SMRTNET Data Security

Privacy and Data Security Process

In many ways SMRTNET operates as a sophisticated electronic fax machine. In the same regard, SMRTNET does not own or control data. SMRTNET simply organizes and moves information according to HIPAA-compliant instructions from SMRTNET members who are treating the same patient. The members always own and control their data. The instructions and regulations for transferring data are fully compliant with HIPAA and state law and are codified in a network agreement that all members sign and follow.

SMRTNET uses numerous procedural controls, generally much more secure than the controls used for paper records, to assure that security rules are monitored and followed. SMRTNET’s privacy and security approach, which combines policy, technology and governance/oversight by data contributors and providers that are close to their patients, has been proven throughout the operation of SMRTNET across Oklahoma.

The privacy guidelines listed below that oversee the network have been successfully in place for over six years. The legal agreements that all members sign have been reviewed and accepted by attorneys and privacy officers from physician offices, hospitals, laboratories, universities, Native American tribes, community health centers, mental health, optometry, public health and other health entities. The governance/oversight comes from many different provider network groups that are close to the particular privacy needs of their patients. So, for instance, tribes oversee tribal data, and physician governance committees oversee their medical data. Cerner, a worldwide health data company with secure data management of over 1,500 hospitals, stores and distributes the data for the members.

Limits of Data Use

  • The network is only used for treatment and treatment support as regulated by HIPAA, federal and state law and overseen by a public non-profit organization of healthcare providers.
  • Only members who have applied and been accepted by the network can access data.
  • The data cannot be used for research.
  • Nobody can access a “list” of patients of any type except by approval of the management committee. Only data from one patient at a time can be seen and only for treatment or HIPAA related purposes.
  • No employers, insurance companies or any non-member persons can access the data. 

Limited Data Set

The data shared is limited to the data types most needed to assist improving healthcare. These include diagnosis, medications, laboratory results, procedure codes, allergies and reactions, and other related information as determined by the public non-profit governance boards. 

Public and Transparent Oversight

The data exchange process is overseen by a management committee of provider agencies. The committee operates using a transparent process with public meetings and budgets under the umbrella of a legislatively created health authority. New members can be added to the management committee as the network grows. SMRTNET is made up of several health information exchange boards that oversee their particular health issues. These operate within the scope of the general management committee. 

Provider Oversight

  • Each provider is issued a special identification and password, which they have to use to access the data. This is changed periodically.
  • The provider must electronically certify that s/he is seeing the patient for treatment or treatment related issues before any information is shared.
  • Every access to information is recorded.
  • Within each organization only the level of information that is needed by that provider for treatment or support is shared. So, for instance, a clerk can only see the patient’s address but the physician can see medications and diagnosis.

Audits

  • An audit report is issued to each member facility of SMRTNET of accesses by staff.
  • Any provider or member can be audited for appropriate use at any time by request of any member. 

Patient Identification

  • Name, date of birth, or social security number and other demographics identify patients before any information is shared.
  • A sophisticated software program makes sure that names are correctly matched to records. Only statistically determined exact matches are shared. Close matches will be researched and corrections made by professional staff members when appropriate using additional demographics such as address and phone numbers to assure matches. 

Patient Oversight of Access and Use

Under HIPAA, patients may ask their providers for copies of their personal health information. In the future patients may be offered an opportunity to apply for a free electronic personal health record where they will see who has accessed their information. Over time they will also be able to store information there for use by SMRTNET providers. The ability of member providers to share treatment information with other providers who are also seeing the same patient is allowed under HIPAA, and this fact is in the privacy statement of each member as signed and acknowledged by patients.


  • Patients can opt out initially or at any time. A completed opt out request form submitted to SMRTNET prevents the patient’s information from being shared through SMRTNET to all member providers in any facility.
  • Patients are informed at the provider source about the network. This is the most appropriate place to share that information.
  • Information about SMRTNET is made available by the provider office, on the website www.smrtnet.org and by phone.
  • Sensitive data under law, such as drug abuse and some family planning information, is not sent by the member providers into the network.
  • The provider must electronically certify that s/he is seeing the patient and only those that certify this can see the patient data.
  • Providers may provide higher levels of patient acknowledgement such as “opt in” if they choose.

Outside Storage and Data Security

The data is stored in a special facility in Kansas City overseen by a company that stores data for over 1,500 hospitals and several networks. The software has been tested within a framework of two million patients and several thousand providers. Patient information is “shattered” into separate electronic “virtual vaults” which store types of information separated from names. 

Network Agreement

The rules of the network are listed in a detailed member agreement, which all data providers and data contributors agree to in writing. Over twenty attorneys from a wide variety of health entities have reviewed and certified that the rules and processes in the agreement fit with all federal and state law.