Code of Massachusetts Regulations
101 CMR - EXECUTIVE OFFICE FOR HEALTH AND HUMAN SERVICES
Title 101 CMR 20.00 - Health Information Exchange
Section 20.11 - Statewide Event Notification Service Framework

Universal Citation: 101 MA Code of Regs 101.20

Current through Register 1531, September 27, 2024

(1) General. The statewide event notification service framework is a HIway-facilitated service composed of EOHHS-certified ENS vendors. Certified ENS vendors must:

(a) collect ADT feeds from required submitters;

(b) reflect ADT feeds to all other certified ENS vendors;

(c) conduct a patient matching process with the ADT feeds; and

(d) produce notifications to their respective ENS subscribers in a secure method that protects patient privacy in accordance with applicable state and federal law.

(2) ENS Certification Process. EOHHS sets reasonable objective criteria, including applicable privacy and security standards for certified ENS vendors. The certification will be for a term as specified in the certification process but in no event for more than three years, at which time the term may be renewed upon successful recertification.

(3) Reflect ADTs. A certified ENS vendor must reflect ADTs to all other certified ENS vendors for the purposes of treatment or care coordination by ENS recipients.

(a) Certified ENS vendors must match all inbound reflected ADTs using their patient matching process to determine positive or negative matches.

(b) All inbound reflected ADTs that achieve a positive result in the patient matching process must be routed to the appropriate ENS recipients in accordance with the contract between the ENS vendor and ENS recipient.

(c) All inbound reflected ADTs that achieve a negative result in the patient matching process must be destroyed in accordance with the requirements of the certification process; however, a record of the transaction must be kept, as required, to meet minimal audit standards and retention periods for audit purposes consistent with 45 CFR § 164.312(b). Certified ENS vendors must keep a log of inbound reflected ADTs in auditable information.

(4) Data Security. Data shall be transmitted and held in accordance with industry-accepted practices, which at a minimum shall include the Health Insurance Portability and Accountability Act (HIPAA) Rules, and any other requirements EOHHS may deem necessary for certification.

(5) Audit Rights. EOHHS retains the right to conduct data integrity, privacy, and security audits of certified ENS vendors to comply with the framework of 101 CMR 20.12. EOHHS, upon finding unauthorized access or disclosure of data, may suspend the certification until corrective action is taken, and/or rescind the certification.

Disclaimer: These regulations may not be the most recent version. Massachusetts may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.