At a Glance
Release Package:
2015 Priority List
Requirement ID:
Req-2007
Title:
Incorporate and adhere to local and national laws in regards to patient EHR access
Description:
The system shall provide the ability to apply age-based triggers for Pediatric Patient Portal access to comply with varying Federal, State, and local laws.
• As an example, it is expected that the system will comply with the Children’s Online Privacy Protection Act.
• The vendor shall identify the States and localities for which the system complies.
• Recommended implementation of this requirement includes line item segmentation of conditions and treatments to allow separation of access between the patient and the parent/guardian.
Requirement Type:
Normative Statement
Shall/Should/May:
SHALL
Critical/Core:
Yes
Status:
Released
Implementation Notes:
A system must be able to support end users in configuring access to a minor patient’s personal health data through a patient portal in a manner that complies with Federal, State, and local laws. The system is not expected to comply with every variation in State and local law across States, but to provide the ability to configure the proposed functionality to adjust to local mandates. Age-based triggers should support the provider in that compliance. For instance, to support compliance with the Federal Children’s Online Privacy Protection Act, the system should trigger a request for parent/guardian permission before collecting personal information online from a minor patient who is younger than 13 years old. Systems should also support setting age-based triggers that reflect providers’ own criteria around portal access. If a system supports the application of relevant State and local laws through age-based triggers, the vendor should identify which States and localities are supported.
Importantly, to support the exposure of information through the portal in a manner that complies with relevant laws, the system should enable the selection of data or portions of the record for separation of access as between the minor patient and the parent/guardian based on localized legal requirements. See Requirement 2041 for further detail on data segmentation.