Overview
This Trusted Exchange Framework and Common Agreement (TEFCA) network privacy policy (Privacy Policy)[1] is intended to inform you about how Surescripts Health Information Network, LLC™ (Surescripts Health Information Network) transfers, uses, or stores information that flows through its network* under TEFCA. Surescripts Health Information Network may update this Privacy Policy at any time, and future updates to the Privacy Policy will be effective as soon as they are posted. If you are interested, you should check back from time to time and make sure that you have reviewed the most current version of this Privacy Policy.
You can find more information about TEFCA and the terms that govern the exchange of health information on the TEFCA network on the Sequoia Project website. Any terms used but not defined in this Privacy Policy have the meanings given to them in the Common Agreement for Nationwide Health Information Interoperability version 1.1 (Common Agreement).
*Note that Surescripts HIN has applied to be a Qualified Health Information Network under TEFCA.
Information Transferred through the Network
The network will be used to exchange TEFCA Information (TI) (as that term is defined in the Common Agreement) between pharmacies, healthcare organizations and other entities. The data transferred includes protected health information (PHI) and other information requested by the entities requesting the data exchange.
Surescripts Health Information Network maintains and supports the network; however, Surescripts HIN does not own the data that flows through it. If you have concerns about your data being exchanged via the network, please contact your healthcare organization to discuss your concerns.
Information Stored by the Network
If necessary for troubleshooting, Surescripts Health Information Network may temporarily configure the systems of the network to capture data regarding transactions processed by the network, which may include both the personal data from network end users and PHI that flows through the network.
Information That You Give Surescripts HIN
You can contact Surescripts Health Information Network about the network through our online form (www.surescripts.com/qhin), and we may keep a record of your communication to help answer or resolve the matter you contacted us about. You can decide how much information you want to share with us in those cases.
Network Hosting Infrastructure
The network is hosted both on Surescripts, LLC (“Surescripts”) owned and managed servers and Google Cloud servers managed by Surescripts. This network environment hosts all transactions and the resulting audit logs. Data moving through the network environment is encrypted following industry best practices. Data stored in the network environment is also encrypted following industry best practices.
How Do We Use Your Information, and Who Can Access It?
Information, including PHI, that flows through the network is not stored, disclosed, or used by Surescripts Health Information Network other than for purposes of facilitating health information exchange between Participants and Subparticipants of the network and supporting those exchange activities. This information is exchanged between entities that use the network, as is required by TEFCA. Surescripts Health Information Network and Surescripts staff may have incidental access to the information that flows through the network for troubleshooting purposes.
Additionally, if you contact us about the network, any information you share via email or other method of contact may be shared between staff from Surescripts Health Information Network, Surescripts, TEFCA’s Recognized Coordinating Entity, and the Department of Health and Human Services Office of the National Coordinator for Health Information Technology as needed to respond to your inquiry.
How Long Does Surescripts Health Information Network Keep Your Information?
Information that flows through the network is passed through to the entities involved in the data exchange. Detailed logs collected for troubleshooting purposes or an issue investigation may be retained for up to three years.
Any information provided by you when you contact Surescripts Health Information Network or Surescripts may be retained for as long as required to resolve the issue about which you contacted us.
How We Protect Your Information
We use a combination of process, technology, and physical security controls to help protect your information from unauthorized access, use, or disclosure. While we use these precautions to safeguard your information, we cannot guarantee the security of the networks, systems, servers, devices, and databases we operate or that are operated on our behalf.
When your information flows through the network or is stored in a log for troubleshooting purposes, that information is encrypted and transmitted using industry-standard encryption algorithms. Surescripts Health Information Network and Surescripts have internal policies and processes directed toward limiting access to your information to personnel, agents, consultants, and contractors who need to know such data to perform their jobs and develop or improve the network, our websites, products, and services.
Your State Privacy Rights
If you are a California resident, you can learn more about your California privacy rights by reviewing this California privacy notice.
If you are a resident of Colorado, Virginia, Utah, or Connecticut, you can learn more about your rights under your respective state privacy laws by reviewing this additional privacy notice.
Contact Surescripts Health Information Network about this Privacy Policy
If you have questions about your health information that is transferred via the network by a pharmacy, healthcare organization, or other entity using the network software, please reach out to your pharmacy, healthcare organization, or other entity transmitting your health information through the network using the contact information in their privacy policy.
If you have questions or concerns about this Privacy Policy, please contact us at 1-888-926-3776 or privacyoffice@surescripts.com. In any correspondence, please include the website or reason that led you to contact us.
[1] This TEFCA Privacy Notice represents a framework and the general content for the privacy notice that will be published by Surescripts Health Information Network consistent with the requirements of the Common Agreement. Surescripts HIN anticipates refining and potentially modifying this notice prior to publication.