Security FAQs

What provisions allow providers to use HIE information?
C3HIE shares medical record information with healthcare providers for payment, treatment and other healthcare operations as defined under HIPAA, 45 CFR 164.506 (Uses and Disclosures for Treatment, Payment, and Health Care Operations, HHS.gov).

C3HIE has a business associate agreement with each participating organization that defines these requirements and the protection of the data and privacy of the patient.

C3HIE does share records as required under the 21st Century Cures Act (Federal Register: 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program).

A patient has the authorization to opt in or out of sharing their records with other providers at any participating facility. This is a global authorization: if a patient opts out, none of their records are available through C3HIE. C3HIE can also share records for other purposes, such as life insurance applications, based on explicit authorization by the patient.

What should patients and providers know about the security of patient records?
C3HIE uses the HITRUST global security and privacy framework (HITRUST Alliance, HITRUST CSF, Information Risk Management) to protect healthcare records both in storage and in transit. Health records are encrypted at all times until they are displayed to an authorized user, who must have a relationship with the patient.

The HITRUST framework has both technical and process controls to ensure protection of the data. Technical controls include strong encryption of data in storage and in transit, and firewall rules that deny all requests except those from trusted partners with signed agreements. All events are logged and access is monitored.

All users with access to C3HIE data through the C3HIE web application are required to use multi-factor authentication. From a process perspective, all HASA employees and vendor partners have background checks and are trained in cybersecurity and the HITRUST framework. C3HIE monitors and adapts its security environment to manage current threats.

C3HIE has both a Security Officer and a Privacy Officer to oversee and manage protection of clinical records. Security is a strategic goal and initiative at the HASA Board level.

If my patient opts out, can they opt back in?
Yes, their HIE status is based on their most recent decision with a participating provider or hospital. Ask your patients at registration if they would like to opt back in.

Who can access my health information through C3HIE?
Only your treating providers that are participating with the HIE can access your health information through C3HIE.
