/Docs/G/Patient-Data-Manager/pDMA/Form/0.md
{- "edges" : [
- [ "2.1.sec" : "see 45 CFR 164.524(a)(1)" ] , [ "2." : "G/Z/paras/s4" ] , [ "Def.Patient." : "G/Z/ol/Base" ] , [ "Def.PDM." : "G/Z/ol/Base" ] , [ "Def.PHR." : "G/Z/ol/Base" ] , [ "Def.PDR." : "G/Z/ol/Base" ] , [ "Def.PHI.sec" : "45 CFR 160.103" ] , [ "Def.PHI." : "G/Z/ol/Base" ] , [ "Def.SDR." : "G/Z/ol/Base" ] , [ "Def." : "G/Z/ol/Base" ] , [ "4.1.sec" : "append sample form" ] , [ "4." : "G/Z/ol-AA/s3" ] , [ "5." : "G/Z/ol-AA/s3" ] , [ "6." : "G/Z/ol-AA/s5" ] , [ "7.1.sec" : "and pursuant to {_Patient} instruction and/or service tier etc." ] , [ "7." : "G/Z/ol-AA/s4" ] , [ "8." : "G/Z/ol-AA/s2" ] , [ "9.1.sec" : "consider adding here provisions related to law enforcement/access via subpoena and/or court order" ] , [ "9." : "G/Z/ol-AA/s4" ] , [ "10." : "G/Z/ol-AA/s1" ] , [ "11." : "G/Z/ol-AA/s1" ] , [ "12.2.sec" : "Massachusetts" ] , [ "12.3." : "G/Z/ol-a/s1" ] , [ "12.4." : "G/Z/ol-a/s1" ] , [ "12.5." : "G/Z/ol-a/s1" ] , [ "12." : "G/Z/ol-AA/s7" ] , [ "13." : "G/Z/ol-AA/s2" ] , [ "" : "G/AgtForm/US/Frame/2Parties/0.md" ] , [ "" : "G/Z/ol-II/13" ] ,
]
"data" {- "Doc.Ti" : "Patient Data Use Agreement" ,
"Why.Ti" : "PREAMBLE:" ,
"Why.sec" : "This document is a proposed model patient data use agreement. It is intended to establish a relationship between an individual and a data management service entity for the purposes of managing the individual\u2019s complete, longitudinal health data on the individual\u2019s behalf. It provides complete control over the aggregated copy of the patient\u2019s data to the patient, including the destruction of the data should the patient wish to do so. This document does not authorize a data management service entity to function as a healthcare provider unless the data management service is already functioning in such capacity. The patient\u2019s aggregated copy of health data does not supplant existing provider-maintained records that law and regulation require healthcare providers to maintain, nor does it have any impact on provider responsibility to report public health data or perform any other functions related to medical records as may be required by federal, state, and local law." ,
"1.Ti" : "Introduction" ,
"1.sec" : "This Patient Data Use Agreement (PDUA or Agreement), by and between ", "P1.US.N,E,A", " (", "_Patient", ") and ", "P2.US.N,E,A", " (Patient Data Manager, or ", "_PDM", "), authorizes ", "_PDM", ", on ", "_Patient", "\u2019s behalf, to request, acquire, receive, aggregate, maintain, curate, secure, share, and delete, with ", "_Patient", "\u2019s permission as granted pursuant to this Agreement, ", "_Patient", "\u2019s complete, longitudinal digital health record (or any portions of the health record designated by the ", "_Patient", ")." ,
"2.Ti" : "Background and Authority" ,
"2.2.sec" : "", "_PDM", " has the capacity to aggregate, maintain, and secure personal health data in a way that enables it to be: regularly updated; protected; compartmentalized; shared in whole or in part with the ", "_Patient", "\u2019s authorization; and maintained free of unauthorized changes or interference that could render the data untrustworthy." ,
"2.3.sec" : "", "_Patient", " seeks to exert the right of access provided to ", "_Patient", " by 45 CFR \u00a7 164.524 and related HHS Office of Civil Rights guidance to regularly access personal health information maintained by healthcare providers in designated record sets and to direct providers to transmit ", "_Patient", "\u2019s personal health information to ", "_PDM", " on ", "_Patient", "\u2019s behalf." ,
"2.4.sec" : "As ", "_Patient", " wishes to have a complete, longitudinal health record under his or her full control and maintained on his or her behalf by ", "_PDM", ", ", "_Patient", " and ", "_PDM", " agree to the following terms:" ,
"Def.Ti" : "Definitions" ,
"Def.Patient.Ti" : "Patient:" ,
"Def.Patient.sec" : "", "_Patient", " is an individual who seeks to aggregate personal health data from disparate healthcare providers and sources, including data generated by him or herself." ,
"Def.PDM.Ti" : "Patient Data Manager (PDM):" ,
"Def.PDM.sec" : "", "_PDM", " is a third-party entity with whom ", "_Patient", " enters into this PDUA for the purposes of requesting, acquiring, receiving, aggregating, incorporating, maintaining, curating, and securing ", "_Patient", "\u2019s complete, longitudinal digital health record. Examples of entities who could act as ", "_PDM", "s are healthcare providers, health data systems, health insurers, and third-party mobile medical application entities." ,
"Def.PHR.Ti" : "Patient Health Record (PHR):" ,
"Def.PHR.sec" : "", "_PHR", " is ", "_Patient", "\u2019s aggregated, longitudinal health data that ", "_PDM", " maintains on the patient\u2019s behalf pursuant to this Agreement. The ", "_PHR", " does not replace healthcare providers\u2019 medical records systems, does not relieve any reporting responsibilities healthcare providers have under federal, state, or local law, and does not provide an alternative method for providers\u2019 required maintenance of medical records. Should ", "_PDM", " also be ", "_Patient", "\u2019s healthcare provider, the ", "_PHR", " shall not be comingled with the provider/", "_PDM", "\u2019s electronic health record system." ,
"Note" : "PDR is defined but not used?" ,
"Def.PDR.Ti" : "Patient Data Receipt (PDR):" ,
"Def.PDR.sec" : "An electronic computable set of structured data sent or provided to ", "_Patient", " or ", "_Patient", "\u2019s designated ", "_PDM", " at the conclusion of each health encounter or episode of care for inclusion in the ", "_Patient", "\u2019s ", "_PHR", "." ,
"Def.PHI.Ti" : "Protected Health Information (PHI):" ,
"Def.SDR.Ti" : "Standing Data Release (SDR):" ,
"Def.SDR.sec" : "A release through which ", "_Patient", " exercises right of access to personal health information maintained at a healthcare provider on an ongoing, automatic basis and requests ", "_Patient", "\u2019s ", "_PHI", " be transmitted to ", "_Patient", "\u2019s ", "_PDM", " for curation in ", "_Patient", "\u2019s ", "_PHR", "." ,
"Def.sec" : "<ul type=\"none\"><li>", "Def.Patient.Sec", "<li>", "Def.PDM.Sec", "<li>", "Def.PHR.Sec", "<li>", "Def.PDR.Sec", "<li>", "Def.PHI.Sec", "<li>", "Def.SDR.Sec", "</ul>" ,
"3.Sec" : "", "Def.Sec", "" ,
"4.Ti" : "Standing Data Release" ,
"4.2.sec" : "The ", "_SDR", " complies with the Department of Health and Human Services\u2019 Office of Civil Rights\u2019 requirements for the release of personal health information from healthcare providers to third parties on behalf of patients or patient representatives who are requesting access to personal health information. The ", "_SDR", " enables the ", "_Patient", " to authorize continual updates to ", "_Patient", "\u2019s ", "_PHR", " and provides instructions to healthcare providers on enabling automatic updates in the form of a Patient Data Receipt in electronic health record systems." ,
"4.3.sec" : "", "_Patient", " understands that healthcare providers cannot transmit ", "_PHI", " to a third party such as ", "_PDM", " without the authorization of ", "_Patient", " or ", "_Patient", "\u2019s authorized representative. ", "_Patient", " also understands that once ", "_Patient", " submits the ", "_SDR", " to a healthcare provider, HIPAA provides the healthcare provider up to 30 days to complete the initial request and the right to seek a further 30-day extension." ,
"5.Ti" : "Patient Control" ,
"5.1.sec" : "", "_Patient", " shall have complete authority and control over ", "_Patient", "\u2019s ", "_PHR", " and all of the data contained within it, regardless of the source of the information. ", "_Patient", " accordingly may direct ", "_PDM", " to share all or part of ", "_Patient", "\u2019s ", "_PHR", " with another entity or individual, including but not limited to a healthcare provider or family member." ,
"5.2.sec" : "", "_Patient", " may revoke a third party\u2019s previously-granted ", "_PHR", " access. ", "_PDM", " shall immediately implement any such revocation (within one business day). ", "_Patient", " understands that data shared prior to revocation of access often cannot be removed from related records kept by a third party, such as when information from the ", "_PHR", " has been incorporated into a medical record maintained by a healthcare provider who treated ", "_Patient", "." ,
"5.3.sec" : "", "_Patient", " shall have the ability and authority to add notes and comments to the information contained in the ", "_PHR", ". Such annotations shall be clearly distinguished from the original text of any health data provided by healthcare providers to maintain data integrity and provenance." ,
"6.Ti" : "Sharing of PHR with Designated Parties" ,
"6.1.sec" : "", "_Patient", " may authorize ", "_PDM", " to share some or all of ", "_Patient", "\u2019s ", "_PHR", " with individuals and entities that ", "_Patient", " identifies. ", "_PDM", " shall not share data without ", "_Patient", "\u2019s explicit permission." ,
"6.2.sec" : "", "_PDM", " shall establish a process for ", "_Patient", " to request access for an identified individual or entity and to specify the type of access such individual or entity may have (e.g., full access, access to all except ", "_Patient", "-generated health data, access to medication information only, access to payer data, etc.)." ,
"6.3.sec" : "", "_PDM", " cannot guarantee that such designated parties will review the information that ", "_Patient", " chooses to share." ,
"6.4.sec" : "", "_Patient", " may revoke this authorization at any time by notifying the ", "_PDM", " by online form, in writing, by telephone, or via other processes that ", "_PDM", " establishes. ", "_PDM", " shall not limit ", "_Patient", " to one method of notification but shall offer at least three means of revoking authorization. ", "_PDM", " shall implement ", "_Patient", "\u2019s revocation immediately and shall indicate in the ", "_PHR", " when the revocation has been so implemented." ,
"6.5.sec" : "Emergency Access. ", "_Patient", " may grant permission in advance to the ", "_PDM", " to share ", "_Patient", "\u2019s ", "_PHR", " in the case of an emergency during which ", "_Patient", " may not be able to authorize such sharing. Emergency sharing designations and permissions may be established and updated at any time, and may be limited to specific information of particular importance during emergency treatment when ", "_Patient", " is otherwise incapacitated." ,
"7.Ti" : "Health Data Aggregation and PHR Updates" ,
"7.2.sec" : "", "_PDM", " shall enable the incorporation of ", "_Patient", "-generated health data (PGHD) from fitness trackers, wearables, remote health monitors, and other non-clinically-derived information into ", "_Patient", "\u2019s ", "_PHR", ". Such information will be clearly delineated as PGHD." ,
"7.3.sec" : "", "_PDM", " shall enable the incorporation of subjective assessments by the patient of their health outcomes into the ", "_PHR", " (i.e., patient reported outcomes (PROs)). Such information will be clearly delineated as PRO." ,
"7.4.sec" : "", "_PDM", " shall ensure that its system can accept and integrate updates (Patient Data Receipts) from healthcare provider EHRs on an ongoing basis. If ", "_SDR", "s are in place, Patient Data Receipts shall be automatically transmitted from provider EHRs to the ", "_PHR", " at the conclusion of each of ", "_Patient", "\u2019s health visits or health encounters." ,
"8.Ti" : "Accounting of Disclosures" ,
"8.1.sec" : "", "_PDM", " shall maintain a record or log of active ", "_SDR", "s and activity within the ", "_Patient", "\u2019s ", "_PHR", ", including updates and disclosures, and shall provide a mechanism by which ", "_Patient", " can ask for additional information about any documented disclosure. Disclosures shall indicate what data was provided, to whom, on what date and time, and the ", "_SDR", " associated with the healthcare provider." ,
"8.2.sec" : "", "_PDM", " shall maintain log entries for a minimum of 7 years from the date of access. ", "_Patient", " retains the right to print or otherwise save the log or information about specific entries at any time." ,
"9.Ti" : "PHR Security and Restrictions on Use" ,
"9.2.sec" : "", "_PDM", " shall use appropriate safeguards to prevent any use or disclosure of ", "_Patient", "\u2019s ", "_PHR", ", either in whole or in part, other than as specified in this Agreement and as authorized by ", "_Patient", ". To the extent that ", "_PDM", " receives, maintains, or transmits ", "_PHR", ", ", "_PDM", " shall use appropriate administrative, physical, and technical safeguards that comply with those required by the HIPAA Security Rule and that reasonably and appropriately protect the confidentiality, integrity, and availability of ", "_PHR", ", regardless of whether ", "_PDM", " is a Covered Entity as defined by HIPAA." ,
"9.3.sec" : "", "_PDM", " shall comply with any applicable state and local security and privacy laws to the extent that they are more protective of ", "_Patient", "\u2019s privacy than the HIPAA Privacy Rule and the HIPAA Security Rule, regardless of whether ", "_PDM", " is a Covered Entity as defined by HIPAA. If ", "_PDM", " is not a Covered Entity, other federal laws and regulations may apply (e.g., Federal Trade Commission regulations pertaining to health data held by third-party entities not impacted by HIPAA). If ", "_PDM", " offers access to the ", "_PHR", " in a mobile application, Food & Drug Administration rules may also apply. ", "_PDM", " is responsible for ensuring compliance with all applicable law and regulation." ,
"9.4.sec" : "", "_Patient", " shall not share personal login and authentication information for ", "_PHR", " access with anyone. ", "_Patient", " may designate Patient Representative(s) who may access ", "_Patient", "\u2019s ", "_PHR", " in ", "_Patient", "\u2019s stead, but each Patient Representative shall maintain his or her own login and authentication information." ,
"10.Ti" : "Mobile Access to PHR" ,
"10.1.sec" : "The ", "_PHR", " is an aggregation of ", "_Patient", "\u2019s digital health data from various sources, both clinical and non-clinical. ", "_PDM", " may provide various means of ", "_PHR", " access to the ", "_Patient", ", including through mobile applications accessible on a smartphone, smart speaker, or other such electronic device. In such an instance, ", "_PDM", " shall determine whether any such applications meet the Food & Drug Administration\u2019s (FDA) definition of a mobile medical application and shall adhere to any additional requirements and guidelines set out by the FDA." ,
"11.Ti" : "Independence From Provider Medical Records" ,
"11.1.sec" : "", "_Patient", "\u2019s ", "_PHR", " maintained by ", "_PDM", " is separate and independent from medical records that healthcare providers are required by law to maintain for each patient. Healthcare providers may incorporate information from the ", "_PHR", " into their medical records if the ", "_Patient", " grants them access to the ", "_PHR", ", but the existence of the ", "_PHR", " does not supplant their medical records systems, does not relieve any reporting responsibilities healthcare providers have under federal, state, or local law, and does not provide an alternative method for their required maintenance of medical records." ,
"12.Ti" : "Termination" ,
"12.1.sec" : "This Agreement shall begin on the Effective Date set forth above and shall continue indefinitely until terminated by either party." ,
"12.3.0.sec" : "Upon termination by either party, revocations of active ", "_SDR", "s shall be generated by the ", "_PDM", " and submitted to all entities providing data to the ", "_PHR", " on an automatic basis. ", "_PDM", " shall disable the ability of ", "_Patient", "\u2019s ", "_PHR", " to receive updates no later than five (5) business days after submitting revocation notices." ,
"12.3.1.sec" : "", "_Patient", " understands that ", "_SDR", "s are not transferable to other ", "_PDM", "s and that new forms will need to be completed and submitted to healthcare providers pursuant to the new ", "_PDM", "\u2019s policies to authorize automatic updates to the ", "_PHR", " maintained by a new ", "_PDM", "." ,
"12.4.0.sec" : "", "_Patient", " may terminate this Agreement at any time with written notice to ", "_PDM", ". Upon notice of ", "_Patient", "\u2019s desire to terminate the Agreement, ", "_PDM", " shall provide ", "_Patient", " the ability to transfer ", "_Patient", "\u2019s ", "_PHR", " and related access logs to another patient data manager of ", "_Patient", "\u2019s choosing, to be provided a copy of the ", "_PHR", " for ", "_Patient", "\u2019s personal storage, and/or to destroy the ", "_PHR", " data and related access logs. ", "_PDM", " shall provide ", "_Patient", " thirty (30) days to make a decision about disposition of the ", "_PHR", ". Should ", "_Patient", " opt to transfer ", "_PHR", " to another patient data manager, ", "_PDM", " shall assist ", "_Patient", " with the form(s) and process needed to authorize the transfer. ", "_PDM", " shall ensure that the transfer may be effected electronically if ", "_Patient", " so elects and shall be performed expediently and no later than 30 days after ", "_Patient", " notifies ", "_PDM", " of its disposition decision, without undue burden or unreasonable cost." ,
"12.4.1.sec" : "", "_PDM", " shall, to the best of its ability, confirm successful transfer of ", "_Patient", "\u2019s ", "_PHR", " to a new patient data manager, or the date, time, and method of destruction of ", "_Patient", "\u2019s ", "_PHR", " data and access logs, as applicable." ,
"12.5.0.sec" : "", "_PDM", " may terminate this Agreement with 60 days\u2019 notice to ", "_Patient", " and shall require acknowledgement from ", "_Patient", " within five (5) days of such notice to ensure ", "_Patient", " is aware of the impending termination. ", "_PDM", " shall provide ", "_Patient", " with the option to transfer ", "_PHR", " to another patient data manager, to be provided a copy of the ", "_PHR", " for ", "_Patient", "\u2019s personal storage, or to destroy the ", "_PHR", " data." ,
"12.5.1.sec" : "", "_PDM", " shall, to the best of its ability, confirm successful transfer of ", "_Patient", "\u2019s ", "_PHR", " to a new patient data manager, or the date, time, and method of destruction of ", "_Patient", "\u2019s ", "_PHR", " data and access logs, as applicable." ,
"12.6.sec" : "In the event of ", "_Patient", "\u2019s death, ", "_PDM", " shall follow the specific instructions ", "_Patient", " provided at initiation of the ", "_PHR", ". Data will be destroyed or donated to a data repository named by ", "_Patient", ". ", "_Patient", " may request a copy be provided to ", "_Patient", "\u2019s named beneficiary prior to disposition." ,
"12.7.sec" : "", "_Patient", " understands and acknowledges that ", "_PDM", " shall not keep a copy of ", "_Patient", "\u2019s ", "_PHR", " once an agreement has been terminated, the patient has selected the method of disposition or transfer of the ", "_PHR", ", and the ", "_PDM", " has successfully disposed of or transferred the data. In the event that ", "_PDM", " is the terminating party, ", "_Patient", " shall have one year from the date of termination to determine the method of disposition or transfer. If disposition or transfer does not occur within that year, ", "_PDM", " shall then destroy the data." ,
"13.Ti" : "Modifications to Terms of Agreement" ,
"13.1.sec" : "This Agreement may be updated or amended due to changes in law, regulations, policies, or for other reasons. Parties to this Agreement will be alerted to any such updates or amendments a minimum of 30 days prior to implementation." ,
"13.2.sec" : "Neither party shall assign this Agreement without the written consent of the other." ,
"_P1" : "Patient" ,
"_P2" : "PDM" ,
"FtNt.1.Xref" : "<sup><a href=\"#FtNt.1.sec\">1</a></sup>" ,
"Annex.Div" : "<b>Footnotes</b><ol><li>", "FtNt.1.sec", "</ol>" ,
"FtNt.1.sec" : "The HHS Office of Civil Rights provides further interpretive guidance regarding the use of the right of access to transmit ", "_PHI", " to third parties designated by the individual, including the use of an example of transferring ", "_PHI", " to an individual\u2019s mobile app on a smartphone (FAQ #2036, https://www.hhs.gov/hipaa/for-professionals/faq/2036/can-an-individual-through-the-hipaa-right/index.html), and provides further guidance that such requests may be provided on a standing basis to avoid having to repeat requests for access each time ", "_PHI", " is updated (FAQ #2070, https://www.hhs.gov/hipaa/for-professionals/faq/2070/may-a-covered-entity-accept-standing-requests/index.html)." ,
"_Patient" : "<a href='#Def.Patient.sec' class='definedterm'>Patient</a>" ,
"_PDM" : "<a href='#Def.PDM.sec' class='definedterm'>PDM</a>" ,
"_SDR" : "<a href='#Def.SDR.sec' class='definedterm'>SDR</a>" ,
"_PHR" : "<a href='#Def.PHR.sec' class='definedterm'>PHR</a>" ,
"_PHI" : "<a href='#Def.PHI.sec' class='definedterm'>PHI</a>" ,
}
}