are connected to an uninterruptible, redundant power supply.

c. Ensure that ConnectVirginia will maintain service agreements with its hardware, software, and communications providers to support Network recovery.

NOTIFICATION PROCEDURES

1. ConnectVirginia personnel or a third-party representative who discovers that ConnectVirginia’s facilities, the third party’s facilities, or the Network has been affected by an emergency or disaster must notify the appropriate ConnectVirginia official, by telephone, pursuant to the following sequence:

a. Michael Matthews (804) 055-1792

b. Sandy McCleaf (804) 955-1794

2. When notified, the ConnectVirginia official will notify all others within ConnectVirginia who will be part of the contingency and recovery activities.

DAMAGE ASSESSMENT PROCEDURES

The Technical Domain Manager, or other ConnectVirginia Official, upon his or her initial review of the situation, will assess the following:

1. The cause of the disruption;

2. The potential for additional disruption or damage;

3. The affected physical area and the status of physical infrastructure;

4. The status of the Network server’s functionality and inventory, including items that may need to be replaced; and

5. The estimated time to repair services to normal operations.


ACTIVATION OF CONTINGENCY PLAN

Based on the damage assessment from the Technical Domain Manager, or other ConnectVirginia Official, ConnectVirginia senior management will determine what contingency operations and recovery activities are necessary to repair and sustain operations of the Network.

RECOVERY OPERATIONS

ConnectVirginia will restore the Network and recover any ePHI that was maintained within the Network in accordance with the following Policies and Procedures:

1. Data Backup Plan and Disaster Recovery Plan Policy (HS-13); and

2. Emergency Mode Operations Plan Policy (HS-14).

OTHER CONTINGENCY PLAN PROCEDURES

1. ConnectVirginia will perform a criticality analysis of each Network function to determine its importance to ConnectVirginia’s operations during or after a disaster in accordance with the Security Risk Management, Evaluation and Updates Policy (HS-1) and as outlined in the Applications and Data Criticality Analysis Policy (HS-15).

2. ConnectVirginia will provide periodic training materials regarding its disaster and emergency response procedures to Workforce Members, as appropriate.

3. ConnectVirginia will periodically test its Contingency Plan to ensure that critical business processes can continue in a satisfactory manner. If necessary, ConnectVirginia may revise the Contingency Plan, and the occurrence of any of the following events may result in a revision of the Contingency Plan:

a. Disaster recovery role and responsibility changes, including changes to contact information;

b. Changes to ConnectVirginia’s physical or technical infrastructure or operating systems;

c. Changes in threats to the Network; or

d. Results of testing that indicate that the plan needs to be modified to ensure that it is sufficient, accurate, and up-to-date.

Responsibility: Technical Domain Manager, other ConnectVirginia Officials as deemed necessary

Regulatory Category: Administrative Safeguards


Regulatory Reference: 45 C.F.R. §164.308(a)(7)(i), Contingency Plan [Standard; Required]


ConnectVirginia HIPAA Security Policy No.: HS-13 Title: Data Backup Plan and Disaster Recovery Plan Version: 3 Effective Date: 12/9/14

HIPAA Security Rule Language: “Establish and implement procedures to create and maintain retrievable exact copies of electronic PHI.”

“Establish (and implement as needed) procedures to restore any loss of data.”

Purpose Statement: To the extent that ConnectVirginia maintains ePHI within the Network, ConnectVirginia will implement plans to create, maintain, and recover exact copies of such ePHI. The ability to recover exact copies of this ePHI will enable ConnectVirginia to restore or recover any loss of ePHI and to restore the Network after damage caused by an emergency or disaster, such as fire, vandalism, terrorism, system failure, or natural disaster.

Policy/Procedure:

1. ConnectVirginia will use, or require its Vendors to use, at least a Tier 3 data center in connection with ConnectVirginia Services. The Tier 3 data center lies on two power grids and is further supported by a backup generator. In addition, the data center network incorporates extensive redundancy to protect data in the event of an emergency. These backup safeguards reinforce ConnectVirginia’s commitment to ensure continuous operations of its servers, which minimizes the likelihood that ePHI will be lost during an emergency or Contingency Event.

2. Despite the redundant circuits that the data center provides for ConnectVirginia’s servers to protect data exchanged through the Network, ConnectVirginia conducts weekly full backups with nightly backups of incremental data sets, and stores the backed-up data on a separate server. The information included in ConnectVirginia’s backup includes operational data sets such as CVEAM accounts and the CVEAM patient subscription lists.

3. The backup server is located at the data center, within the secured ConnectVirginia cabinet that houses the Network server.

4. ConnectVirginia will periodically test its Data Backup Plan to ensure that critical business processes can continue in a satisfactory manner during a disaster. If necessary, ConnectVirginia may revise the Data Backup Plan, and the occurrence of any of the following events may result in a revision of the Data Backup Plan:

a. Changes to ConnectVirginia’s physical or technical infrastructure or operating systems;

b. Changes in threats to the Network; or

c. Results of testing that indicate that the plan needs to be modified to ensure that it is sufficient, accurate, and up-to-date.


5. In the event of an emergency or disaster, such as a fire, vandalism, terrorism, system failure, or natural disaster, ConnectVirginia will use data retrieved from its backup server to restore Network functionality in accordance with the Contingency Plan Policy (HS-12) and the Data Backup Plan and Disaster Recovery Plan Policy (HS-13).
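As an added example that is not part of this manual, the following works out which backup sets a restore under the scheme in item 2 (a weekly full backup plus nightly incrementals) must retrieve from the backup server, and shows why a single missing nightly set is exactly what the periodic testing in item 4 should surface; the Sunday full, the catalogue layout and the dates are assumptions made for the example:

```python
"""Added example (not ConnectVirginia's code): work out which backup sets a
restore needs under the HS-13 scheme of a weekly full backup plus nightly
incrementals.  The day of the weekly full, the catalogue layout and the dates
are assumptions made for this example."""
from datetime import date, timedelta
from typing import Dict, Iterable, List

FULL_WEEKDAY = 6   # assumption: the weekly full runs on Sunday (Monday == 0)


def backup_catalogue(start: date, end: date,
                     missing: Iterable[date] = ()) -> Dict[date, str]:
    """Expected catalogue: 'full' on FULL_WEEKDAY, 'incr' every other night.
    Dates in `missing` are left out to simulate a failed backup job."""
    skipped = set(missing)
    catalogue: Dict[date, str] = {}
    day = start
    while day <= end:
        if day not in skipped:
            catalogue[day] = "full" if day.weekday() == FULL_WEEKDAY else "incr"
        day += timedelta(days=1)
    return catalogue


def restore_chain(catalogue: Dict[date, str], target: date) -> List[date]:
    """Sets to apply, oldest first, to recover the state as of the `target` night.

    Every incremental since the last full is required: one missing night breaks
    the chain, which is what periodic restore testing is meant to catch."""
    fulls = [d for d, kind in catalogue.items() if kind == "full" and d <= target]
    if not fulls:
        raise ValueError(f"no full backup on or before {target}")
    base = max(fulls)
    chain = [base]
    day = base + timedelta(days=1)
    while day <= target:
        if catalogue.get(day) != "incr":
            raise ValueError(f"incremental for {day} missing; chain from {base} is broken")
        chain.append(day)
        day += timedelta(days=1)
    return chain


if __name__ == "__main__":
    # Constructed two-week catalogue starting on a Sunday (2024-03-03).
    healthy = backup_catalogue(date(2024, 3, 3), date(2024, 3, 16))
    print(restore_chain(healthy, date(2024, 3, 13)))   # Sunday full + Mon..Wed incrementals
    damaged = backup_catalogue(date(2024, 3, 3), date(2024, 3, 16),
                               missing=[date(2024, 3, 12)])
    try:
        restore_chain(damaged, date(2024, 3, 13))
    except ValueError as err:
        print("restore test failed:", err)
```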

Responsibility: Security Officer; Technical Domain Manager

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(7)(ii)(A), Data Backup Plan [Implementation Specification; Required] 45 C.F.R. §164.310(d)(2)(iv), Data backup and storage [Implementation Specification; Addressable] 45 C.F.R. §164.308(a)(7)(ii)(B), Disaster Recovery Plan [Implementation Specification; Required] 45 C.F.R. §164.308(a)(7)(ii)(D), Testing and Version Procedures [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy No.: HS-14 Title: Emergency Mode Operation Plan Version: 1 Effective Date: 1/20/12

HIPAA Security Rule Language: “Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.”

Purpose Statement: ConnectVirginia will develop and implement an Emergency Mode Operation Plan to enable the continuation of its critical business processes and to protect the security of ePHI while ConnectVirginia operates in emergency mode. ConnectVirginia’s Emergency Mode Operation Plan will permit authorized Workforce Members and ConnectVirginia Customers to access and use the Network during and immediately following an emergency or disaster. Emergency mode operation procedures detailed in the Emergency Mode Operation Plan must be tested on a periodic basis to ensure that critical business processes can continue in a satisfactory manner while ConnectVirginia operates in emergency mode.

Policy/Procedure:

1. ConnectVirginia’s Emergency Mode Operation Plan will:

a. Define and categorize reasonably foreseeable emergencies and/or disasters that could have an impact on the confidentiality, integrity, and availability of ePHI that is exchanged through the Network.

b. Include a procedure that specifies how ConnectVirginia will react to emergencies and disasters.

c. Include a procedure that outlines how ConnectVirginia will maintain security processes and controls during and immediately following an emergency or disaster.

d. Authorize designated Workforce Members to enter ConnectVirginia’s offices and facilities and any offsite location where backup media are stored to maintain the security process and controls of the Network.

e. Identify the roles that particular ConnectVirginia Workforce Members will serve while ConnectVirginia is operating in emergency mode.

f. Identify the roles of designated Workforce Members who will be permitted to administer or modify processes and controls that protect the security of ePHI while ConnectVirginia is operating in emergency mode.

2. ConnectVirginia will make its Emergency Mode Operations Plan easily available to its Workforce Members at all times.

3. ConnectVirginia will periodically test its Emergency Mode Operations Plan to ensure that critical business processes can continue in a satisfactory manner. If necessary, ConnectVirginia may revise the Emergency Mode Operations Plan, and the occurrence of any of the following events may result in a revision of the Emergency Mode Operations Plan:

a. Disaster recovery role and responsibility changes, including changes to contact information.

b. Changes to ConnectVirginia’s physical or technical infrastructure or operating systems.

c. Changes in threats to the Network.

d. Results of testing that indicate that the plan needs to be modified to ensure that it is sufficient, accurate, and up-to-date.

Responsibility: Security Officer; Technical Domain Manager

Regulatory Category: Administrative Safeguards

Regulatory Reference: 45 C.F.R. §164.308(a)(7)(ii)(C), Emergency Mode Operation Plan [Implementation Specification; Required] 45 C.F.R. §164.308(a)(7)(ii)(D), Testing and Version Procedures [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy No.: HS-15 Title: Applications and Data Criticality Analysis Version: 2 Effective Date: 9/18/12

HIPAA Security Rule Language: “Assess the relative criticality of specific applications and data in support of other contingency plan components.”

Purpose Statement: The purpose of the criticality analysis is for ConnectVirginia to document the impact to its services, processes, and operating objectives if a disaster or other emergency causes any or all of the Network’s functions to become unavailable for a documented period of time. The criticality analysis will serve as the basis for the prioritization of each Network function and the importance of the function to ConnectVirginia’s business operations during a disaster.

Policy/Procedure:

1. To prioritize functions within the Network for disaster recovery, the Technical Domain Manager will develop a matrix, which:

a. Inventories all the ConnectVirginia Services; and

b. Determines the necessity of each ConnectVirginia Service to ConnectVirginia’s operations.

2. The matrix will be used to determine which of the Network functions are most important to the operation of ConnectVirginia’s critical business operation and thereby determine how disaster recovery efforts will be focused during a Contingency Event or other disaster.

3. The matrix may direct:

a. Which ConnectVirginia Services will be restored first; and/or

b. Which ConnectVirginia Services will receive the first line of assistance during a disaster.

4. ConnectVirginia will conduct a yearly data criticality analysis as part of its risk assessment in accordance with the Security Risk Management, Evaluation and Updates Policy (HS-1).

5. The Technical Domain Manager will be responsible for documenting all activities relating to the data criticality analysis and providing such documentation to any Vendor that needs this information in connection with the Emergency Mode Operations Plan Policy (HS-14). Such documentation will be maintained and retained by the Security Officer for six years from the date of creation.

Responsibility: Technical Domain Manager; Security Officer; Vendor

Regulatory Category: Administrative Safeguards


Regulatory Reference: 45 C.F.R. §164.308(a)(7)(ii)(E), Applications and Data Criticality Analysis [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy No.: HS-16 Title: Facility Access and Security Version: 2 Effective Date: 9/18/12

HIPAA Security Rule Language: “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

Purpose Statement: ConnectVirginia and its Vendor(s), to the extent applicable, will ensure that physical access to the servers that host the Network is limited.

Policy/Procedure:

FACILITY ACCESS AND SECURITY CONTROLS

1. The servers that support the Network are housed in a Tier 3 data center. ConnectVirginia, in its discretion, may relocate its servers to another Tier 3 or higher data center.

2. All ConnectVirginia servers are contained within ConnectVirginia’s designated, locked cage at the data center.

3. The data center is locked at all times, and only grants authorized personnel limited physical access through the use of biometric security measures. In addition, the following security controls are utilized in the data center to protect the facility, and ConnectVirginia’s servers, from unauthorized access, tampering and theft:

a. Signs and warnings stating that access to an area is restricted

b. Surveillance cameras

c. Alarms

ConnectVirginia, in its discretion, may evaluate, from time to time, the need for additional security controls to be put into place by its Vendors to protect the physical security of its servers.

4. Designated Workforce Members and/or Vendor personnel will personally supervise all visitors and Vendors for as long as they are physically present at the secured cabinet in the data center that houses the servers.

FACILITY REPAIRS AND MODIFICATIONS

1. The data center is responsible for conducting all necessary repairs and modifications to its facility to either repair or enhance its security features.

2. The data center will notify the Security Officer if any repairs or modifications are required for the cabinet containing ConnectVirginia’s server and backup server. ConnectVirginia will document and maintain such notifications.


Responsibility: Security Officer; Vendor

Regulatory Category: Physical Safeguards

Regulatory Reference:

45 C.F.R. §164.310(a)(1), Facility Access Controls [Standard; Required]

45 C.F.R. §164.310(a)(2)(i), Contingency Operations [Implementation Specification; Addressable]

45 C.F.R. §164.310(a)(2)(ii), Facility Security Plan [Implementation Specification; Addressable]

45 C.F.R. §164.310(a)(2)(iii), Access Control and Validation Procedures [Implementation Specification; Addressable]

45 C.F.R. §164.310(a)(2)(iv), Maintenance Records [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy

Policy No.: HS-17

Title: Workstation Use and Security

Version: 1 Effective Date: 1/20/12

HIPAA Security Rule Language: “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI.”

“Implement physical safeguards for workstations that access electronic PHI to restrict access to authorized users.”

Purpose Statement: Workstations will be used in a manner that is consistent with ConnectVirginia’s business purposes. ConnectVirginia requires the implementation of reasonable physical safeguards to protect all Workstations and other electronic devices that access, store or transmit ePHI from theft or unauthorized use. ConnectVirginia will periodically review, and may modify, as appropriate, the permitted and prohibited uses of Workstations and the security controls implemented to protect Workstations in accordance with the Security Risk Management, Evaluation and Updates Policy (HS-1). ConnectVirginia will periodically distribute training and education materials to Workforce Members regarding the use and security of Workstations used to access the Network.

Policy/Procedure:

1. ConnectVirginia’s Workstations will only be used for business purposes.

2. ConnectVirginia will locate Workstations in physically secure areas and will physically position Workstations in ways that minimize unauthorized viewing of ePHI.

3. Workstations will not be located in any of the following locations:

a. Public walkways

b. Hallways

c. Waiting areas

d. Any other area where unauthorized viewing of ePHI may occur

4. In the event that unauthorized viewing of ePHI cannot be minimized by positioning the Workstation, ConnectVirginia will install a screen filter on the Workstation.

5. ConnectVirginia will require Workforce Members to have unique user identifiers and passwords to gain access to their Workstations.

6. Workforce Members must activate workstation locking software upon leaving a Workstation for more than five (5) minutes.

7. Workforce Members must log off from their Workstations when their work-day shift is complete.

8. ConnectVirginia will ensure that anti-virus software, which is configured to receive anti-virus updates, is installed on all Workstations that its Workforce Members use in accordance with the Malicious Software Policy (HS-9).

9. These same Workstation security procedures apply to all Workstations regardless of the Workstation’s location.

10. Portable Workstations must be physically secured at all times when not in the Workforce Member’s immediate possession while such Workstations are off-site.

Responsibility: Security Officer; Technical Domain Manager; Workforce Members

Regulatory Category: Physical Safeguards

Regulatory Reference:

45 C.F.R. §164.310(b), Workstation Use [Standard; Required]

45 C.F.R. §164.310(c), Workstation Security [Standard; Required]


ConnectVirginia HIPAA Security Policy

Policy No.: HS-18

Title: Device and Media Controls

Version: 2 Effective Date: 9/18/12

HIPAA Security Rule Language: “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic PHI into and out of a facility, and the movement of these items within the facility.”

Purpose Statement: ConnectVirginia will take reasonable and appropriate steps to control its hardware and electronic media throughout the media’s entire lifecycle, from initial receipt to final removal. Such control includes reasonably and appropriately protecting, accounting for, storing, backing up, and disposing of its hardware and electronic media in accordance with specific control procedures and tracking all incoming hardware and electronic media and transfers of hardware and electronic media as they are moved into and out of ConnectVirginia’s direct control and premises.

Policy/Procedure:

INVENTORY AND MOVEMENT OF HARDWARE AND ELECTRONIC MEDIA

1. ConnectVirginia will periodically take an inventory of hardware and electronic media that contain ePHI. Workforce Members will be advised that they should not save any ePHI to electronic media unless required to perform their job functions.

2. If a Workforce Member is required to save ePHI to electronic media to perform his or her job functions, it may only be saved to hard drives and approved USB drives. No other media may be used to store ePHI.

3. Prior to moving hardware or other electronic media that contain ePHI outside of ConnectVirginia’s facilities and out of the direct control of ConnectVirginia, the Security Officer must be notified of and grant authorization for such movement.

4. ConnectVirginia will maintain documented records regarding the movement outside of ConnectVirginia’s facilities and direct control of hardware and electronic media that contains ePHI. Documentation regarding the movement of hardware or electronic media will be required only for desktop computers, laptops, and other media storage devices that can be tracked. The following information must be documented in each record regarding the movement of hardware or electronic media:

a. Date of movement

b. Method of movement

c. Description of the moved medium

d. Dates indicating the time period that the moved medium was used at ConnectVirginia

e. Dated signatures of the Security Officer and all Workforce Members supervising the movement.


DISPOSAL OF EPHI, HARDWARE AND ELECTRONIC MEDIA

1. ConnectVirginia will take all reasonable and appropriate steps to remove ePHI from hardware and electronic media prior to the final disposal of the hardware or electronic media.

2. The Security Officer or designee will determine which sanitization method is appropriate for the removal of ePHI from hardware and/or electronic media.

3. The following sanitization methods may be used to remove ePHI from hardware and/or electronic media:

a. Clearing

i. Overwrites storage space on the hardware or electronic media with non-sensitive data.

ii. The hardware and/or electronic media type and size may influence whether overwriting is a suitable sanitization method.

iii. ConnectVirginia will consult the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization, Publication 800-88 regarding recommendations for clearing different media types.

b. Purging

i. Degaussing is an acceptable method of purging.

ii. Degaussing exposes the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains.

iii. Degaussing cannot be used to purge nonmagnetic media, such as optical discs (CDs and DVDs) or flash-based media (solid-state drives and USB drives), because they store no magnetic domains for the field to disrupt.

iv. ConnectVirginia will consult the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization, Publication 800-88 regarding its recommendations for purging different media types.

4. If hardware and/or electronic media cannot be cleared or purged, the only method of disposal is to physically destroy the hardware and/or electronic media. Acceptable methods of destroying hardware and/or electronic media include:

a. Disintegration

b. Incineration

c. Pulverization

d. Melting

e. Shredding

5. ConnectVirginia will document the disposal of all hardware and electronic media and the steps taken to remove ePHI prior to the disposal of such hardware and electronic media.

6. The Security Officer or his or her designee will inspect all hardware and electronic media to ensure that all ePHI has been removed from the hardware or electronic media prior to disposal.
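The clearing method in item 3.a and the inspection step in item 6 above are the two halves of one procedure: overwrite the media, then read it back to confirm the ePHI is gone. The following is an added example of that procedure, written for this edit and not code from ConnectVirginia or its Vendors. It runs against a temporary disk image filled with a constructed sample record (not real patient data); the block size, the single zero-fill pass and the sampling option are the editor's assumptions. On a real magnetic disk the same functions would be pointed at the block device; on SSDs and USB flash an overwrite is not a reliable purge, as the comments note.

```python
import os
import secrets
import tempfile

BLOCK_SIZE = 4096  # assumed I/O unit; any multiple of the sector size works

# Constructed sample content standing in for ePHI on a disk image (not real data).
SAMPLE_RECORD = b"PATIENT: JANE DOE  MRN: 0000001  DX: hypertension\n"


def device_size(f):
    """Size in bytes of an open image file or block device.

    os.path.getsize() reports 0 for block devices such as /dev/sdX on Linux,
    so seek to the end and read the offset instead.
    """
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def clear_media(path, pattern=b"\x00", passes=1):
    """Clear (in the NIST SP 800-88 sense) by overwriting every byte with `pattern`.

    Adequate for magnetic disks and file-backed images. Not adequate for SSDs
    or USB flash: wear levelling and over-provisioned blocks are never reached
    by a host-side overwrite, so those must be purged with the drive's own
    sanitize/crypto-erase command or physically destroyed.
    """
    if len(pattern) != 1:
        raise ValueError("pattern must be a single byte")
    with open(path, "r+b", buffering=0) as f:
        size = device_size(f)
        buf = pattern * BLOCK_SIZE
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(BLOCK_SIZE, remaining)
                f.write(buf[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not trust the page cache; force the writes to the media
        return size


def verify_cleared(path, pattern=b"\x00", sample_blocks=None):
    """Read back every block (or a random sample) and confirm it holds only `pattern`.

    SP 800-88 expects verification after sanitization. Full read-back is the
    default; sampling is for very large media where a full pass is impractical.
    """
    with open(path, "rb", buffering=0) as f:
        size = device_size(f)
        nblocks = (size + BLOCK_SIZE - 1) // BLOCK_SIZE
        indices = range(nblocks)
        if sample_blocks is not None and sample_blocks < nblocks:
            indices = sorted(secrets.SystemRandom().sample(range(nblocks), sample_blocks))
        for i in indices:
            f.seek(i * BLOCK_SIZE)
            chunk = f.read(BLOCK_SIZE)
            if chunk != pattern * len(chunk):
                return False
    return True


def contains(path, needle):
    """True if `needle` occurs anywhere in the image (crude recovery check; images only)."""
    with open(path, "rb") as f:
        return needle in f.read()


def build_sample_image(size=256 * 1024):
    """Create a temporary disk image filled with the constructed sample record."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        written = 0
        while written < size:
            f.write(SAMPLE_RECORD)
            written += len(SAMPLE_RECORD)
    return path


def sanitize_demo():
    """End to end: build image, confirm ePHI present, clear, verify, remove the image."""
    path = build_sample_image()
    try:
        before = contains(path, b"JANE DOE")
        size = clear_media(path)
        after = contains(path, b"JANE DOE")
        verified = verify_cleared(path)
        return {"before": before, "after": after, "verified": verified, "bytes": size}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(sanitize_demo())
```

The verification step is the part worth keeping even when a vendor tool does the overwrite: the record the Security Officer signs under item 5 should state that read-back succeeded, not merely that a wipe was started.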

MEDIA RE-USE

1. For the internal re-use of hardware and/or electronic media, such as the re-deployment of a computer to another Workforce Member, ConnectVirginia will reformat the hardware and/or electronic media so that the files previously stored on it are not accessible. Because a quick format rebuilds only the file system index and leaves the file contents recoverable, the reformat must overwrite the storage (clearing, as described in the Disposal procedures of this Policy).

2. For external re-use of hardware and/or electronic media (e.g. donation or return of leased hardware), ConnectVirginia will completely and permanently remove ePHI from the hardware and/or electronic media in accordance with the Disposal procedures of this Policy.

Responsibility: Security Officer; Technical Domain Manager; Workforce Members

Regulatory Category: Physical Safeguards

Regulatory Reference:

45 C.F.R. §164.310(d)(1), Device and Media Controls [Standard; Required]

45 C.F.R. §164.310(d)(2)(i), Disposal [Implementation Specification; Required]

45 C.F.R. §164.310(d)(2)(ii), Media Re-Use [Implementation Specification; Required]

45 C.F.R. §164.310(d)(2)(iii), Maintenance of Records regarding Movements of Hardware and Media [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy

Policy No.: HS-19

Title: Technical Access Controls

Version: 2 Effective Date: 3/12/13

HIPAA Security Rule Language: “Implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights as specified in 45 C.F.R. §164.308(a)(4).”

45 C.F.R. §164.308(a)(4) states, “Implement policies and procedures for authorizing access to electronic PHI that are consistent with the applicable requirements of subpart E of this part.”

Purpose Statement: To protect the confidentiality, integrity, and availability of ePHI, ConnectVirginia has taken reasonable and appropriate steps to ensure that there are technical safeguards to control and restrict access to the Network to persons who are authorized to have such access in accordance with the Information Access Management Policy (HS-5).

Policy/Procedure:

ConnectVirginia will implement appropriate technical security controls and methods that permit only authorized persons to access the Network. Such controls and methods may include, but are not limited to, the following:

1. When appropriate, issuance of unique user identifications (user IDs) for each Portal User to be used in conjunction with passwords.

2. Emergency access procedures that enable authorized Workforce Members to obtain access to the Network during a disaster or other emergency.

3. Activation of password protected screensaver on internal Workstations after a designated period of inactivity.

4. Automatic log-off after a designated period of inactivity in accordance with the Log-in Monitoring and Automatic Log-Off Policy (HS-10).

5. Requiring Workforce Members to logoff or lock Workstations upon leaving their work areas.

6. Encryption, when appropriate, of ePHI exchanged through the Network.

EMERGENCY ACCESS PROCEDURE

ConnectVirginia may not need to access the Network during an emergency or disaster. However, if ConnectVirginia does require such access during an emergency or disaster, ConnectVirginia will follow the procedures outlined in its Contingency Plan Policy (HS-12) and Emergency Mode Operations Plan Policy (HS-14) regarding who has access to the Network.


WORKSTATION SCREENSAVERS FOR CONNECTVIRGINIA WORKFORCE MEMBERS

1. All ConnectVirginia Workstations will be equipped with screensavers that will automatically activate after 5 minutes of inactivity.

2. Workforce Members can only deactivate the Workstation screensaver by entering their confidential password when prompted.

ENCRYPTION AND DECRYPTION

1. Based on its risk analysis in accordance with the Security Risk Management, Evaluation and Updates Policy (HS-1), ConnectVirginia will determine when to implement encryption for ePHI exchanged through the Network and the type and quality of the encryption algorithm and cryptographic key length for data that ConnectVirginia controls and maintains.

2. The Security Officer will approve the encryption mechanism that ConnectVirginia will use.

3. When encryption is used, ConnectVirginia will:

a. Protect its cryptographic keys against modification and destruction, and protect its private keys against unauthorized disclosure.

b. Manage the cryptographic keys used to encrypt ePHI exchanged through the Network.

c. Periodically determine activation and deactivation dates for its cryptographic keys.

Responsibility: Security Officer; Technical Domain Manager; Vendors

Regulatory Category: Technical Safeguards

Regulatory Reference:

45 C.F.R. §164.312(a)(1), Access Control [Standard; Required]

45 C.F.R. §164.312(a)(2)(i), Unique User Identification [Implementation Specification; Required]

45 C.F.R. §164.312(a)(2)(ii), Emergency Access Procedure [Implementation Specification; Required]

45 C.F.R. §164.312(a)(2)(iii), Automatic Logoff [Implementation Specification; Addressable]

45 C.F.R. §164.312(a)(2)(iv), Encryption and Decryption [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy

Policy No.: HS-20

Title: Integrity

Version: 2 Effective Date: 9/18/12

HIPAA Security Rule Language: “Implement policies and procedures to protect electronic PHI from improper alteration or destruction.”

Purpose Statement: To safeguard ePHI, it is important to ensure that ePHI has not been altered or destroyed in an unauthorized manner. Therefore, ConnectVirginia will take reasonable and appropriate steps to protect the integrity of ePHI exchanged through the Network.

Policy/Procedure:

1. Under no circumstances are Workforce Members permitted to modify or alter clinical information exchanged through the Network.

2. Except as set forth in this Policy, Deletion of ConnectVirginia Encounter Alerts Reports Policy (PORT-15) or ConnectVirginia’s Use and Disclosure of PHI in ConnectVirginia EXCHANGE Policy (CE-9), ePHI exchanged through the Network will not be destroyed without first providing notice to and receiving authorization from the Security Officer in accordance with the Device and Media Controls Policy (HS-18).

3. ConnectVirginia has sufficient policies and procedures in place that minimize the need to authenticate ePHI; therefore, it is not reasonable or appropriate to implement additional mechanisms to authenticate ePHI.

Responsibility: Security Officer

Regulatory Category: Technical Safeguards

Regulatory Reference:

45 C.F.R. §164.312(c)(1), Integrity [Standard; Required]

45 C.F.R. §164.312(c)(2), Mechanism to Authenticate Electronic PHI [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy

Policy No.: HS-21

Title: Person or Entity Authentication

Version: 3 Effective Date: 3/12/13

HIPAA Security Rule Language: “Implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed.”

Purpose Statement: To protect the confidentiality, integrity, and availability of ePHI, ConnectVirginia will maintain a documented process for verifying the identity of any person or entity prior to granting access to the Network.

Policy/Procedure:

1. ConnectVirginia relies upon the ConnectVirginia EXCHANGE Nodes to authenticate their respective Users before providing such Users with access to ConnectVirginia EXCHANGE.

2. ConnectVirginia requires the use of authentication before access to the ConnectVirginia Portals is granted.

a. User IDs are assigned in accordance with the Technical Access Controls Policy (HS-19).

b. All passwords must be complex and confidential in accordance with the Password Management Policy (HS-11).

3. ConnectVirginia will not allow redundant authentication credentials: each credential identifies exactly one person or entity, and credentials are not shared between Users.

4. When feasible, ConnectVirginia will mask, suppress, or otherwise obscure the passwords of persons and entities seeking access to the Network so that unauthorized persons are not able to observe such passwords.

5. ConnectVirginia will limit persons seeking access to the Network to five consecutive failed authentication attempts. Exceeding this limit may result in:

a. Logging of the event for review;

b. Disabling of the Workforce Member’s or ConnectVirginia Customer’s password; or

c. Notifying the Security Officer or other appropriate ConnectVirginia official.

6. The credentials of each Workforce Member and ConnectVirginia Customer will be verified pursuant to the Information Access Management Policy (HS-5).
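Items 5 and 6 above describe a lockout rule (five consecutive failures, then logging, disabling the credential and notifying the Security Officer). The following is an added example of how such a rule is enforced in code; it is written for this edit and is not ConnectVirginia's or any Vendor's implementation. The credential store, the PBKDF2 password hashing, the 15-minute lockout window and the event names are the editor's assumptions, chosen so the block runs offline; the Policy itself fixes only the limit of five.

```python
import hashlib
import hmac
import logging
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5    # the limit set in item 5 of this Policy
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window; the Policy does not fix one

log = logging.getLogger("auth")


def _pbkdf2(password, salt):
    # Slow, salted hash so a leaked store cannot be brute-forced quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: user -> (salt, password hash). Not real accounts.
_SALT = b"constructed-salt-value"
CREDENTIALS = {
    "jdoe": (_SALT, _pbkdf2("correct horse battery staple", _SALT)),
}


def verify_password(user, password):
    """Constant-time comparison; unknown users still pay the hashing cost."""
    rec = CREDENTIALS.get(user)
    if rec is None:
        _pbkdf2(password, _SALT)  # keep timing identical for missing accounts
        return False
    salt, expected = rec
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


@dataclass
class AccountState:
    failed: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0


class LoginThrottle:
    """Counts consecutive failures per account and locks it after MAX_FAILED_ATTEMPTS."""

    def __init__(self, verify=verify_password, now=time.time):
        self._verify = verify
        self._now = now          # injectable clock so lockout expiry can be tested
        self._state = {}
        self.events = []         # security log entries for the Security Officer's review

    def _record(self, event, user):
        self.events.append({"ts": self._now(), "event": event, "user": user})
        log.warning("%s user=%s", event, user)

    def attempt(self, user, password):
        st = self._state.setdefault(user, AccountState())
        now = self._now()
        if st.locked_until > now:
            # Refuse before checking the password: a locked account must not act
            # as an oracle that tells the attacker whether a guess was right.
            self._record("attempt_while_locked", user)
            return "locked"
        if self._verify(user, password):
            st.failed = 0        # a success resets the consecutive-failure count
            return "ok"
        st.failed += 1
        self._record("auth_failure", user)
        if st.failed >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failed = 0
            self._record("account_locked", user)
            return "locked"
        return "denied"


def lockout_demo():
    """Five wrong guesses, one correct guess while locked, one after the window expires."""
    clock = {"t": 1_000.0}
    th = LoginThrottle(now=lambda: clock["t"])
    results = [th.attempt("jdoe", "wrong guess") for _ in range(5)]
    results.append(th.attempt("jdoe", "correct horse battery staple"))  # still locked
    clock["t"] += LOCKOUT_SECONDS + 1
    results.append(th.attempt("jdoe", "correct horse battery staple"))
    return results, [e["event"] for e in th.events]


if __name__ == "__main__":
    print(lockout_demo())
```

Two design points are worth carrying into any real implementation: the lock check runs before password verification, so a locked account never reveals whether a guess was correct, and the counter is per account, which means an attacker who knows a user ID can lock that user out at will. Pairing the per-account rule with a per-source rate limit, and alerting the Security Officer on the "account_locked" event rather than only logging it, covers both the denial-of-service and the notification outcome item 5 lists.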

Responsibility: Security Officer

Regulatory Category: Technical Safeguards

Regulatory Reference: 45 C.F.R. §164.312(d), Person or Entity Authentication [Standard; Required]


ConnectVirginia HIPAA Security Policy

Policy No.: HS-22

Title: Transmission Security

Version: 2 Effective Date: 12/9/14

HIPAA Security Rule Language: “Implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.”

Purpose Statement: To ensure the confidentiality, integrity, and availability of ePHI, ConnectVirginia will implement technical security measures to guard against unauthorized access to ePHI while it is transmitted over electronic communications networks.

Policy/Procedure:

1. ConnectVirginia will implement secure protocols that encrypt data while it is being electronically transmitted through the ConnectVirginia Services. Data is decrypted only on arrival at the Workforce Member's or ConnectVirginia Customer's Workstation or device, where it is presented to that person.

2. Unauthorized access to ePHI transmitted through the Network is prevented through the use of the administrative, technical and physical safeguards for the Network described in the Policies and Procedures.

Responsibility: Security Officer; Technical Domain Manager

Regulatory Category: Technical Safeguards

Regulatory Reference:

45 C.F.R. §164.312(e)(1), Transmission Security [Standard; Required]

45 C.F.R. §164.312(e)(2)(i), Integrity Controls [Implementation Specification; Addressable]

45 C.F.R. §164.312(e)(2)(ii), Encryption During Transmission [Implementation Specification; Addressable]


ConnectVirginia HIPAA Security Policy

Policy No.: HS-23

Title: Availability

Version: 1 Effective Date: 1/20/12

HIPAA Security Rule Language: “Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.”

Purpose Statement: ConnectVirginia will make all documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

Policy/Procedure:

1. ConnectVirginia will make the following documentation available to those persons responsible for implementing these Policies and Procedures:

a. Policies and procedures regarding the security of ePHI and the Network.

b. All documentation that records any updates, revisions, modifications, or deletions made to existing Privacy and Security Policies and Procedures.

c. All policies and procedures no longer in effect for a certain Security Regulation requirement or implementation specification.

d. Any other documentation that the Security Officer deems appropriate to retain and to make available to Users regarding ConnectVirginia’s Policies and Procedures.

2. The Security Officer will be responsible for ensuring that such documentation as required by the HIPAA Security Regulations is made available to Workforce Members and ConnectVirginia Customers.

3. All documentation specified in this policy will be available on the Network.

Responsibility: Security Officer

Regulatory Category: Policies, Procedures, and Documentation

Regulatory Reference: 45 C.F.R. §164.316(b)(2)(ii), Availability [Implementation Specification; Required]


ConnectVirginia Operational Policies and Procedures for the Network

ConnectVirginia Operational Policy

Policy No: O-1

Title: Subpoena Response

Version: 1 Effective Date: 1/20/12

Purpose Statement: It is important that ConnectVirginia be responsive to a subpoena request but not disclose ePHI in an inappropriate manner.

Policy/Procedure:

1. Immediately upon receipt of any subpoena, ConnectVirginia will forward said subpoena to its legal counsel.

2. ConnectVirginia will follow advice of legal counsel regarding a response to a subpoena.

3. If the subpoena is requesting the health information of a specific person or persons whose ePHI was exchanged using the Network, counsel should be advised that ConnectVirginia takes the position that it is not the custodian of medical records and, therefore, is not the proper party to respond to the subpoena.

Responsibility: ConnectVirginia


ConnectVirginia Operational Policies and Procedures for ConnectVirginia EXCHANGE

ConnectVirginia Operational Policy for ConnectVirginia EXCHANGE

Policy No: CE-1

Title: ConnectVirginia EXCHANGE Permitted Purposes

Version: 2 Effective Date: 12/9/14

Purpose Statement: ConnectVirginia has established a defined list of purposes for which information can be exchanged through ConnectVirginia EXCHANGE. By defining these purposes, ConnectVirginia can promote the privacy, security and confidentiality of information exchanged through ConnectVirginia EXCHANGE.

Policy/Procedure:

ConnectVirginia EXCHANGE Nodes and Node Users can only exchange information through ConnectVirginia EXCHANGE for the following Permitted Purposes:

1. Treatment of the individual who is the subject of the Message;

2. Payment activities of the Health Care Provider for the individual who is the subject of the Message which includes, but is not limited to, using the ConnectVirginia EXCHANGE to exchange information in response to or to support a claim for reimbursement submitted by a Health Care Provider to a Health Plan;

3. Health Care Operations of the Covered Entity that is disclosing information that contains PHI;

4. Health Care Operations of the Covered Entity requesting information that contains PHI if (i) the requester is a Health Care Provider who has an established Treatment relationship with the individual who is the subject of the Message or is using ConnectVirginia EXCHANGE on behalf of such Health Care Provider; and (ii) the purpose of the transaction is for those Health Care Operations listed in paragraphs (1) or (2) of the definition of Health Care Operations in 45 C.F.R. § 164.501 or health care fraud and abuse detection or compliance of such Health Care Provider;

5. Public health activities and reporting as permitted by Applicable Law, including the HIPAA Regulations at 45 C.F.R. § 164.512(b) or 164.514(e);

6. Any purpose to demonstrate meaningful use of certified electronic health record technology by the (i) Covered Entity that is disclosing information that contains PHI, (ii) Covered Entity that is receiving information that contains PHI or (iii) Covered Entity on whose behalf the ConnectVirginia EXCHANGE Node may properly use ConnectVirginia EXCHANGE to exchange information, provided that the purpose is not otherwise described in subsections 1-5 of this Policy and the purpose is permitted by Applicable Law, including but not limited to the HIPAA Regulations. “Meaningful use of certified electronic health record technology” has the meaning assigned to it in the regulations


promulgated by the Department of Health and Human Services under the American Recovery and Reinvestment Act, Sections 4101 and 4102; and

7. Uses and disclosures pursuant to an Authorization provided by the individual who is the subject of the Message or such individual’s personal representative as described in 45 C.F.R. § 164.502(g) of the HIPAA Regulations.

Responsibility: ConnectVirginia, ConnectVirginia EXCHANGE Nodes and Node Users


ConnectVirginia Operational Policy for ConnectVirginia EXCHANGE

Policy No: CE-2

Title: ConnectVirginia EXCHANGE Node Eligibility Criteria

Version: 1 Effective Date: 9/18/12

Purpose Statement: For consistency and fairness, the ConnectVirginia Board of Directors has established eligibility criteria against which applications for participation can be evaluated.

Policy/Procedure:

To be eligible to be a ConnectVirginia EXCHANGE Node, an Applicant must meet all of the following general eligibility requirements:

1. Organizational, Governance, Legal and Policy Criteria

a. The Applicant must be a valid legal entity or a governmental agency that oversees and conducts, on its own behalf and/or on behalf of its ConnectVirginia EXCHANGE Node Users, electronic transactions or exchanges of health information among groups of persons or organizations in Virginia.

b. The Applicant must have the organizational infrastructure and legal authority (through statutes, regulations, organizational agreements, contracts or binding policies) to comply with the obligations in the ConnectVirginia EXCHANGE Trust Agreement and to require its ConnectVirginia EXCHANGE Node Users to comply with applicable requirements of the ConnectVirginia EXCHANGE Trust Agreement.

c. The Applicant must sign the ConnectVirginia EXCHANGE Trust Agreement.

2. Technical: The Applicant must attest that it has the technical resources and ability to meet the ConnectVirginia EXCHANGE Onboarding and Certification Specifications.

3. Financial: The Applicant must demonstrate that it has sufficient financial resources to successfully onboard and maintain its participation in ConnectVirginia EXCHANGE.

Responsibility: ConnectVirginia, ConnectVirginia EXCHANGE Node Applicants


ConnectVirginia Operational Policy for ConnectVirginia EXCHANGE

Policy No: CE-3

Title: ConnectVirginia EXCHANGE Application Review Policy

Version: 2 Effective Date: 12/9/14

Purpose Statement: The ConnectVirginia Board of Directors is responsible for determining whether to admit new ConnectVirginia EXCHANGE Nodes that will be able to exchange information as part of ConnectVirginia EXCHANGE. To fulfill this responsibility, ConnectVirginia will review and act on Applications for participation submitted by organizations that wish to become ConnectVirginia EXCHANGE Nodes. This policy outlines a framework for this review and determination process.

Policy/Procedure:

PURPOSE OF APPLICATIONS FOR PARTICIPATION

Through the Application, the Applicant shall demonstrate to the satisfaction of the Board of Directors that, at the time the Application is submitted, it meets the applicable eligibility requirements set forth in the ConnectVirginia EXCHANGE Node Eligibility Criteria Policy (CE-2).

RECEIPT OF APPLICATIONS

Applicants should forward an electronic copy of the completed Application and all supporting documents to [email protected]. Original signed hard copies of the Application, supporting documents and Application Fee should be sent to ConnectVirginia, 4900 Cox Road, Suite 245, Glen Allen, Virginia 23060.

ConnectVirginia will catalog all Applications upon receipt by recording the date of receipt, the name of the Applicant, the Applicant’s primary contact, and payment of the Application Fee, if applicable pursuant to the ConnectVirginia EXCHANGE Fees Policy (CE-11). ConnectVirginia will verify that an Applicant has responded to each element of the Application and submitted any required Application Fee. If an Applicant has failed to respond to any applicable items on the Application or did not submit the required Application Fee, ConnectVirginia will return the Application to the Applicant for completion.

PROCESS FOR REVIEWING AND EVALUATING APPLICATIONS FOR PARTICIPATION

A. Application Review Deadlines

The ConnectVirginia Board of Directors shall consider, at a regularly scheduled meeting, all Applications which are received by ConnectVirginia at least three (3) weeks prior to the Board of Directors’ meeting. ConnectVirginia Management will forward a summary of each Application that will be considered by the Board of Directors to the Board’s members as part of the read-ahead packet for the meeting along with Management’s recommendation on whether the Applicant meets the eligibility criteria.

B. Eligibility Review Process

Upon a determination by ConnectVirginia that an Application for Participation is complete, the Board of Directors will review the Application to determine whether the Applicant meets the Eligibility Criteria in the ConnectVirginia EXCHANGE Node Eligibility Criteria Policy (CE-2) and its responses on the Application and any supporting documentation are adequate for acceptance of the Applicant as a ConnectVirginia EXCHANGE Node.

As the Application is under review, the Board of Directors may consult with the Applicant, request additional information regarding the Application, suggest changes or modifications to the Application including the supporting documentation or make other recommendations the Board of Directors deems reasonably necessary during the evaluation. In addition, the Board of Directors may request verification of elements of the Application. The Board of Directors may also consider an Applicant’s previous participation in ConnectVirginia EXCHANGE either as a ConnectVirginia EXCHANGE Node or Node User and the circumstances surrounding termination of Applicant’s prior participation.

The Board of Directors may request that the Applicant modify and resubmit the Application and/or supporting documentation. If an Applicant fails, or declines, to provide requested information or modify its Application, then the Board of Directors will reject the Application.

If the Board of Directors determines that the Applicant does meet the Eligibility Criteria and its responses on the Application and any supporting documentation are adequate for acceptance of the Applicant as a ConnectVirginia EXCHANGE Node, it will accept the Applicant as a ConnectVirginia EXCHANGE Node conditioned upon the successful completion of required technical Certification Testing with eHealth Exchange. If the Board of Directors determines that the Applicant does not meet the Eligibility Criteria or its responses on the Application and any supporting documentation are not adequate for acceptance of the Applicant as a ConnectVirginia EXCHANGE Node, it will reject the Applicant.

Upon any determination for acceptance or rejection of an Application, the Applicant shall be informed of the decision of the Board of Directors as well as supporting reasoning for the decision. If rejected, the Applicant will receive a refund of its Application Fee, if any, and the Applicant may submit a new Application for consideration by the Board of Directors after correcting the identified deficiencies.

ConnectVirginia will update the Application record maintained pursuant to Section II, above, with the decision of the Board of Directors.

C. Certification Testing

Once the Board of Directors has determined that an Applicant meets the Eligibility Criteria and its responses on the Application and any supporting documentation are adequate for acceptance of the Applicant as a ConnectVirginia EXCHANGE Node, the Applicant will proceed with technical Certification Testing conducted by Healtheway. The technical Certification Testing requirements are available on the Healtheway website.

ConnectVirginia Management will review the results of the Applicant’s Certification Testing to determine whether Healtheway has concluded that the Applicant has passed or failed the Certification Testing.

If the Board of Directors has conditionally accepted the Applicant, and ConnectVirginia Management has determined that the Applicant has successfully completed and passed all Certification Testing, the Applicant will be admitted to ConnectVirginia EXCHANGE as a ConnectVirginia EXCHANGE Node. Once the Applicant is admitted to ConnectVirginia EXCHANGE as a ConnectVirginia EXCHANGE Node, the Applicant will begin paying the Participation Fee in accordance with the ConnectVirginia EXCHANGE Fees Policy (CE-11).

If the Board of Directors has conditionally accepted the Applicant, and ConnectVirginia Management has determined that the Applicant has failed to successfully complete all Certification Testing, the Applicant’s Application will be rejected.

If an Applicant’s Application is rejected by ConnectVirginia after the Applicant has commenced Certification Testing, the Applicant may re-apply following the process set forth in this Policy, including paying an additional Application Fee.

WITHDRAWAL OF AN APPLICATION TO PARTICIPATE

Any Applicant may withdraw its Application at any time by informing the Board of Directors of such withdrawal. If the Applicant withdraws its Application prior to commencing Certification Testing, it will receive a full refund of its Application Fee. If the Applicant withdraws its Application after it commences Certification Testing, it will not receive a refund of its Application Fee.

Responsibility: ConnectVirginia, Applicants

ConnectVirginia Operational Policy for ConnectVirginia EXCHANGE

Policy No: CE-4

Title: ConnectVirginia EXCHANGE Node Suspension and Termination

Version: 2 Effective Date: 12/9/14

Purpose Statement: Pursuant to the ConnectVirginia EXCHANGE Trust Agreement, a ConnectVirginia EXCHANGE Node may voluntarily suspend or terminate its right to participate in ConnectVirginia EXCHANGE. Furthermore, ConnectVirginia has the right to suspend or terminate a ConnectVirginia EXCHANGE Node. This Policy sets forth the detailed procedures for such actions.

Policy/Procedure:

SUSPENSION

A. Voluntarily by a ConnectVirginia EXCHANGE Node.

1. Service Level Interruptions

a. ConnectVirginia EXCHANGE Nodes will experience temporary service level interruptions from time to time. These service level interruptions may be planned or unplanned. A service level interruption will result in a ConnectVirginia EXCHANGE Node being temporarily unable to exchange information through ConnectVirginia EXCHANGE.

b. If a service level interruption is expected to last more than eight (8) business hours, the ConnectVirginia EXCHANGE Node will voluntarily suspend its right to access and use ConnectVirginia EXCHANGE in accordance with the ConnectVirginia EXCHANGE Trust Agreement and this Policy and Procedure.

c. If a service level interruption is expected to last less than eight (8) business hours, the ConnectVirginia EXCHANGE Node may, but is not required to, voluntarily suspend its right to access and use ConnectVirginia EXCHANGE in accordance with the ConnectVirginia EXCHANGE Trust Agreement and this Policy and Procedure.

2. Voluntary Suspension

a. In accordance with Section 21.02 of the ConnectVirginia EXCHANGE Trust Agreement, a ConnectVirginia EXCHANGE Node may suspend its own right to access and use ConnectVirginia EXCHANGE only under the following circumstances: (i) the ConnectVirginia EXCHANGE Node is doing technical maintenance or making technical modifications to its systems that require it to cease exchanging information through ConnectVirginia EXCHANGE for a limited period of time; or (ii) the ConnectVirginia EXCHANGE Node becomes aware of a privacy or security threat in its own systems that could pose a threat to ConnectVirginia EXCHANGE that can only be mitigated by temporarily ceasing to exchange information through ConnectVirginia EXCHANGE. A ConnectVirginia EXCHANGE Node may also suspend its own right to access and use ConnectVirginia EXCHANGE if the Node is experiencing a service level interruption that is expected to last more than eight (8) business hours.

b. As soon as practicable after a ConnectVirginia EXCHANGE Node determines that it desires to voluntarily suspend its participation in ConnectVirginia EXCHANGE for a reason not listed in 2a above, the Node shall submit such reason to the ConnectVirginia Executive Director. The ConnectVirginia Executive Director will communicate the reason to the Board of Directors so that the Board of Directors can decide whether such reason is a “valid purpose” as that term is used in the Trust Agreement. If the Board of Directors determines that the reason is a “valid purpose,” then the ConnectVirginia EXCHANGE Node shall follow the process outlined below to effectuate its suspension.

c. As soon as practicable after a ConnectVirginia EXCHANGE Node determines that it will be voluntarily suspending its participation in ConnectVirginia EXCHANGE for one of the reasons identified in 2a above or for a “valid purpose” as determined by the Board of Directors in accordance with Section 2b above, the ConnectVirginia EXCHANGE Node will notify the ConnectVirginia Help Desk that the ConnectVirginia EXCHANGE Node is voluntarily suspending its right to access and use ConnectVirginia EXCHANGE. The ConnectVirginia EXCHANGE Node should specify the reason for, the commencement date of, and the expected duration of the voluntary suspension.

d. Upon receiving the notification from a ConnectVirginia EXCHANGE Node of its voluntary suspension, the ConnectVirginia Help Desk will send an electronic notification to all ConnectVirginia EXCHANGE Nodes notifying them of the commencement date and the expected duration of the ConnectVirginia EXCHANGE Node’s voluntary suspension. The ConnectVirginia Executive Director will communicate the commencement date, the expected duration and the reason for the ConnectVirginia EXCHANGE Node’s voluntary suspension to the ConnectVirginia Board of Directors.

e. Any single voluntary suspension must not last for more than fourteen (14) calendar days. A ConnectVirginia EXCHANGE Node may not have a series of voluntary suspensions that cause the Node to exceed fifty-six (56) calendar days of voluntary suspension in a twelve (12) month period.

f. If the duration of the voluntary suspension will exceed fourteen (14) consecutive calendar days or cause the ConnectVirginia EXCHANGE Node to exceed fifty-six (56) calendar days of voluntary suspension in the past twelve (12) months, the ConnectVirginia Executive Director must agree to the voluntary suspension.

i. If the Executive Director approves the suspension request, the ConnectVirginia EXCHANGE Node will be notified and the ConnectVirginia Help Desk will send an electronic notification to all ConnectVirginia EXCHANGE Nodes notifying them of the commencement date and the duration of the Node’s voluntary suspension. The ConnectVirginia Executive Director will communicate the commencement date, the expected duration and the reason for the ConnectVirginia EXCHANGE Node’s voluntary suspension to the ConnectVirginia Board of Directors.

ii. If the Executive Director denies the request for voluntary suspension, the Executive Director will meet with the requesting ConnectVirginia EXCHANGE Node to discuss his/her determination and communicate his/her denial to the Board of Directors along with the reasons supporting such denial. The Executive Director and the ConnectVirginia EXCHANGE Node will work together in good faith to reach an acceptable resolution. If they cannot reach a resolution, the Board of Directors will issue a definitive resolution.

g. At the conclusion of the ConnectVirginia EXCHANGE Node’s voluntary suspension, the Node will notify the ConnectVirginia Help Desk that the Node no longer requires a voluntary suspension and is ready to resume accessing and using ConnectVirginia EXCHANGE. Once the ConnectVirginia EXCHANGE Node has notified the ConnectVirginia Help Desk, the Node and the Node’s Users may begin accessing and using ConnectVirginia EXCHANGE. The ConnectVirginia Help Desk will send an electronic notification to all ConnectVirginia EXCHANGE Nodes notifying them of the cessation of the Node’s voluntary suspension. The Executive Director will communicate this cessation of voluntary suspension to the ConnectVirginia Board of Directors.

h. The ConnectVirginia Help Desk will keep a log of all voluntary suspensions including the ConnectVirginia EXCHANGE Node name, the dates of the voluntary suspension and the reason(s) for the voluntary suspension.

B. With Cause by ConnectVirginia.

1. Prior to suspending a ConnectVirginia EXCHANGE Node in accordance with Section 21.03 of the ConnectVirginia EXCHANGE Trust Agreement, ConnectVirginia shall provide notice of such suspension to the suspended ConnectVirginia EXCHANGE Node unless providing such notice will create an immediate threat to the confidentiality, privacy or security of information exchanged through ConnectVirginia EXCHANGE or will cause irreparable harm to another party (ConnectVirginia EXCHANGE Node, ConnectVirginia EXCHANGE Node User, the integrity or operation of ConnectVirginia EXCHANGE, or consumer). The notice shall contain a written summary of the reasons for the suspension.

2. The ConnectVirginia Executive Director may suspend a ConnectVirginia EXCHANGE Node for up to thirty (30) calendar days upon completing a preliminary investigation and determining that there is a substantial likelihood that a Node’s acts or omissions create an immediate threat or will cause irreparable harm to another party including, but not limited to, a ConnectVirginia EXCHANGE Node, a ConnectVirginia EXCHANGE Node User, the integrity or operation of ConnectVirginia EXCHANGE, or an individual whose information is exchanged through ConnectVirginia EXCHANGE. Any with-cause suspension by ConnectVirginia that will last more than thirty (30) calendar days must be approved by the ConnectVirginia Board of Directors. If the ConnectVirginia Board of Directors cannot review the suspension prior to the end of the thirty (30) day period, the suspension will remain in effect until it can be reviewed by the Board of Directors.

3. Within twelve (12) hours of suspending a ConnectVirginia EXCHANGE Node, ConnectVirginia will provide to the suspended Node a written summary of the reasons for the suspension, if ConnectVirginia did not provide this prior to the suspension. The ConnectVirginia Help Desk will also provide notice of the suspension to all other ConnectVirginia EXCHANGE Nodes. The ConnectVirginia Executive Director will provide notice of the suspension as well as the reason(s) for the suspension to the ConnectVirginia Board of Directors.

4. The suspended ConnectVirginia EXCHANGE Node will use reasonable efforts to respond to the suspension notice with a detailed plan of correction or an objection to the suspension within five (5) business days or, if such submission is not reasonably feasible within five (5) business days, then at the earliest practicable time.

5. If the suspended ConnectVirginia EXCHANGE Node submits a plan of correction, ConnectVirginia will, within five (5) business days, review and either accept or reject the plan of correction.

a. If the ConnectVirginia EXCHANGE Node is objecting to the suspension, the suspension will be reviewed by the Compliance Committee within ten (10) days of receiving the Node’s objection. The Compliance Committee may either affirm or repeal the suspension. If the Compliance Committee affirms the suspension, the ConnectVirginia EXCHANGE Node must submit a plan of correction within five (5) business days of the affirmation and follow the procedures outlined herein. If the Compliance Committee repeals the suspension, the ConnectVirginia EXCHANGE Node’s right to participate in ConnectVirginia EXCHANGE will be reinstated.

b. If a ConnectVirginia EXCHANGE Node submits a plan of correction that is accepted by the Executive Director, the Node’s right to participate in ConnectVirginia EXCHANGE will be reinstated upon satisfactory completion of the plan of correction, documented so as to confirm that the problem(s) have been adequately addressed.

c. If a ConnectVirginia EXCHANGE Node submits a plan of correction that is rejected by the Executive Director, the Executive Director and the Node will work together to prepare an acceptable plan of correction. If the Executive Director and the ConnectVirginia EXCHANGE Node cannot reach agreement on the plan of correction within fourteen (14) calendar days, the ConnectVirginia Board of Directors will address the issue by mandating a certain plan of correction. The ConnectVirginia EXCHANGE Node will remain suspended at least until the Board of Directors acts on the issue.

TERMINATION

A. Voluntarily by the ConnectVirginia EXCHANGE Node.

A ConnectVirginia EXCHANGE Node may voluntarily terminate its participation in ConnectVirginia EXCHANGE in accordance with Section 21.04 of the ConnectVirginia EXCHANGE Trust Agreement.

All requests for termination by a ConnectVirginia EXCHANGE Node shall be directed to the ConnectVirginia Executive Director in writing at least ten (10) business days prior to the requested termination date. Upon receipt of a request for voluntary termination by a ConnectVirginia EXCHANGE Node, the Executive Director will promptly inform the ConnectVirginia Board of Directors. ConnectVirginia will take, or direct the proper party(ies) to take, all appropriate technical actions necessary to carry out the termination including, but not limited to, termination of the Node’s Digital Credentials. ConnectVirginia will notify all other ConnectVirginia EXCHANGE Nodes of the termination.

B. With Cause by ConnectVirginia.

The ConnectVirginia Board of Directors may terminate a ConnectVirginia EXCHANGE Node’s participation in ConnectVirginia EXCHANGE for the reasons set forth in Section 21.05 of the ConnectVirginia EXCHANGE Trust Agreement.

If the ConnectVirginia Board of Directors terminates a ConnectVirginia EXCHANGE Node, ConnectVirginia will immediately communicate this decision to the Node. ConnectVirginia will take all appropriate technical actions necessary to carry out the termination including, but not limited to, termination of the Node’s Digital Credentials. ConnectVirginia will also notify all other ConnectVirginia EXCHANGE Nodes of the termination.

Responsibility: ConnectVirginia, ConnectVirginia EXCHANGE Nodes

ConnectVirginia Operational Policy for ConnectVirginia EXCHANGE

Policy No: CE-5

Title: Dispute Resolution Process

Version: 1 Effective Date: 9/18/12

Purpose Statement: To most efficiently and effectively resolve Disputes between and among ConnectVirginia EXCHANGE Nodes, each Node has agreed to submit to the Dispute Resolution Process set forth in this Policy. This mandatory, non-binding Dispute Resolution Process only applies to Disputes between and among ConnectVirginia EXCHANGE Nodes.

Policy/Procedure:

1. Notice of a Dispute: When a Dispute arises, a ConnectVirginia EXCHANGE Node shall send written notice to the other ConnectVirginia EXCHANGE Node(s) involved in the Dispute. The notice must contain a summary of the issue as well as a recommendation for resolution. The ConnectVirginia EXCHANGE Node must send a copy of the notice to ConnectVirginia for informational purposes.

2. Informal Conference: Within thirty (30) calendar days of receiving the notice, the ConnectVirginia EXCHANGE Nodes are obligated to meet and confer with each other, at least once, in good faith and at a mutually agreeable location (or by telephone), to try to reach resolution (the "Informal Conference"). If the ConnectVirginia EXCHANGE Nodes reach a resolution at the Informal Conference, they shall provide notice to that effect to ConnectVirginia.

3. Escalation to the Executive Director: If the ConnectVirginia EXCHANGE Nodes are unable to participate in an Informal Conference during the thirty (30) calendar day period or to reach resolution at the Informal Conference, they shall each notify the Executive Director, in writing, of this fact within ten (10) business days following the end of the thirty (30) calendar day period or the Informal Conference.

a. The Executive Director will have thirty (30) calendar days in which to convene a meeting of the involved ConnectVirginia EXCHANGE Nodes (“Executive Director Meeting”). The ConnectVirginia EXCHANGE Nodes involved in the Dispute are required to participate in the Executive Director Meeting during which each Node shall be able to present its version of the Dispute and any information that it believes is pertinent to the Executive Director’s decision.

b. The Executive Director shall have the ability to request additional information from the ConnectVirginia EXCHANGE Nodes to help him/her make his/her determination. The Executive Director, however, shall not have the authority to compel a response or the production of testimony or documents by the ConnectVirginia EXCHANGE Nodes. To the extent that the ConnectVirginia EXCHANGE Nodes do respond to requests of the Executive Director by producing documents, the Nodes shall have the ability to mark the documents produced as “Confidential Business Information” and the Executive Director shall treat those documents in accordance with Section 17 of the ConnectVirginia EXCHANGE Trust Agreement.

c. The Executive Director is encouraged to develop an appropriate and equitable resolution of each submitted Dispute, considering all available evidence, the goals of ConnectVirginia and other relevant considerations. The Executive Director shall also have the authority to recommend sanctions, if he/she determines that one or more ConnectVirginia EXCHANGE Nodes breached the ConnectVirginia EXCHANGE Trust Agreement or any of the ConnectVirginia EXCHANGE Policies and Procedures which are incorporated by reference. These sanctions include, but are not limited to, developing corrective action plans, suspension of participation rights, and recommending termination of participation rights. The type of sanction will depend on the nature and severity of the breach.

d. Within fifteen (15) calendar days of the Executive Director Meeting, the Executive Director will issue a written recommendation for resolution, including an explanation of the basis and rationale of his/her recommendation. Within five (5) business days of the date on which the Executive Director issues his/her written recommendation for resolution, each ConnectVirginia EXCHANGE Node involved in the Dispute must decide whether to accept or reject the written recommendation for resolution. If a ConnectVirginia EXCHANGE Node decides to reject, in whole or in part, the Executive Director’s written recommendation for resolution, the Node must notify the Executive Director. If a ConnectVirginia EXCHANGE Node does not notify the Executive Director of its rejection of the written recommendation for resolution within such timeframe, the Node will be deemed to have agreed to it.

4. Escalation to the Board of Directors: If any ConnectVirginia EXCHANGE Node involved in the Dispute rejects, in whole or in part, the Executive Director’s recommendation for resolution within the timeframe specified in Section 3(d) of this Policy, the Dispute will be escalated to the ConnectVirginia Board of Directors.

a. Within twenty (20) calendar days of receiving notice of escalation from a ConnectVirginia EXCHANGE Node, the Board of Directors shall review the Executive Director’s recommendation along with the information on which such recommendation was based and issue a final resolution. The Board of Directors may seek additional information from the ConnectVirginia EXCHANGE Nodes to aid its resolution of the Dispute. The Board of Directors may also seek the advice of legal counsel.

b. Within seven (7) calendar days of receiving the final resolution from the Board of Directors, each ConnectVirginia EXCHANGE Node involved in the Dispute will determine whether to accept or reject the resolution in whole or in part and so notify the Board of Directors and all parties to the Dispute. If a ConnectVirginia EXCHANGE Node rejects the resolution in whole or in part, the Node will provide a written explanation of the reasons for the rejection to the Board of Directors and all parties to the Dispute. If a ConnectVirginia EXCHANGE Node in the Dispute rejects any part of the Board of Directors’ resolution, the Board of Directors will determine whether to accept that Node’s position or not and what consequences follow from that determination.

c. The Board of Directors will send a written summary of the resolution of the Dispute to all ConnectVirginia EXCHANGE Nodes. The summary will not identify the ConnectVirginia EXCHANGE Nodes involved, but will contain sufficient detail about the resolution to serve as an instructive resource for other ConnectVirginia EXCHANGE Nodes.

5. In no case shall a ConnectVirginia EXCHANGE Node be required to disclose PHI in violation of Applicable Law as part of its participation in the Dispute Resolution Process. The decision to not disclose PHI will not be held against a ConnectVirginia EXCHANGE Node in this Dispute Resolution Process.

Responsibility: ConnectVirginia, ConnectVirginia EXCHANGE Nodes

ConnectVirginia Operational Policy for ConnectVirginia EXCHANGE

Policy No: CE-6

Title: Consent

Version: 3 Effective Date: 12/9/14

Purpose Statement: ConnectVirginia is committed to providing individuals in the Commonwealth of Virginia with a meaningful choice about how their personal health information is used including whether that information should be available through ConnectVirginia EXCHANGE.

Policy/Procedure:

1. ConnectVirginia EXCHANGE will rely upon the ConnectVirginia EXCHANGE Nodes to provide their patients with meaningful choice about how their health information is shared.

2. For purposes of this policy, an individual is given a “meaningful choice” if his/her choice is:

a. Made with advance knowledge/time;

b. Not used for discriminatory purposes or as a condition for receiving medical treatment;

c. Made with full transparency and education;

d. Consistent with patient expectations; and

e. Revocable at any time.

Responsibility: ConnectVirginia, ConnectVirginia EXCHANGE Nodes and Node Users

ConnectVirginia Operational Policy for ConnectVirginia EXCHANGE

Policy No: CE-7

Title: Auditing and Monitoring

Version: 1 Effective Date: 9/18/12

Purpose Statement: Monitoring a ConnectVirginia EXCHANGE Node’s compliance with the ConnectVirginia EXCHANGE requirements, policies and procedures helps to promote trust. Each ConnectVirginia EXCHANGE Node is required to engage in self-monitoring and submit regular attestations of compliance to ConnectVirginia.

Policy/Procedure:

AUDITING AND MONITORING BY CONNECTVIRGINIA EXCHANGE NODES

1. On a monthly basis (or more frequently if desired by the Node), each ConnectVirginia EXCHANGE Node will produce an audit report showing use of ConnectVirginia EXCHANGE over the previous month by the ConnectVirginia EXCHANGE Node’s Users. The report must contain a summary of user-specific information for each ConnectVirginia EXCHANGE Node User who submits one or more queries through ConnectVirginia EXCHANGE, including which records were requested, when each request was submitted, and the Permitted Purpose that formed the basis of the request. The ConnectVirginia EXCHANGE Node will be responsible for reviewing these reports and determining whether there is any evidence of non-compliance with the ConnectVirginia EXCHANGE Trust Agreement or Operational Documents.

2. Annually, each ConnectVirginia EXCHANGE Node will be required to submit an Attestation of Compliance to ConnectVirginia in which the Node attests that (i) the Node has reviewed on at least a monthly basis ConnectVirginia EXCHANGE usage reports and did not find any evidence of non-compliance with the ConnectVirginia EXCHANGE Trust Agreement or Operational Documents and (ii) the Node and its Node Users have been and are in compliance with the ConnectVirginia EXCHANGE Trust Agreement and the ConnectVirginia EXCHANGE Policies and Procedures.

3. Each ConnectVirginia EXCHANGE Node is also responsible for instituting any other self-monitoring mechanisms that it believes necessary to allow it to provide the annual Attestation of Compliance.

4. Failure to provide the Attestation of Compliance will be deemed a material breach under the ConnectVirginia EXCHANGE Trust Agreement and may result in the ConnectVirginia EXCHANGE Node’s suspension from ConnectVirginia EXCHANGE.

5. If the ConnectVirginia EXCHANGE Node continues to fail to provide the Attestation of Compliance within thirty (30) days of receiving notice of such failure, then the Node’s participation in ConnectVirginia EXCHANGE may be terminated.

Responsibility: ConnectVirginia, ConnectVirginia EXCHANGE Nodes


ConnectVirginia Operational Policy for ConnectVirginia EXCHANGE

Policy No: CE-8

Title: Sensitive Data Version: 2 Effective Date: 12/9/14

Purpose Statement: The privacy and security of all health information is protected under both HIPAA and the Virginia Health Records Privacy Act. There are certain types of health information that are so sensitive that they are afforded additional protections under state and/or Federal law. These additional protections typically prevent the “sensitive” data from being disclosed without the individual’s written authorization. In some cases, the laws even prevent disclosure for treatment purposes (although they may have an exception that allows for disclosure in an emergency). This Policy defines “sensitive” data for purposes of ConnectVirginia EXCHANGE and sets forth the circumstances, if any, under which a ConnectVirginia EXCHANGE Node may send such “sensitive” data in response to a query.

Policy/Procedure:

PSYCHOTHERAPY NOTES

1. Definition: Psychotherapy notes are defined as “notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.”1

2. ConnectVirginia EXCHANGE Policy: Psychotherapy notes should never be included by a ConnectVirginia EXCHANGE Node in a response to any query. Since the definition of “psychotherapy notes” is very narrow, this exclusion does not apply to any other type of mental or behavioral health information.

HIV TEST RESULTS

1. Definition: HIV Test Results are defined as the “results of every test to determine [an individual’s] infection with [HIV].”2

2. ConnectVirginia EXCHANGE Policy: Each ConnectVirginia EXCHANGE Node (or its participant providers) is responsible for securing the consent of the individual or his/her personal representative per the Node’s local consent policy before exchanging the individual’s HIV Test Results through ConnectVirginia EXCHANGE. If the ConnectVirginia EXCHANGE Node obtains the consent of the individual or his/her personal representative, then the Node may include the individual’s HIV Test Results in response to a request. If the ConnectVirginia EXCHANGE Node does not secure this consent and the individual has HIV Test Results in his/her medical record, the Node must exclude these HIV Test Results from its responses to queries through ConnectVirginia EXCHANGE. A ConnectVirginia EXCHANGE Node may, however, include HIV Test Results in response to a query when the query is (i) based on a medical emergency or (ii) from SSA and accompanied by an authorization from the individual, or personal representative of the individual, who is the subject of the query.

1 45 C.F.R. § 164.501.

2 Va. Code Ann. § 32.1-36.1(A).

PART 2 SUBSTANCE ABUSE RECORDS

1. Definition: Part 2 Substance Abuse Records are defined as alcohol and drug abuse records that would identify an individual as an alcohol or drug abuser when those records are obtained, created or maintained by a federally assisted alcohol or drug abuse program for the purpose of treating alcohol or drug abuse, making a diagnosis for that treatment, or making a referral for that treatment.3

2. ConnectVirginia EXCHANGE Policy: A ConnectVirginia EXCHANGE Node may not include Part 2 Substance Abuse Records in a response to a query. A ConnectVirginia EXCHANGE Node may, however, include Part 2 Substance Abuse Records in response to a query when the query is (i) based on a medical emergency or (ii) from SSA and accompanied by an authorization from the individual, or personal representative of the individual, who is the subject of the query.

SPECIALLY PROTECTED RECORDS OF MINORS

1. Definition: Specially Protected Records of Minors are defined as those health care records of minors that relate to the following specific types of treatments or conditions for which the minor can consent:

a. venereal disease or any infectious or contagious disease that the State Board of Health requires to be reported;

b. birth control, pregnancy or family planning;

c. outpatient care for substance abuse; and

d. outpatient care for mental illness or emotional disturbance.4

2. ConnectVirginia EXCHANGE Policy: Each ConnectVirginia EXCHANGE Node (or its participant providers) is responsible for securing the consent of a minor per the Node’s local consent policy, before exchanging the minor’s Specially Protected Records through ConnectVirginia EXCHANGE. If the ConnectVirginia EXCHANGE Node obtains the consent of the minor, then the Node may include the minor’s Specially Protected Records in response to a request. If the ConnectVirginia EXCHANGE Node does not secure this consent and the minor has Specially Protected Records, the Node must exclude these Specially Protected Records from its responses to queries through ConnectVirginia EXCHANGE. A ConnectVirginia EXCHANGE Node may, however, include Specially Protected Records of Minors in response to a query when the query is based on a medical emergency.

3 42 C.F.R. Part 2.

4 Va. Code Ann. § 54.1-2969(E).
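The rules in this Policy can be checked mechanically at the point where a Node assembles a query response, so that a record is withheld by default and sent only when one of the stated conditions holds. The following is an added worked example (Python; it is not ConnectVirginia's code and is not part of the original policy) that applies the CE-8 decision tree to a constructed record set. The category names, the `consent_on_file` flag and the `QueryContext` fields are assumptions standing in for whatever a Node's record system and query envelope actually carry.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Category(Enum):
    """Record categories named in CE-8 (assumed labels, not a ConnectVirginia schema)."""
    GENERAL = auto()
    PSYCHOTHERAPY_NOTES = auto()          # 45 C.F.R. 164.501 definition
    HIV_TEST_RESULT = auto()              # Va. Code 32.1-36.1(A)
    PART2_SUBSTANCE_ABUSE = auto()        # 42 C.F.R. Part 2
    MINOR_SPECIALLY_PROTECTED = auto()    # Va. Code 54.1-2969(E) categories


@dataclass(frozen=True)
class Record:
    record_id: str
    category: Category
    consent_on_file: bool = False  # consent secured under the Node's local consent policy


@dataclass(frozen=True)
class QueryContext:
    emergency: bool = False              # query is based on a medical emergency
    requester_is_ssa: bool = False       # query comes from SSA
    authorization_on_file: bool = False  # individual's/representative's authorization accompanies it


def release_decision(record, ctx):
    """Apply the CE-8 rules to one record; returns (release, reason)."""
    cat = record.category
    if cat is Category.PSYCHOTHERAPY_NOTES:
        return False, "psychotherapy notes are never included"
    if cat is Category.GENERAL:
        return True, "not a CE-8 sensitive category"
    if ctx.emergency:
        # HIV results, Part 2 records and minors' records all have an emergency exception.
        return True, "medical emergency exception"
    ssa_with_auth = ctx.requester_is_ssa and ctx.authorization_on_file
    if cat is Category.HIV_TEST_RESULT:
        if ssa_with_auth:
            return True, "SSA query with authorization"
        if record.consent_on_file:
            return True, "consent on file"
        return False, "HIV test result without consent"
    if cat is Category.PART2_SUBSTANCE_ABUSE:
        # The policy text gives no consent route for Part 2 records, only the two exceptions.
        if ssa_with_auth:
            return True, "SSA query with authorization"
        return False, "Part 2 record outside emergency/SSA exceptions"
    if cat is Category.MINOR_SPECIALLY_PROTECTED:
        # No SSA exception is stated for minors' records; only consent or emergency.
        if record.consent_on_file:
            return True, "minor's consent on file"
        return False, "minor's specially protected record without consent"
    return False, "unrecognised category: default deny"


def filter_response(records, ctx):
    """Split a candidate response into what may be sent and what must be withheld."""
    released, withheld = [], []
    for r in records:
        ok, why = release_decision(r, ctx)
        (released if ok else withheld).append((r.record_id, why))
    return released, withheld


def released_ids(records, ctx):
    """Convenience view: just the record ids that may be sent."""
    return [rid for rid, _ in filter_response(records, ctx)[0]]


# Constructed sample record set for one patient (illustrative only).
SAMPLE_RECORDS = [
    Record("R1", Category.GENERAL),
    Record("R2", Category.PSYCHOTHERAPY_NOTES),
    Record("R3", Category.HIV_TEST_RESULT, consent_on_file=True),
    Record("R4", Category.HIV_TEST_RESULT),
    Record("R5", Category.PART2_SUBSTANCE_ABUSE),
    Record("R6", Category.MINOR_SPECIALLY_PROTECTED, consent_on_file=True),
    Record("R7", Category.MINOR_SPECIALLY_PROTECTED),
]

if __name__ == "__main__":
    scenarios = [
        ("routine", QueryContext()),
        ("emergency", QueryContext(emergency=True)),
        ("SSA with authorization", QueryContext(requester_is_ssa=True, authorization_on_file=True)),
    ]
    for name, ctx in scenarios:
        sent, held = filter_response(SAMPLE_RECORDS, ctx)
        print(name, "send:", [r for r, _ in sent], "withhold:", held)
```

Run stand-alone, it prints the send/withhold split for a routine query, an emergency query and an SSA query with authorization. Under the rules above, consent never unlocks a Part 2 record and nothing unlocks psychotherapy notes, so a failed or missing consent lookup must fall through to withholding rather than to sending; the example does this by treating every record as withheld unless a rule positively releases it.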


ConnectVirginia Operational Policy for ConnectVirginia EXCHANGE

Policy No: CE-9

Title: ConnectVirginia’s Use and Disclosure of PHI in ConnectVirginia EXCHANGE

Version: 2 Effective Date: 12/9/14

Purpose Statement: Pursuant to the ConnectVirginia EXCHANGE Trust Agreement, ConnectVirginia EXCHANGE Nodes are permitted to send PHI to other ConnectVirginia EXCHANGE Nodes for any of the Permitted Purposes outlined in the ConnectVirginia EXCHANGE Permitted Purposes Policy (CE-1). Pursuant to the Business Associate Agreement between ConnectVirginia and each ConnectVirginia Node, ConnectVirginia may also use and disclose PHI, as needed, for its proper management and administration and to fulfill any other obligations described in the ConnectVirginia EXCHANGE Trust Agreement.

Policy/Procedure:

1. ConnectVirginia may only use information provided by a ConnectVirginia EXCHANGE Node, as needed, to perform certain proper management and administrative functions and fulfill its obligations under the ConnectVirginia EXCHANGE Trust Agreement.

2. Each ConnectVirginia EXCHANGE Node is responsible for making sure that all information it sends as a ConnectVirginia EXCHANGE Node complies with Applicable Law. This includes obtaining any consents or authorizations required by Applicable Law prior to sending such information.

3. ConnectVirginia does not maintain a copy of any Message Content following delivery to the requesting ConnectVirginia EXCHANGE Node.

Responsibility: ConnectVirginia; ConnectVirginia EXCHANGE Nodes


ConnectVirginia Operational Policy for ConnectVirginia EXCHANGE

Policy No: CE-10

Title: Agreements with ConnectVirginia EXCHANGE Nodes

Version: 2 Effective Date: 12/9/14

Purpose Statement: Each ConnectVirginia EXCHANGE Node must agree to be legally obligated to protect the privacy, security and integrity of the information exchanged through ConnectVirginia EXCHANGE. Furthermore, ConnectVirginia must agree to be legally obligated to fulfill its responsibilities as a Business Associate of each ConnectVirginia EXCHANGE Node. Each party’s legal obligations are set forth in the ConnectVirginia EXCHANGE Trust Agreement and Business Associate Addendum.

Policy/Procedure:

1. All organizations that act as ConnectVirginia EXCHANGE Nodes must agree to the ConnectVirginia EXCHANGE Trust Agreement before the organization is approved as a ConnectVirginia EXCHANGE Node.

2. Each ConnectVirginia EXCHANGE Node must also enter into a Business Associate Agreement with ConnectVirginia where the ConnectVirginia EXCHANGE Node is the Covered Entity and ConnectVirginia is the Business Associate. The Business Associate Agreement is an addendum to the ConnectVirginia EXCHANGE Trust Agreement.

Responsibility: ConnectVirginia; ConnectVirginia EXCHANGE Nodes


ConnectVirginia Operational Policy for ConnectVirginia EXCHANGE

Policy No: CE-11

Title: ConnectVirginia EXCHANGE Fees Version: 2 Effective Date: 12/9/14

Purpose Statement: As part of its financial sustainability plan, ConnectVirginia will charge each ConnectVirginia EXCHANGE Node a fee to access and use ConnectVirginia EXCHANGE. It is important that all ConnectVirginia EXCHANGE Nodes understand the fees associated with participation in ConnectVirginia EXCHANGE since payment of these fees will be a condition of participation.

Policy/Procedure:

1. The Board of Directors will determine the fees for participation in ConnectVirginia EXCHANGE. These fees may include an application fee, a certification fee and an annual participation fee. All fees associated with ConnectVirginia EXCHANGE will be simple to administer, calculated according to a value-based model and designed to encourage use of ConnectVirginia EXCHANGE.

2. As of December 2014, the Governing Body has yet to approve a final fee schedule for participation in ConnectVirginia EXCHANGE. The Governing Body wants to ensure that it has sufficient time to fully vet all issues associated with ConnectVirginia EXCHANGE fees in the context of the overarching ConnectVirginia sustainability plan.

3. Until such time as a finalized fee schedule is available, there will be separate ConnectVirginia EXCHANGE fees for those Customers who are participating in the Bridge Funding MOU. For example, the Health System MOU contribution is $75 per staffed bed annually.

Responsibility: ConnectVirginia; ConnectVirginia EXCHANGE Nodes


ConnectVirginia Operational Policies and Procedures for

ConnectVirginia Portals


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-1

Title: ConnectVirginia Portal User Information Confidentiality

Version: 1 Effective Date: 12/9/14

Purpose Statement: ConnectVirginia will protect the confidentiality of all Portal User Information.

Policy/Procedure:

1. ConnectVirginia will not use or share Portal User Information with any person except as set forth in this Policy.

2. ConnectVirginia may access all Portal User Information submitted to ConnectVirginia and allow third parties who are performing services for ConnectVirginia to use this information for the benefit of ConnectVirginia.

3. Portal Users may only access their personal Portal User Information or that of their CVEAM Delegates. They may not access another Portal User’s Information (except for that of their CVEAM Delegates). ConnectVirginia does not maintain a list of user passwords after their initial set-up.

Responsibility: ConnectVirginia, Portal Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-2

Title: Agreements with ConnectVirginia Portal Participants and Users

Version: 1 Effective Date: 12/9/14

Purpose Statement: Each Portal Participant and User must agree to be legally obligated to protect the privacy, security and integrity of the information exchanged through the ConnectVirginia Portals. Furthermore, ConnectVirginia must agree to be legally obligated to fulfill its responsibilities as a Business Associate of each Portal Participant or User. Each party’s legal obligations are set forth in the ConnectVirginia Portal Master Service Agreement, the STREAMLINE Portal End User License Agreement, the CVEAM End User License Agreement, and the Business Associate Addendum.

Policy/Procedure:

1. All organizations that want their employees and contractors to have access to one or more of the ConnectVirginia Portals must sign the ConnectVirginia Portal Master Service Agreement and enroll as a Portal Participant in accordance with the ConnectVirginia Portal Participant Enrollment Policy (PORT-3).

2. Each Portal Participant, if it is a Covered Entity or Business Associate of a Covered Entity, must also enter into a Business Associate Agreement with ConnectVirginia where the Participant is the Covered Entity and ConnectVirginia is the Business Associate. The Business Associate Agreement is an attachment to the ConnectVirginia Portal Master Service Agreement.

3. All individuals who act as Portal Users must agree to the applicable Portal End User License Agreement(s) before the individual can access or use the Portal(s).

Responsibility: ConnectVirginia; Portal Participants and Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-3

Title: ConnectVirginia Portal Participant Enrollment

Version: 1 Effective Date: 12/9/14

Purpose Statement: To protect the confidentiality, integrity, and availability of ePHI exchanged through the ConnectVirginia Portals, ConnectVirginia has implemented a strict enrollment process to ensure that only those individuals and organizations that meet the eligibility criteria have access to the ConnectVirginia Portals.

Policy/Procedure:

1. Each organization that wants its employees and contractors to participate in one or more of the ConnectVirginia Portals will be responsible for completing the enrollment process.

2. To enroll, the organization must complete and submit the ConnectVirginia Portal Enrollment Form, which is available on the ConnectVirginia website.

a. The Enrollment Form will require an individual who is authorized to act on behalf of the organization to attest to the following:

i. the organization is either (i) a valid legal entity in good standing in the Commonwealth of Virginia or (ii) a local, state or Federal government agency;

ii. the organization has a reason to send and receive PHI or other information related to the provision of health care;

iii. the organization employs at least one health care provider who is licensed, certified or registered by the Virginia Department of Health Professions and holds a license, certificate or registration that is in good standing; and

iv. all information provided in the Enrollment Form is true, accurate and complete.

b. Organizations requesting access to the CVEAM Portal must also attest that they provide treatment and/or care coordination services to individuals in the Commonwealth of Virginia.

c. Organizations requesting access to the STREAMLINE Portal must also attest that they engage in treatment, payment and healthcare operations related to individuals in the Commonwealth of Virginia.

d. In the Enrollment Form, the enrollee will be required to identify a central point of contact for all correspondence between ConnectVirginia and the organization (the “POC”).

e. In the Enrollment Form, the enrollee will also be required to provide the following:


i. The services that the enrollee would like access to through the ConnectVirginia Portals (i.e. Patient Search through the STREAMLINE Portal and/or Encounter Alerts through the CVEAM Portal);

ii. A list of individuals who are employed or engaged by the enrollee who will be provided with access to each Portal;

iii. The role(s) to be assigned to each individual (refer to the ConnectVirginia Portal User Roles policy (PORT-4) for more information on the types of roles);

iv. Up to two individuals who will serve as CVEAM Delegates for the organization’s CVEAM account. (This is only applicable if the enrollee is requesting access to the CVEAM Portal.)

f. When identifying CVEAM Delegates, the individual submitting the Enrollment Form must attest that:

i. Each CVEAM Delegate is under the direction and control of the respective CVEAM Site Administrator;

ii. Each CVEAM Delegate is to be provided with access to their respective CVEAM Site Administrator’s CVEAM account; and

iii. The enrollee has provided true and accurate contact information for the CVEAM Delegate(s).

3. A separate enrollment form must be submitted for each CVEAM account desired under a single Portal Participant account.

4. The enrollment form must be notarized, scanned and submitted to ConnectVirginia at [email protected] or submitted via US Mail to ConnectVirginia Enrollment, 4900 Cox Rd, Suite 245, Glen Allen, Virginia 23060.

5. The enrollment form must be accompanied by a copy of the ConnectVirginia Portal Master Service Agreement signed by an authorized representative of the enrollee.

6. The POC is responsible for maintaining accurate enrollment information and notifying ConnectVirginia of changes to such information so long as the organization remains a Portal Participant. This includes notifying ConnectVirginia of changes to the organization’s POC and Portal Users in accordance with the processes established by ConnectVirginia.

7. The organization must also send to ConnectVirginia at 4900 Cox Rd, Suite 245, Glen Allen, Virginia 23060 a check made out to ConnectVirginia for the applicable annual fee.

8. Once the organization submits all required enrollment information to ConnectVirginia, if the organization is a legal entity, ConnectVirginia will verify with the Virginia State Corporation Commission that the organization is active in Virginia. Such verification is not required if the organization is a local or state government agency.

9. Once ConnectVirginia completes any required verification, ConnectVirginia will activate the organization’s Users’ Portal accounts. ConnectVirginia will notify the POC once these accounts have been activated.

10. Each of the Portal Participant’s Users will be assigned a unique username and temporary password to activate the Portal User’s access to the ConnectVirginia Portal(s). The first time each Portal User signs-on to a ConnectVirginia Portal, he/she will be required to accept the applicable Portal End User License Agreement. Once the Portal User accepts the Portal End User License Agreement, he/she will change his or her password in accordance with the Password Management Policy (HS-11).

Responsibility: ConnectVirginia; Portal Participants and Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-4

Title: ConnectVirginia Portal User Roles

Version: 1 Effective Date: 12/9/14

Purpose Statement: The ConnectVirginia Portals will employ role based access controls to ensure that Portal Users have access to the minimum amount of information necessary for them to perform their job functions and effectively use the ConnectVirginia Portals.

Policy/Procedure:

1. Each Portal Participant must assign each of its Portal Users a role.

2. The Portal User’s role must be included in any message sent by the Portal User through a ConnectVirginia Portal including, but not limited to, queries.

3. Portal Users may be assigned more than one role.

4. The Portal Roles are set forth below along with the associated access rights:

a. Portal Participant Point of Contact (POC): An individual employed or contracted by a ConnectVirginia Portal Participant who has been identified as the primary point of contact between ConnectVirginia and that Portal Participant.

b. CVEAM Site Administrator: An individual employed or contracted by a CVEAM Portal Participant who is primarily responsible for the management of a single CVEAM account. This individual is responsible for submitting patient subscription lists for their assigned CVEAM account according to the Use of the CVEAM Policy (PORT-14).

c. CVEAM Delegates: An individual under the direct control of their associated CVEAM Participant. These Users have access to their associated CVEAM Site Administrator’s CVEAM account through the CVEAM Portal and are authorized to receive Encounter Alert Reports on behalf of their associated CVEAM Site Administrator. They will not be given a CVEAM account of their own in the CVEAM Portal. They are not authorized to submit patient subscription lists on behalf of their associated CVEAM Site Administrator.

d. Patient Search Physician: An individual who is licensed as a physician, employed or contracted by a STREAMLINE Portal Participant, and authorized by such STREAMLINE Portal Participant to submit queries and receive information through the Patient Search service of the STREAMLINE Portal.

e. Patient Search Nurse: An individual who is licensed, registered or certified as a nurse, employed or contracted by a STREAMLINE Portal Participant, and authorized by such STREAMLINE Portal Participant to submit queries and receive information through the Patient Search service of the STREAMLINE Portal.

f. Patient Search Administrative: An individual who is employed or contracted by a STREAMLINE Portal Participant and who is authorized by that STREAMLINE Portal Participant to submit queries and receive information through the Patient Search service of the STREAMLINE Portal. Individuals assigned this role should not be physicians or nurses.

Responsibility: ConnectVirginia; Portal Participants and Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-5

Title: ConnectVirginia’s Use and Disclosure of PHI in ConnectVirginia Portals

Version: 1 Effective Date: 12/9/14

Purpose Statement: Pursuant to the ConnectVirginia Portal Master Service Agreement and Portal End User License Agreements, Portal Users may only use the Portal to exchange information for certain defined purposes.

When using the CVEAM Portal, Users are only permitted to send their patient subscription lists to ConnectVirginia (see Use of the CVEAM Portal Policy (PORT-14) for more information).

When using the Patient Search service in the STREAMLINE Portal, Users are permitted to request information about individuals with whom they have a relationship for the purposes of engaging in treatment, payment or healthcare operations related to the individual who is the subject of the request.

Pursuant to its Business Associate Agreements, ConnectVirginia may also use and disclose PHI, as needed, for its proper management and administration and to fulfill any other obligations described in the ConnectVirginia Portal Master Service Agreement or Portal End User License Agreements.

Policy/Procedure:

1. ConnectVirginia may only use information provided by a Portal User, as needed, to perform certain proper management and administrative functions and fulfill its obligations under the ConnectVirginia Portal Master Service Agreement or Portal End User License Agreements. This includes, but is not limited to, auditing and monitoring use of the ConnectVirginia Portals as described in the ConnectVirginia Portal Auditing, Monitoring and Attestations of Compliance Policy (PORT-6).

2. Each Portal User is responsible for making sure that all information he requests or sends through the ConnectVirginia Portals complies with Applicable Law. This includes obtaining any consents or authorizations required by Applicable Law prior to sending such information.

Responsibility: ConnectVirginia; Portal Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-6

Title: ConnectVirginia Portal Auditing, Monitoring and Attestations of Compliance

Version: 1 Effective Date: 12/9/14

Purpose Statement: In accordance with the Information System Activity Review Policy (HS-2), ConnectVirginia will implement auditing and monitoring mechanisms to record and examine the activity of Portal Users in the ConnectVirginia Portals to enable ConnectVirginia and Portal Participants to detect potentially problematic activity.

Policy/Procedure:

AUDIT REPORT CONTENT

1. ConnectVirginia will create monthly audit reports that capture Portal User-level data associated with at least the following activities:

a. Portal User sign-ons to each ConnectVirginia Portal;

b. Messages sent by a CVEAM Portal User using CVEAM;

c. Requests made by a STREAMLINE Portal User using the Patient Search functionality of the STREAMLINE Portal; and

d. Failed authentication attempts, once five (5) unsuccessful attempts to log in to a ConnectVirginia Portal have been made.

2. The monthly audit reports may generate the following information for each activity logged:

a. Date and time of activity;

b. Descriptions of each attempted or completed activity;

c. Identification of the Portal User performing the activity; and/or

d. Origin of the activity, such as the IP address or workstation identification number.
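A Node's monthly usage report under CE-7 and ConnectVirginia's monthly Portal audit report under PORT-6 are both per-user activity summaries built from the same four detail fields (when, what, who, origin). The following is an added worked example (Python; it is not ConnectVirginia's code and is not part of the original policy) that builds such a report from a constructed sample log. The key=value log format, the event names (signon, cveam_message, patient_search) and the field names are assumptions, since the manual does not describe the Portal log format. The five-attempt threshold is taken from item 1(d) above, read here as reporting every failed attempt once a user's consecutive failures reach five, with a successful sign-on resetting the count.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample Portal activity log (illustrative only; the real Portal log
# format is not described in the manual). One event per line, key=value fields.
SAMPLE_LOG = """\
2014-11-30T23:59:59Z portal=CVEAM user=asmith event=signon result=success ip=10.20.0.9
2014-12-01T08:02:11Z portal=STREAMLINE user=jdoe event=signon result=success ip=10.20.0.5
2014-12-01T08:05:40Z portal=STREAMLINE user=jdoe event=patient_search result=success ip=10.20.0.5 desc="patient MRN-0001 purpose=treatment"
2014-12-02T19:11:02Z portal=STREAMLINE user=mallory event=signon result=failure ip=198.51.100.7
2014-12-02T19:11:09Z portal=STREAMLINE user=mallory event=signon result=failure ip=198.51.100.7
2014-12-02T19:11:15Z portal=STREAMLINE user=mallory event=signon result=failure ip=198.51.100.7
2014-12-02T19:11:21Z portal=STREAMLINE user=mallory event=signon result=failure ip=198.51.100.7
2014-12-02T19:11:28Z portal=STREAMLINE user=mallory event=signon result=failure ip=198.51.100.7
2014-12-02T19:11:35Z portal=STREAMLINE user=mallory event=signon result=failure ip=198.51.100.7
2014-12-03T09:30:00Z portal=CVEAM user=asmith event=signon result=success ip=10.20.0.9
2014-12-03T09:31:12Z portal=CVEAM user=asmith event=cveam_message result=success ip=10.20.0.9 desc="subscription list upload, 212 patients"
2014-12-04T07:00:00Z portal=STREAMLINE user=jdoe event=signon result=failure ip=10.20.0.5
2014-12-04T07:00:30Z portal=STREAMLINE user=jdoe event=signon result=success ip=10.20.0.5
"""

FAILED_AUTH_THRESHOLD = 5  # PORT-6 item 1(d): report failures once a user reaches five

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"
REQUIRED_FIELDS = ("portal", "user", "event", "result")


def parse_line(line):
    """Parse one key=value log line into a dict; returns None for blank or garbled lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = {"ts": ts}
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        fields[key] = quoted if quoted else bare
    return fields


def event_detail(e):
    """The per-activity fields PORT-6 item 2 lists: when, what, who, origin."""
    return {
        "when": e["ts"].isoformat(),
        "what": e.get("desc") or f'{e["event"]} {e["result"]}',
        "who": e["user"],
        "origin": e.get("ip", "unknown"),
    }


def build_monthly_report(log_text, year, month, threshold=FAILED_AUTH_THRESHOLD):
    """Summarise one calendar month of Portal activity per (portal, user).

    Consecutive failed sign-ons are tracked across the whole log, so a streak that
    began in the previous month still counts toward the threshold.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    report = defaultdict(lambda: {
        "signons": 0, "messages": 0, "searches": 0,
        "failed_auth": 0, "flagged_failures": [], "requests": [],
    })
    streak = defaultdict(int)  # consecutive failed sign-ons per (portal, user)
    for e in events:
        if not all(k in e for k in REQUIRED_FIELDS):
            continue  # malformed line: skip rather than mis-attribute activity
        key = (e["portal"], e["user"])
        failed_signon = e["event"] == "signon" and e["result"] != "success"
        if e["event"] == "signon":
            streak[key] = streak[key] + 1 if failed_signon else 0
        if (e["ts"].year, e["ts"].month) != (year, month):
            continue  # outside the reporting month
        row = report[key]
        if e["event"] == "signon" and not failed_signon:
            row["signons"] += 1
        elif failed_signon:
            row["failed_auth"] += 1
            if streak[key] >= threshold:
                row["flagged_failures"].append(event_detail(e))
        elif e["event"] == "cveam_message":
            row["messages"] += 1
        elif e["event"] == "patient_search":
            row["searches"] += 1
            row["requests"].append(event_detail(e))  # record, time and purpose (the CE-7 fields)
    return dict(report)


def users_needing_review(report):
    """(portal, user) pairs whose failed sign-ons crossed the threshold this month."""
    return sorted(k for k, row in report.items() if row["flagged_failures"])


if __name__ == "__main__":
    rep = build_monthly_report(SAMPLE_LOG, 2014, 12)
    for (portal, user), row in sorted(rep.items()):
        print(portal, user, {k: v for k, v in row.items() if not isinstance(v, list)})
    print("review:", users_needing_review(rep))
```

Events outside the reporting month are not counted but still feed the failure streak, so a lockout pattern that straddles a month boundary is not lost; malformed lines are skipped rather than guessed at. The per-request detail list kept for Patient Search queries carries the record and Permitted Purpose text a CE-7 Node report needs, provided the log records them.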

PARTICIPANT AUDIT REPORT REVIEW

1. On a periodic basis, ConnectVirginia may choose to provide each Portal Participant with an audit report, which provides a summary of user-specific information for the Users in its organization.

2. The Portal Participant will identify and provide to ConnectVirginia the names of, and contact information for, the individuals who will review audit reports.

3. The individuals identified by the Portal Participant will review the audit report within two weeks of receipt.

4. If the individual uncovers any indications of improper use of a ConnectVirginia Portal, he or she will follow the Breach and Security Incident Response Procedures for Portal Participants and Users Policy (PORT-13).

5. Annually, each Portal Participant will be required to submit an Attestation of Compliance to ConnectVirginia in which the Participant attests that, (i) within two weeks of receiving each audit report, the Participant reviewed the audit report; (ii) when reviewing the monthly audit reports, the Participant did not find any evidence of non-compliance with the ConnectVirginia Portal Master Service Agreement, applicable Portal End User License Agreement(s) or ConnectVirginia Policies and Procedures; (iii) the Participant has been and is in compliance with the ConnectVirginia Portal Master Service Agreement and ConnectVirginia Policies and Procedures; and (iv) each Portal User has been and is in compliance with the ConnectVirginia Portal Master Service Agreement, applicable Portal End User License Agreement(s) and ConnectVirginia Policies and Procedures.

6. Failure to provide the Attestation of Compliance will be deemed a material breach under the ConnectVirginia Portal Master Service Agreement and may result in Participant’s suspension from access to the ConnectVirginia Portal(s).

7. If the Participant continues to fail to provide the Attestation of Compliance within ten (10) days of receiving notice of such failure, then Participant’s access to the ConnectVirginia Portal(s) may be terminated.

PORTAL PARTICIPANT AND USER REQUESTS FOR AUDIT REPORTS

1. If a Portal Participant desires any other type of audit report, the Participant’s POC will submit a request to ConnectVirginia with a brief explanation of the reason for the request.

2. If a Portal User desires an audit report of his/her activity, or the activity of his/her CVEAM Delegate(s), within the ConnectVirginia Portal(s), he/she will submit a request to ConnectVirginia with a brief explanation of the reason for the request.

3. Within one week of receiving the request from the Portal Participant or User, ConnectVirginia will decide whether to accept or deny the request and transmit such decision to the requestor.

4. If ConnectVirginia denies a request, ConnectVirginia will provide a brief explanation of the denial.

5. If ConnectVirginia accepts the request, ConnectVirginia will provide the Portal Participant or User with the requested report as soon as feasible.

Responsibility: ConnectVirginia, Portal Participants and Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-7

Title: ConnectVirginia Portal Participant Suspension Version: 1 Effective Date: 12/9/14

Purpose Statement: The ConnectVirginia Portal Master Service Agreement allows ConnectVirginia or Participants to suspend a Participant’s access to the ConnectVirginia Portals. This policy sets forth the process by which such suspensions may occur.

Policy/Procedure:

VOLUNTARY SUSPENSION BY A PORTAL PARTICIPANT

1. A Portal Participant may suspend its own right to access a ConnectVirginia Portal(s) by notifying the ConnectVirginia Help Desk of such suspension. If a Portal Participant suspends its own right to access a ConnectVirginia Portal(s), the access rights of its Portal Users will also be suspended.

2. When notifying ConnectVirginia of a suspension, the Portal Participant should specify the reason for, the commencement date of, and the duration of the voluntary suspension.

3. At the conclusion of the Portal Participant’s voluntary suspension, the Portal Participant will notify the ConnectVirginia Help Desk that the Portal Participant no longer requires a voluntary suspension and is ready to resume accessing and using the ConnectVirginia Portal(s). Once the Portal Participant has notified the ConnectVirginia Help Desk, the Portal Participant and the Participant’s Users may begin accessing and using the ConnectVirginia Portal(s).

4. The ConnectVirginia Help Desk will keep a log of all voluntary suspensions including the Portal Participant name, the dates of the voluntary suspension and the reason for the voluntary suspension.

SUSPENSION BY CONNECTVIRGINIA

1. ConnectVirginia may suspend a Portal Participant’s ability to use a ConnectVirginia Portal(s) to the extent necessary to address the threat posed by the Portal Participant if ConnectVirginia determines any of the following:

a. A Portal Participant fails to meet the eligibility criteria set forth in the ConnectVirginia Portal Participant Enrollment Policy (PORT-3);

b. A Portal Participant’s acts or omissions materially breached the ConnectVirginia Portal Master Service Agreement;

c. A Portal Participant failed to comply with the applicable ConnectVirginia Policies and Procedures;


d. A Portal Participant failed to comply with applicable laws governing the protection of health information;

e. A Portal Participant engaged in conduct that is detrimental to the interests of ConnectVirginia;

f. A Portal Participant provided inaccurate information to ConnectVirginia on a material matter;

g. A Portal Participant failed to comply with a reasonable written directive of ConnectVirginia; or

h. A Portal Participant failed to pay the applicable membership fee within forty-five days of the date of the invoice.

2. Upon suspension, ConnectVirginia will provide to the Portal Participant a written summary of the reasons for the suspension.

3. The Portal Participant will use its best efforts to respond to the suspension notice with a detailed plan of correction or an objection to the suspension within five business days or at the earliest practicable time.

4. If the Portal Participant submits a plan of correction, ConnectVirginia shall review and either accept or reject the plan of correction within five business days of receipt.

5. If the plan of correction is accepted, ConnectVirginia shall reinstate the Portal Participant’s ability to use the ConnectVirginia Network upon successful completion of the plan of correction.

6. If the plan of correction is rejected, the Portal Participant’s suspension will continue, during which time ConnectVirginia and the Portal Participant will work in good faith to develop a plan of correction that is acceptable to both the Portal Participant and ConnectVirginia.

7. During the period of the Portal Participant’s suspension, all Participant Users’ access to the ConnectVirginia Portal(s) will also be suspended.

Responsibility: ConnectVirginia; Executive Director; Portal Participants


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-8

Title: ConnectVirginia Portal User Suspension and Termination Version: 1 Effective Date: 12/9/14

Purpose Statement: ConnectVirginia will suspend or terminate a Portal User’s access to the ConnectVirginia Portals for the reasons set forth in the Portal End User License Agreements.

Policy/Procedure:

SUSPENSION PROCEDURES FOR PORTAL USERS

1. ConnectVirginia can suspend a Portal User under the circumstances set forth in the Portal End User License Agreements.

2. To suspend a Portal User, ConnectVirginia will de-activate the username and password that the User uses to access the ConnectVirginia Portal(s).

3. ConnectVirginia will provide notice of the suspension to a suspended Portal User and their sponsoring Portal Participant as soon as possible. Such notice will contain an explanation of the reason(s) that the User was suspended. If the suspension is of a CVEAM Delegate, ConnectVirginia will also provide notice of such suspension to such Delegate’s CVEAM Site Administrator.

4. The Portal User will have ten (10) business days in which to respond to the notice of suspension by providing ConnectVirginia with a plan of correction to address the reason(s) for the suspension. If the suspended User is a CVEAM Delegate, then the Delegate’s CVEAM Site Administrator must acknowledge and participate in the plan of correction.

a. If the Portal User fails to provide ConnectVirginia with a plan of correction, ConnectVirginia will terminate the User.

b. If the Portal User provides ConnectVirginia with a plan of correction, ConnectVirginia will have ten (10) business days in which to notify the User whether the plan of correction is acceptable. If the plan of correction is not acceptable, then ConnectVirginia will inform the User of the defects in the plan.

5. If, in ConnectVirginia’s opinion, the reason(s) leading to the suspension of the Portal User is addressed, ConnectVirginia will re-activate the username of the User and issue such User a new, temporary password. The User will then use the temporary password to access the ConnectVirginia Portal(s) and change his password in accordance with the Password Management Policy (HS-11).

TERMINATION PROCEDURES FOR CONNECTVIRGINIA PORTAL USERS

1. ConnectVirginia can terminate a Portal User under the circumstances set forth in the Portal End User License Agreements.

a. To terminate a Portal User, ConnectVirginia will de-activate the username and password that the Portal User uses to access the ConnectVirginia Portal(s).

2. ConnectVirginia will provide notice of termination to a terminated Portal User and their sponsoring Portal Participant as soon as possible. If the termination is of a CVEAM Delegate, ConnectVirginia will also provide notice of such termination to such Delegate’s CVEAM Site Administrator.

Responsibility: ConnectVirginia; Portal Participants and Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-9

Title: ConnectVirginia Portal Log-in and Log-off Version: 1 Effective Date: 12/9/14

Purpose Statement: To regularly track the identification and authentication of those accessing the ConnectVirginia Portals, ConnectVirginia will monitor log-in attempts to the ConnectVirginia Portals. ConnectVirginia will also enhance the security of the ConnectVirginia Portals by automatically logging-off inactive Portal Users from the ConnectVirginia Portals.

Policy/Procedure:

UNIQUE USER IDS

1. ConnectVirginia will control access to the ConnectVirginia Portals by assigning each Portal User who is granted access to the ConnectVirginia Portals a unique user ID that:

a. Identifies the individual; and

b. Permits activities performed on the ConnectVirginia Portals to be traced to the individual.

2. User IDs may consist of, but are not limited to:

a. Portal User’s name

b. An identification number

c. Biometric identification

LOG-IN PROCEDURES

1. A Portal User may only access a ConnectVirginia Portal after successfully entering his/her username and password. This process allows ConnectVirginia to verify the identity of the Portal User.

2. After five consecutive, unsuccessful attempts to log-on to a ConnectVirginia Portal, the Portal User’s password will be disabled. All such events will be logged as part of the monthly audit report pursuant to the ConnectVirginia Portal Auditing, Monitoring and Attestations of Compliance Policy (PORT-6).

3. If a Portal User’s password is disabled due to unsuccessful log-on attempts, the Portal User should contact the Help Desk.

4. The Help Desk will verify the Portal User’s identity and determine whether the Portal User’s access to the ConnectVirginia Portal(s) was disabled because of five consecutive, unsuccessful attempts to log-on or by ConnectVirginia for another reason.

5. After verifying the Portal User’s identity and that such User’s access was disabled because of unsuccessful log-on attempts, the Help Desk will issue the Portal User a new, temporary password. The Portal User will then use the temporary password to log-on to the ConnectVirginia Portal(s) and re-set his or her own individual password in accordance with the Password Management Policy (HS-11).

AUTOMATIC LOG-OFF

1. A Portal User will be automatically logged-off of a ConnectVirginia Portal after 30 minutes of inactivity.

2. To activate a new session, a Portal User will have to log-on to the ConnectVirginia Portal(s) using his or her username and password.
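The log-in and automatic log-off rules above (unique user IDs, a disabled password after five consecutive failed attempts, every such event written to the audit trail, Help Desk re-enablement with a temporary password, and log-off after 30 minutes of inactivity) are shown below as one small authentication state machine. This is an added illustration written for this page, not ConnectVirginia's portal code; the `Portal` type, its method names, the event labels in the audit log and the injectable clock are all assumptions made for the example. Two details matter for a reviewer: the failure counter is reset only by a successful log-in, so the rule is really "five consecutive failures", and a disabled account rejects even the correct password until the Help Desk resets it.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"time"
)

const (
	MaxFailedAttempts = 5                // PORT-9: disable the password after five consecutive failures
	InactivityTimeout = 30 * time.Minute // PORT-9: automatic log-off after 30 minutes of inactivity
)

// AuditEvent is one line destined for the monthly audit report (PORT-6).
type AuditEvent struct {
	When   time.Time
	UserID string
	Event  string
}

type account struct {
	password     string // plaintext only to keep the example short; a real portal stores a salted hash
	failures     int    // consecutive failed attempts; reset to zero by a successful log-in
	disabled     bool   // true once the password has been disabled
	mustChange   bool   // true while the user holds a temporary password (PORT-10)
	lastActivity time.Time
	loggedIn     bool
}

// Portal is a hypothetical in-memory stand-in for the portal's authentication state.
type Portal struct {
	accounts map[string]*account
	Audit    []AuditEvent
	Now      func() time.Time // injectable clock so inactivity can be simulated offline
}

func NewPortal() *Portal { return &Portal{accounts: map[string]*account{}, Now: time.Now} }

// AddUser registers a unique user ID with the initial temporary password.
func (p *Portal) AddUser(id, tempPassword string) {
	p.accounts[id] = &account{password: tempPassword, mustChange: true}
}

func (p *Portal) log(id, event string) {
	p.Audit = append(p.Audit, AuditEvent{When: p.Now(), UserID: id, Event: event})
}

// Login returns true on success; every outcome is logged under the user ID so it can be traced.
func (p *Portal) Login(id, password string) bool {
	a, ok := p.accounts[id]
	if !ok {
		p.log(id, "login_failed_unknown_user")
		return false
	}
	if a.disabled {
		p.log(id, "login_rejected_disabled") // even a correct password is refused until reset
		return false
	}
	if subtle.ConstantTimeCompare([]byte(a.password), []byte(password)) != 1 {
		a.failures++
		p.log(id, "login_failed_bad_password")
		if a.failures >= MaxFailedAttempts {
			a.disabled = true
			p.log(id, "password_disabled_after_consecutive_failures")
		}
		return false
	}
	a.failures, a.loggedIn, a.lastActivity = 0, true, p.Now()
	p.log(id, "login_succeeded")
	return true
}

// Touch records activity on an open session. It returns false when the session has
// ended for inactivity; the user must log in again to start a new session.
func (p *Portal) Touch(id string) bool {
	a, ok := p.accounts[id]
	if !ok || !a.loggedIn {
		return false
	}
	if p.Now().Sub(a.lastActivity) >= InactivityTimeout {
		a.loggedIn = false
		p.log(id, "auto_logoff_inactivity")
		return false
	}
	a.lastActivity = p.Now()
	return true
}

// HelpDeskReset models step 5: after identity verification and confirmation that the
// lockout came from failed attempts (not another reason), the Help Desk re-enables the
// account and issues a temporary password that must be changed at next log-in.
func (p *Portal) HelpDeskReset(id, tempPassword string) error {
	a, ok := p.accounts[id]
	if !ok {
		return fmt.Errorf("unknown user %q", id)
	}
	a.disabled, a.failures, a.password, a.mustChange = false, 0, tempPassword, true
	p.log(id, "password_reset_by_help_desk")
	return nil
}

func (p *Portal) IsDisabled(id string) bool { return p.accounts[id] != nil && p.accounts[id].disabled }
func (p *Portal) IsLoggedIn(id string) bool { return p.accounts[id] != nil && p.accounts[id].loggedIn }

// Count returns how many audit lines carry the given event label.
func (p *Portal) Count(event string) (n int) {
	for _, e := range p.Audit {
		if e.Event == event {
			n++
		}
	}
	return n
}

func main() {
	p := NewPortal()
	p.AddUser("jdoe", "Temp-Pass-1") // constructed sample user
	for i := 0; i < MaxFailedAttempts; i++ {
		p.Login("jdoe", "wrong")
	}
	fmt.Println("disabled after five failures:", p.IsDisabled("jdoe"))
	for _, e := range p.Audit {
		fmt.Printf("%s %s %s\n", e.When.Format(time.RFC3339), e.UserID, e.Event)
	}
}
```

The audit slice is what the monthly report in PORT-6 would be built from; in a real deployment the same events would go to an append-only log rather than process memory.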

Responsibility: Security Officer; Portal Users; Help Desk


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-10

Title: ConnectVirginia Portal Password Management Version: 1 Effective Date: 12/9/14

Purpose Statement: To prevent unauthorized access to and use of the ConnectVirginia Portals, ConnectVirginia requires Portal Users to take appropriate measures to select and secure passwords that allow such access to the ConnectVirginia Portals.

Policy/Procedure:

1. All Portal Users will be given a username and password that allows them to access the ConnectVirginia Portals.

2. When a Portal User or Workforce Member logs-on to a ConnectVirginia Portal for the first time, he/she will be prompted to change the initial, temporary password provided to him/her by ConnectVirginia.

3. All passwords must comply with the Password Management Policy (HS-11).

Responsibility: Portal Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-11

Title: ConnectVirginia Portal Help Desk Version: 1 Effective Date: 12/9/14

Purpose Statement: The ConnectVirginia Help Desk is one point of contact that provides technology support for Portal Participants and Users using the ConnectVirginia Portals. The ConnectVirginia Help Desk’s priority is to ensure that access to the ConnectVirginia Portals is available for Participants and Users.

ConnectVirginia assists its customers by: resolving issues over the phone immediately whenever possible; offering temporary workarounds; providing resources for users to attempt to solve the issues themselves; scheduling office visits; and escalating issues, when necessary, to the appropriate team outside the Help Desk.

Policy/Procedure:

Help Desk support includes the following:

a. Help finding information

b. Basic user guidance/application support

c. Resetting passwords

d. Escalating issues requiring a higher level of support

Responsibility: ConnectVirginia


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-12

Title: ConnectVirginia Portal Training Version: 1 Effective Date: 12/9/14

Purpose Statement: ConnectVirginia will provide training information for Portal Users to optimize each Portal User’s use of the ConnectVirginia Portals and to help ensure that such Users will safeguard ePHI exchanged through the ConnectVirginia Portals.

Policy/Procedure:

1. ConnectVirginia will provide training information to Portal Users that will teach them how to use the ConnectVirginia Portals.

2. As part of the training information, ConnectVirginia will provide information regarding methods to protect the confidentiality and integrity of ePHI.

Responsibility: ConnectVirginia


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-13

Title: Breach and Security Incident Response Procedures for Portal Participants and Users Version: 1 Effective Date: 12/9/14

Purpose Statement: Despite taking all reasonable and appropriate steps to protect the confidentiality, integrity and availability of ePHI, ConnectVirginia may experience Security Incidents and/or Breaches. ConnectVirginia has procedures in place that address ConnectVirginia’s awareness of, response to, and creation of reports about Security Incidents and Breaches, which are integral parts of ConnectVirginia’s efforts to comply with the HIPAA Security and Breach Notification Regulations. Portal Participants and Users are also responsible for being aware of and reporting any Security Incidents or Breaches that involve or impact the ConnectVirginia Portals.

Policy/Procedure:

SECURITY INCIDENTS

1. A “Security Incident” is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations through the ConnectVirginia Portals.

2. The following incidents are examples of potential Security Incidents. This list is not exclusive. The Security Officer will determine when a Security Incident has or is likely to have occurred.

a. Stolen or otherwise inappropriately obtained passwords that are used to access a ConnectVirginia Portal(s);

b. Virus attacks that interfere with the operations of a ConnectVirginia Portal(s);

c. A Participant’s failure to notify ConnectVirginia to terminate the account of a former Portal User that is then used by an unauthorized individual to access a ConnectVirginia Portal(s); and/or

d. A request for information sent for purposes other than treatment of the individual who is the subject of the request.

BREACHES

1. Unauthorized disclosures occur when an individual receives, uses, or discloses PHI that: is not permitted under the HIPAA Privacy Rule; is allowed with authorization, but no authorization was obtained; is for the user’s or discloser’s personal gain; is intended to harm the subject of the PHI; involves an unauthorized access to data; or is incidental in nature.

2. The Breach notification requirements only apply to PHI that is “unsecured.” Unsecured PHI is PHI that is not secured by a technology that renders the data unusable, unreadable or indecipherable and is endorsed by an ANSI-accredited standards setting organization. HHS has determined that in order for PHI to be unusable, unreadable or indecipherable it must be encrypted or destroyed.

REPORTING POTENTIAL BREACHES AND SECURITY INCIDENTS

1. Any Portal Participant or User must report any potential Breach or Security Incident, or any other potential threat to the confidentiality, integrity, or availability of PHI available through a ConnectVirginia Portal(s), to ConnectVirginia as soon as it is suspected.

2. The individual providing notice of the potential Breach, Security Incident or other threat may provide such notice in any format, including in writing, electronically, or orally.

3. The Privacy Officer will document the report of a potential Breach or Security Incident or threat along with the date and time that he or she was notified of such event.

4. ConnectVirginia will not take any retaliatory measures against an individual who reports a potential Breach or Security Incident or threat. If the Breach or Security Incident was created by the neglect, or deliberate action, of a Portal User, then ConnectVirginia may impose sanctions as set forth in other Policies.

5. No ConnectVirginia Portal Participant or User will prohibit or otherwise attempt to hinder or prevent anyone from reporting a potential Breach, Security Incident or threat.

ALLEGATIONS OF NONCOMPLIANCE

1. An allegation of a Portal Participant’s or User’s noncompliant use of a ConnectVirginia Portal(s) could potentially be a Breach or a Security Incident.

2. If ConnectVirginia receives a complaint or notice regarding a Portal Participant’s or User’s allegedly noncompliant use of a ConnectVirginia Portal(s), ConnectVirginia will follow the procedures set forth in the Message Content Incident, Breach and Security Incident Response Procedures Policy (H-3) under “Response to a Potential Message Content Incident, Breach or Security Incident.” In addition, the Security Officer will forward the notice or complaint to the POC for the Portal Participant or User that is the subject of the complaint. If the POC is the subject of the complaint or notice, ConnectVirginia will notify the Practice Administrator, or such other official, as deemed appropriate by ConnectVirginia. If the POC receives a complaint or notice regarding a Portal Participant’s or User’s allegedly noncompliant use of a ConnectVirginia Portal(s), the POC will forward the notice or complaint to the Security Officer.

3. Based on the nature of the complaint or notice, ConnectVirginia, in its sole discretion, may choose to suspend access to the ConnectVirginia Portal(s) by the Portal Participant or User who is the subject of the complaint or notice. ConnectVirginia and, if applicable, the Portal Participant will implement such suspension in accordance with the applicable suspension policy.


4. The POC, or other practice official, will undertake an investigation of the complaint and produce a written report to ConnectVirginia within one week of being notified of the complaint. The written report will include a summary of the POC’s, or other practice official’s, findings including whether a Breach or Security Incident occurred and the basis for such conclusion.

5. The Privacy and Security Committee will evaluate the POC’s report along with the findings of its own investigation to determine (i) whether a Portal Participant or User has engaged in noncompliant behavior and (ii) whether such noncompliant behavior has created a Breach or Security Incident.

6. If ConnectVirginia has determined that the noncompliant behavior caused a Breach or Security Incident, ConnectVirginia will determine the appropriate corrective action to pursue, including suspension or termination of the Portal Participant’s or User’s authorization to use the ConnectVirginia Portal(s).

7. The Portal Participant or User must abide by whatever corrective action ConnectVirginia decides to pursue regarding the noncompliant behavior.

Responsibility: Privacy Officer, Security Officer, Executive Director, ConnectVirginia Portal Participants and Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-14

Title: Use of the CVEAM Portal Version: 1 Effective Date: 12/9/14

Purpose Statement: CVEAM Portal Participants and Users may only use the CVEAM Portal for the purposes set forth in this policy.

Policy/Procedure:

1. When subscribing to receive Encounter Alert Reports through the CVEAM Portal, CVEAM Portal Participants and Users are only permitted to subscribe for individuals with whom they have a current relationship for the purposes of providing treatment (e.g. have seen the patient at least twice in the past 18 months) or care coordination (e.g. individual is a member of a plan/ACO or other care management program). CVEAM Portal Participants and Users may not subscribe for Encounter Alert Reports for individuals for any other purpose.

2. CVEAM Portal Participants and Users with active Encounter Alert subscriptions must review their subscription list every 90 days and confirm their relationship with each patient for whom they subscribe to receive Encounter Alert Reports.

Responsibility: ConnectVirginia; CVEAM Portal Participants and Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-15

Title: Deletion of ConnectVirginia Encounter Alert Reports Version: 1 Effective Date: 12/9/14

Purpose Statement: ConnectVirginia allows CVEAM Portal Participants and CVEAM Site Administrators to retain Encounter Alert Reports that they receive in the CVEAM Portal. For proper system administration and management, ConnectVirginia will periodically delete such Reports in accordance with this Policy.

Policy/Procedure:

1. ConnectVirginia will allow CVEAM Portal Participants and CVEAM Site Administrators to retain Encounter Alert Reports received through the CVEAM Portal.

2. Any CVEAM Portal User will be able to delete an Encounter Alert Report in a CVEAM account to which he/she has access. CVEAM Portal Users are encouraged to delete Encounter Alert Reports after the Report has been read and either printed or downloaded for the CVEAM Portal User’s records.

3. ConnectVirginia will automatically delete Encounter Alert Reports from the CVEAM Portal if the receiving CVEAM Portal Participant or CVEAM Site Administrator, or such User’s CVEAM Delegate, has read the Report and the Report is more than 90 days old.

4. ConnectVirginia will monitor the number and size of Encounter Alert Reports retained by each CVEAM Portal Participant and CVEAM Site Administrator in the CVEAM Portal. If ConnectVirginia finds that the number or size of Reports retained in the CVEAM Portal is excessive, ConnectVirginia will contact such CVEAM Portal Participant or User to request that he/she/it delete his/her/its Reports.

Responsibility: ConnectVirginia; CVEAM Portal Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-16

Title: Use of the Patient Search Service through the STREAMLINE Portal Version: 1 Effective Date: 12/9/14

Purpose Statement: STREAMLINE Portal Users may only use the Patient Search functionality of the STREAMLINE Portal for the purposes set forth in this policy.

Policy/Procedure:

When using the Patient Search service in the STREAMLINE Portal, Users are permitted to request information about individuals with whom they have a relationship for the purposes of engaging in treatment, payment or healthcare operations related to the individual who is the subject of the request. STREAMLINE Portal Users may not request information on an individual for any other purpose.

Responsibility: ConnectVirginia; STREAMLINE Portal Users


ConnectVirginia Operational Policy for ConnectVirginia Portals

Policy No: PORT-17

Title: Establishing a Relationship in the STREAMLINE Portal Version: 1 Effective Date: 11/16/2015

Purpose Statement: To ensure the privacy and security of information accessed through the Network, STREAMLINE Portal Users must have established a relationship with an individual before accessing information related to that individual. For those STREAMLINE Portal Users who access the Network through the STREAMLINE Portal, the STREAMLINE Portal will require the STREAMLINE Portal Users to attest to having such a relationship prior to allowing access to information.

Policy/Procedure:

1. A STREAMLINE Portal User may only declare a relationship with an individual when the STREAMLINE Portal User is:

a. actively treating the individual or coordinating his/her care;

b. asked to consult on the treatment of the individual; or

c. working for a provider who is treating the individual and has been asked to access this information.

2. Once a relationship is established pursuant to Section 1 of this Policy and Procedure, the relationship will persist for six (6) months. At the end of the six (6) month period, the relationship will need to be re-established as described in Section 1 above.

3. If a relationship is incorrectly established, the STREAMLINE Portal User will notify ConnectVirginia’s Help Desk immediately and the Help Desk will remove the relationship in the Network.

Responsibility: ConnectVirginia; STREAMLINE Portal Users


ConnectVirginia Operational Policies and Procedures for

ConnectVirginia Public Health Reporting Pathway Service


ConnectVirginia Operational Policy for ConnectVirginia Public Health Reporting Pathway

Policy No: PHRP-1

Title: Certificate Validation Version: 1 Effective Date: 2/4/2014

Purpose Statement: To ensure that only authorized Registrants are sending messages to VDH using the PHRP, ConnectVirginia will validate the certificate for each message.

Policy/Procedure:

For each message that a Registrant sends using the PHRP, ConnectVirginia will check the validity of the certificate by verifying that

1. The certificate has not expired;

2. The message has a valid signature;

3. The certificate has not been revoked;

4. The certificate is binding to the expected entity; and

5. The certificate has a trusted certificate path.
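The five checks above, applied in order to one incoming message, as an added example that is not ConnectVirginia's PHRP code. It builds its own throwaway root CA and a leaf certificate issued to a hypothetical registrant address, signs a constructed message body with the leaf key, and then runs the checks with Go's standard `crypto/x509` package: validity period, message signature, a revocation lookup against a constructed list of revoked serial numbers (standing in for a CRL), binding of the certificate to the expected sending address, and chain validation to the trusted root. The `Fixture` type, the address `phrp@registrant.example` and the "check N" error prefixes are assumptions made for the example. Note that check 5 passes an extended key usage to `Verify`; without it Go's default of server authentication would reject a mail-signing certificate, which is a common source of false "untrusted path" failures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fixture bundles a constructed root CA, a leaf certificate issued to a hypothetical
// registrant, the leaf's private key, and the serial numbers on a constructed CRL.
type Fixture struct {
	Root    *x509.Certificate
	Leaf    *x509.Certificate
	LeafKey *ecdsa.PrivateKey
	Revoked map[string]bool // decimal serial numbers the CA has revoked
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewFixture builds a throwaway CA and a leaf for addr, both valid for 24 hours from now.
func NewFixture(addr string) *Fixture {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "registrant.example"},
		EmailAddresses: []string{addr}, // the sending address the certificate is bound to
		NotBefore:      now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	leaf := issue(leafTmpl, root, &leafKey.PublicKey, caKey)
	return &Fixture{Root: root, Leaf: leaf, LeafKey: leafKey, Revoked: map[string]bool{}}
}

// SignMessage is the sender side: an ECDSA signature over the SHA-256 digest of the body.
func SignMessage(key *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// ValidateMessage runs the five PHRP-1 checks in order, using f.Root as the trust
// anchor and f.Revoked as the CRL, and returns the first failure (nil means accept).
func ValidateMessage(f *Fixture, cert *x509.Certificate, msg, sig []byte, expectedAddr string, at time.Time) error {
	// 1. The certificate has not expired (and is not used before its start date).
	if at.Before(cert.NotBefore) || at.After(cert.NotAfter) {
		return fmt.Errorf("check 1: certificate expired or not yet valid")
	}
	// 2. The message has a valid signature from the certificate's public key.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("check 2: unsupported public key type %T", cert.PublicKey)
	}
	h := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("check 2: message signature does not verify")
	}
	// 3. The certificate has not been revoked (serial lookup against the CRL).
	if f.Revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("check 3: certificate serial %s is revoked", cert.SerialNumber)
	}
	// 4. The certificate is bound to the expected entity, here its sending address.
	bound := false
	for _, e := range cert.EmailAddresses {
		bound = bound || e == expectedAddr
	}
	if !bound {
		return fmt.Errorf("check 4: certificate is not bound to %s", expectedAddr)
	}
	// 5. The certificate chains to a trusted root and is usable for mail protection.
	roots := x509.NewCertPool()
	roots.AddCert(f.Root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("check 5: untrusted certificate path: %w", err)
	}
	return nil
}

func main() {
	addr := "phrp@registrant.example" // hypothetical registrant address
	f := NewFixture(addr)
	msg := []byte("constructed public health report body")
	fmt.Println("valid message:", ValidateMessage(f, f.Leaf, msg, SignMessage(f.LeafKey, msg), addr, time.Now()))
	f.Revoked[f.Leaf.SerialNumber.String()] = true
	fmt.Println("after revocation:", ValidateMessage(f, f.Leaf, msg, SignMessage(f.LeafKey, msg), addr, time.Now()))
}
```

In production the revocation step would consult the issuer's published CRL or an OCSP responder rather than an in-memory map, and the trust pool would hold the roots ConnectVirginia has actually agreed to accept; the order of the checks is kept as the policy lists them so that a rejection message names the step that failed.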

Responsibility: ConnectVirginia


ConnectVirginia Operational Policy for ConnectVirginia Public Health Reporting Pathway

Policy No: PHRP-2

Title: Agreements with Registrants Version: 1 Effective Date: 2/4/2014

Purpose Statement: Each Registrant must agree to be legally obligated to comply with various requirements that govern the use of the PHRP. Furthermore, ConnectVirginia must agree to be legally obligated to fulfill its responsibilities related to the PHRP. Each party’s legal obligations are set forth in the ConnectVirginia Public Health Reporting Agreement.

Policy/Procedure:

1. Each Registrant must agree to the ConnectVirginia Public Health Reporting Agreement before using the PHRP.

2. Each Registrant must also enter into any required Memorandum of Understanding or Agreement with the Virginia Department of Health related to the electronic public health reporting activity.

Responsibility: ConnectVirginia; Registrants


ConnectVirginia Operational Policy for ConnectVirginia Public Health Reporting Pathway

Policy No: PHRP-3

Title: ConnectVirginia Public Health Reporting Audit Requests

Version: 1 Effective Date: 2/4/2014

Purpose Statement: ConnectVirginia will promptly respond to requests from Registrants for reports of the Registrant’s activity using the PHRP.

Policy/Procedure:

1. If a Registrant desires an audit report of its activity using the PHRP, Registrant will submit a request to ConnectVirginia with a brief explanation of the reason for the request.

2. Within one week of receiving the request from the Registrant, ConnectVirginia will decide whether to accept or deny the request and transmit such decision to the Registrant.

3. If ConnectVirginia denies a request, ConnectVirginia will provide a brief explanation of the denial.

4. If ConnectVirginia accepts the request, ConnectVirginia will provide the Registrant with the requested report as soon as feasible.

5. ConnectVirginia will not provide Registrants with any reports or documentation related to a Registrant’s compliance with Meaningful Use requirements. A Registrant must request and receive any such report or documentation from the Virginia Department of Health.

Responsibility: ConnectVirginia, Registrants


ConnectVirginia Operational Policy for ConnectVirginia Public Health Reporting Pathway

Policy No: PHRP-4

Title: ConnectVirginia Registrant Onboarding

Version: 2 Effective Date: 12/9/14

Purpose Statement: To protect the confidentiality, integrity, and availability of public health reporting data transported through the PHRP, ConnectVirginia has implemented a strict onboarding process to ensure that only those entities that meet the eligibility criteria have access to the PHRP.

Policy/Procedure:

1. Each entity that desires to use the PHRP to transport Data to VDH will be responsible for completing the onboarding process.

2. To onboard, an entity must complete and submit the Public Health Reporting Agreement Form, which is available on the ConnectVirginia website.

The Agreement will require the entity to attest to the following:

a. It is a health care provider, vendor or reference laboratory in the Commonwealth of Virginia that wishes to submit Data electronically to VDH for public health reporting purposes; and

b. It has registered with VDH to submit such Data electronically and executed all required Memorandum of Understanding or Agreement related to such electronic submission.

3. The entity will also have to identify the transport method that it will use and a central point of contact for all correspondence between ConnectVirginia and the entity (the “PHRP Site Administrator”).

4. The Agreement form must be scanned and submitted to ConnectVirginia at [email protected] or submitted via US Mail to ConnectVirginia Enrollment, 4900 Cox Rd, Suite 245, Glen Allen, Virginia 23060.

a. The PHRP Site Administrator for the Registrant is responsible for maintaining accurate enrollment information and notifying ConnectVirginia of changes to such information.

5. Once the Registrant submits all required enrollment information to ConnectVirginia, ConnectVirginia will contact the Registrant to schedule testing of the transport method. Upon successful completion of testing, ConnectVirginia will notify VDH and seek confirmation that VDH is ready to accept Data from the Registrant. Once ConnectVirginia receives such confirmation from VDH, it will enable Registrant’s use of the PHRP.

Responsibility: ConnectVirginia; Registrants


ConnectVirginia Operational Policy for ConnectVirginia Public Health Reporting Pathway

Policy No: PHRP-5

Title: ConnectVirginia Registrant Suspension and Termination

Version: 1 Effective Date: 2/4/2014

Purpose Statement: ConnectVirginia may suspend or terminate a Registrant’s access to the PHRP as set forth in the ConnectVirginia Public Health Reporting Agreement and this Policy.

Policy/Procedure:

1. ConnectVirginia can suspend a Registrant upon giving the Registrant notice that it has materially breached the ConnectVirginia Public Health Reporting Agreement. Such notice will contain an explanation of the breach.

2. To suspend a Registrant, ConnectVirginia will de-activate the certificates that the Registrant uses in connection with the PHRP.

3. The Registrant will have ten (10) business days in which to respond to the notice of breach by curing such breach.

a. If the Registrant fails to cure the breach within this cure period, ConnectVirginia may terminate the Registrant.

b. If the Registrant cures the breach within this cure period, ConnectVirginia will reactivate the certificates that the Registrant uses in connection with the PHRP.

Responsibility: ConnectVirginia; Registrants


ConnectVirginia Operational Policy for ConnectVirginia Public Health Reporting Pathway

Policy No: PHRP-6

Title: ConnectVirginia Public Health Reporting Data Encryption

Version: 1 Effective Date: 2/4/2014

Purpose Statement: To ensure the confidentiality, integrity, and availability of the Data, ConnectVirginia will provide a mechanism for Registrants to encrypt Data before transmitting to VDH through the PHRP.

Policy/Procedure:

1. ConnectVirginia will provide Registrants with a mechanism to encrypt Data using industry standard message encryption mechanisms and Transport Layer Security (TLS).

2. VDH will be responsible for decrypting the Data.

3. ConnectVirginia and its Vendor(s), to the extent applicable, will:

a. Protect its cryptographic keys against modification and destruction, and protect its private keys against unauthorized disclosure.

b. Manage the cryptographic keys used to encrypt Data transported through the PHRP.

c. Periodically determine activation and deactivation dates for its cryptographic keys.

Responsibility: ConnectVirginia; Registrants