1. Scope and Application.

1.1 Scope.

The policies and procedures described in this document (Policies and Procedures) apply to all organizations and individuals using the Massachusetts Health Information Highway and are intended to ensure that the Massachusetts Health Information Highway is used in an effective, efficient, ethical, and lawful manner.

1.2 Acceptance of Terms.

Use of the Massachusetts Health Information Highway constitutes acceptance of, and agreement to abide by, all the requirements in these Policies and Procedures.

1.3 Incorporation by Reference.

All the provisions of these Policies and Procedures are incorporated by reference into each Participation Agreement. All capitalized terms used in this Agreement shall have definitions in the Participation Agreement, unless otherwise provided herein.

2. Access to the Massachusetts Health Information Highway.

2.1 Participation Agreement.

An individual who is authorized to legally bind the Participant must execute and sign a Participation Agreement before being granted access to the Massachusetts Health Information Highway.

2.2 Delegated Administration Agreement.

Each Participant must execute a Delegated Administration Agreement before being granted access to the Massachusetts Health Information Highway. Each Participant must identify at least one individual to serve as an Access Administrator, as provided in the Delegated Administration Agreement. Each Participant’s Access Administrator is responsible for administration of the Participant’s Authorized Users and must sign the Access Administrator Agreement.

2.3 Massachusetts Health Information Highway Service Addendum.

Each Participant must execute a Massachusetts Health Information Highway Service Addendum before being granted access to services on the Massachusetts Health Information Highway. Participants may execute more than one Service Addendum as their need for The HIway services evolves.

2.4 Identification of Authorized Users.

Each Participant’s Access Administrator must provide EOHHS with a list of the Participant’s Authorized Users, and such other information about such Authorized Users as EOHHS may reasonably require. Each Participant’s process for identifying Authorized Users must include verifying each individual’s identity, the individual’s affiliation with the Participant, the individual’s functional role with the Participant, and whether it is appropriate for the individual to send or receive information using the Massachusetts Health Information Highway.

2.5 Assignment of Usernames and Passwords.

EOHHS or the Participant shall provide Authorized Users with a user name and a password to access their EHR and/or the Massachusetts Health Information Highway. Authorized Users are prohibited from sharing their user names and/or passwords with others and from using the user names and/or passwords of others.

2.6 Training.

Each Participant is responsible for training its Authorized Users and ensuring that the Massachusetts Health Information Highway Policies and Procedures have been read and understood by all of its Authorized Users. Each Participant shall ensure that all of its Authorized Users comply with the Massachusetts Health Information Highway Policies and Procedures and comply with Participant’s own privacy and security policies and procedures.

2.7 Termination of Authorized Users.

Each Participant shall terminate access to the Massachusetts Health Information Highway immediately for any Authorized User who no longer requires access by reason of termination of employment, and as soon as reasonably practicable for Authorized Users who no longer require access by reason of change in function. Each Participant shall immediately terminate access to the Massachusetts Health Information Highway for any Authorized User that engages in conduct that could undermine the security and integrity of the Massachusetts Health Information Highway. Each Participant shall notify EOHHS immediately upon termination of any Authorized User’s account.

3. Acceptable Uses.

3.1 Acceptable Uses.

Participant agrees that it will use and disclose the Protected Health Information (PHI) accessible through the Massachusetts Health Information Highway only for purposes that are permitted by applicable federal and state laws, including without limitation the HIPAA Privacy Rule.

3.2 Prohibited Uses.

Each Participant shall ensure that its Authorized Users do not use the Massachusetts Health Information Highway for any of the following prohibited uses:

  1. For illegal purposes or to further illegal activities including, without limitation, any upload, download, posting, distribution or facilitating the distribution of any material that constitutes unauthorized use or reproduction of material protected by copyright, trademark, trade secret or other intellectual property right.
  2. For any purpose or activity that is, or may be perceived as, obscene, threatening, abusive, harassing, defamatory, libelous, deceptive, fraudulent, or invasive of another’s privacy.
  3. For any unauthorized access to or inappropriate use of data, systems, and networks including, but not limited to, any probe or attempted probe, scan or vulnerability testing without the express authorization of EOHHS.
  4. To interfere with the service of any user, host or network, including deliberate attempts to overload a server, network connected device, or network component;
  5. To propagate malformed data or network traffic resulting in damage to, or disruption of, a service or network connected device;
  6. To forge data with the intent to misrepresent the origination user or source;
  7. To send unsolicited, mass electronic mail messages to one or more recipients or systems, including, without limitation, commercial advertising and informational announcements; or
  8. To forge electronic mail headers (including any portion of the IP packet header and/or electronic mail address) or to use any other method to forge, disguise, or conceal the user's identity or IP address.

4. Information and Network Security.

4.1 Participant Safeguards.

Each Participant shall implement reasonable and appropriate safeguards to protect the security and integrity of the Massachusetts Health Information Highway, including maintaining compliance at all times with the HIPAA Security Rule.

4.2 EOHHS Safeguards.

Participants may not attempt to disable, modify, or circumvent any security safeguards adopted by the Massachusetts Health Information Highway. Participant acknowledges and agrees that EOHHS can monitor, record, and Audit (see Section 6) use of the Massachusetts Health Information Highway in order to protect the security of the Massachusetts Health Information Highway.

4.3 Suspension of Account.

EOHHS may at any time suspend access to the Massachusetts Health Information Highway by the Participant, Access Administrator and/or any of its Authorized Users as required to prevent unauthorized use of the Massachusetts Health Information Highway; to prevent, investigate, or remedy a breach or security incident; to protect the integrity of the information systems operated by EOHHS and its contractors; or for violation of any of the requirements of these Policies and Procedures. EOHHS will restore such access as determined by EOHHS in its sole discretion.

4.4 Duty to Report.

Users should immediately report any weaknesses in or breach of system security and/or any incidents of possible misuse or violations of these Policies and Procedures to EOHHS.

4.5 Non-disclosure of Security Information.

Participant and its Authorized Users shall not divulge connectivity details, passwords, or other access control information that could be used by a third party to gain unauthorized access to the Massachusetts Health Information Highway.

4.6 Physical Security.

Participant and Authorized Users shall take reasonable precautions to secure their physical working environment to guard against unauthorized access including, but not limited to workstations, laptops or The HIway issued software, certificates, private keys or network connected devices (e.g. LAND). In addition, the Participant and Authorized Users shall take security precautions in the workspace such as the use of password screen locks, session timeouts, logging out of workstations at the end of the working day and strong passwords.

4.7 Network Security.

Participant must maintain a secure network through measures such as multiple firewalls configured for high availability and minimal vulnerability and the latest versions of OS and antivirus protection.

4.8 Access to Webmail.

Participant shall not use public computers for accessing Webmail due to security and privacy concerns.

5. Privacy and Patient Engagement.

Participant is responsible for obtaining any and all necessary patient consents and authorizations relating to the use and exchange of patient information, including without limitation consent to release HIV test results, genetic test information, substance abuse information, and as otherwise required by law. In addition, Participant and/or the Authorized User are responsible for obtaining patient permission to share patient information over the Massachusetts Health Information Highway. It is the responsibility of the Participant to maintain these consents and permissions as required by law and their policies. The method by which the Participant maintains the consents will be determined by the Participant but proof of consent may be subject to Audit by EOHHS as defined in Section 6 of these Policies and Procedures.

6. Audit.

6.1 EOHHS Audits.

EOHHS (or a third party engaged by EOHHS) may audit Participants on a periodic basis. The purpose of these audits will be to confirm compliance with and proper use of the Massachusetts Health Information Highway in accordance with the Participation Agreement, the Delegated Administration Agreement, and these Policies and Procedures (“Audit”).

6.2 Audit Process.

Audits will take place during normal business hours and at mutually agreeable times and shall be limited to such records, personnel and other resources of the Participant as are necessary to determine proper use of the Massachusetts Health Information Highway, compliance with the Participation Agreement, the Delegated Administration Agreement, and these Policies and Procedures, or to comply with applicable state or federal requirements.

7. Webmail.

7.1 Policies and Procedures Applicable to Webmail.

The provisions of this Section 7 of the Policies and Procedures shall apply to Participants and their Authorized Users who use the Webmail service of the Massachusetts Health Information Highway.

7.2 User Agreement.

Each Authorized User must execute and sign a User Agreement before being granted access to Webmail.

7.3 Webmail Capacity.

Each Authorized User’s Webmail account will be subject to a storage capacity limit of 10MB per attachment and 1GB for the mailbox itself. EOHHS will notify an Authorized User when their webmail account has reached its storage capacity limit, after which the webmail account will not be able to receive additional messages until messages have been removed to allow additional storage. EOHHS will not delete or archive messages in an Authorized User’s webmail account, but will not deliver messages to an account when it is over its storage capacity limit. EVERY PARTICIPANT AND AUTHORIZED USER AGREES AND ACKNOWLEDGES THAT THEY WILL NOT BE ABLE TO RECEIVE MESSAGES SENT TO THEIR WEBMAIL ACCOUNT WHEN IT IS OVER ITS STORAGE LIMIT CAPACITY.

7.4 Webmail Supported Browsers.

Webmail will be supported on browsers with a default or Medium security setting as specified below:

Browser version support for PC/Mac is as follows:

  1. IE 8+
  2. Firefox 5+
  3. Safari 5+ **

** Safari 5+ will be ready in December 2012.

8. Other.

8.1 Breach Response.

Participants are obligated to report all breach events to their Access Administrator and organization’s privacy and security officer(s) immediately after their discovery. The Access Administrator will advise EOHHS of the breach event. Other individuals who have information about breach events involving the Massachusetts Health Information Highway are encouraged to file reports or complaints with the EOHHS privacy and security officer or his/her designee. If a breach occurs at the Participant level, then any required public notification is the responsibility of the Participant. If the breach occurs at the Massachusetts Health Information Highway level, then it is the responsibility of the EOHHS Privacy and Security Officer to report the breach to the Participant, which will in turn make any required public notifications.

8.2 Amendments.

EOHHS may amend these Policies and Procedures from time to time. EOHHS will provide notice of changes by email to the Participant’s designated Access Administrator and by posting changes to the Massachusetts Health Information Highway website in a manner and form that makes the changes apparent and readily available for review. EOHHS will post any such amendments on the Massachusetts Health Information Highway website at least thirty days before implementation of the amendment, but reserves the right to provide less notice, including no prior notice, if EOHHS reasonably determines that less notice is necessary for the security of the Massachusetts Health Information Highway, or unless the amendment is required in order for EOHHS, the Participant, or any other participant to comply with applicable laws or regulations. In that case, EOHHS may implement the amendment within a shorter period of time as EOHHS reasonably determines is appropriate under the circumstances, but will provide as much notice of the amendment as reasonably possible. It is the responsibility of the Participant to check the Massachusetts Health Information Highway Website periodically for such updates. Participant’s continued use of the Massachusetts Health Information Highway constitutes acceptance of the changes.