Protecting patient privacy

Surescripts understands the importance of respecting the privacy and confidentiality of personal health information. Surescripts handles personal health information in connection with activities undertaken to fulfill our purpose to serve the nation through simpler, trusted health intelligence sharing, in order to increase patient safety, lower costs and improve the quality of care.

How Surescripts handles personal health information

Surescripts operates a network to allow for the secure and reliable movement of electronic clinical and prescription information between different healthcare providers and organizations while maintaining the meaning of the information being exchanged. Through the Surescripts network, authorized healthcare providers can gain access to clinical and prescription information for use in providing care to patients.

How the Surescripts network is used: Surescripts provides a number of services to healthcare providers that enable safer and more affordable prescriptions and provides them with actionable patient intelligence to make more informed care decisions. These services include Benefit Optimization, Medication History, Electronic Prescribing, Prior Authorization, Clinical History, Clinical Direct Messaging and Insights & Alerts.

• Benefit Optimization: Surescripts Benefit Optimization solutions allow healthcare providers to gain ready access to formulary and benefit information so they may make more informed clinical and prescription decisions. To provide this service, Surescripts works with pharmacy benefit managers (PBMs) and payers of healthcare services to offer healthcare providers access to their patients' drug benefit information in real time during office visits.
• Medication History: Surescripts Medication History solutions equip healthcare providers who care for patients with access to a patient's medication history across providers, as part of the medication reconciliation process at the point of care. To provide this service, Surescripts securely connects to a patient's medication history data stored in the databases of community pharmacies and pharmacy benefit managers. Surescripts then presents that data to healthcare providers through their certified software vendor. Surescripts requires that a healthcare providers obtain all necessary patient consents, including those required by all applicable federal and state laws and regulations, prior to electronically accessing a patient's medication history. Surescripts also permits patients to opt out of participating in the Medication History service; requests to opt out should be directed to the patient’s healthcare provider or to privacyofficer@surescripts.com.
• Electronic Prescribing: Surescripts E-Prescribing solutions allow healthcare providers to exchange prescription information electronically, for both new prescriptions and refills. Surescripts makes this service available by providing a secure and reliable connection between a prescriber’s electronic health record software and a pharmacy’s technology system.
• Clinical History: Surescripts Clinical History solutions allow healthcare providers to see where a patient may have previously received care and to retrieve certain clinical records from those locations for treatment-related purposes. When a provider requests information about a patient’s previous locations of care through Record Locator & Exchange, Surescripts uses its Master Patient Index to identify the patient’s previous care locations using Medication History data and E-Prescribing transactions previously sent via the Surescripts network. The requesting provider will receive a list of the patient’s past care locations and can then request records from those past care locations. Record Locator & Exchange can also facilitate the electronic retrieval of patient records from the past care locations on behalf of the requesting provider. Surescripts requires that the requesting provider obtain all necessary patient consents, including those required by all applicable federal and state laws and regulations, prior to requesting information through Record Locator & Exchange. Surescripts also permits patients to opt out of participating in the Record Locator & Exchange service; requests to opt out should be directed to the patient’s healthcare provider or to privacyofficer@surescripts.com.

Surescripts has, on limited occasions, at the request and with the authorization of connected Covered Entities, made data available to public health authorities and Institutional Review Board authorized researchers in accordance with applicable law.

How the Surescripts network is not used: Surescripts does not mine personal health information available via the Surescripts network, either for Surescripts' own purposes or for the purposes of third parties. Surescripts does not rent or sell personal health information available via the Surescripts network. Surescripts has taken steps to prevent third parties from using the system to influence physician prescribing decisions inappropriately. Similarly, Surescripts has implemented procedures designed to protect a patient's pharmacy choice. Physicians connecting to the Surescripts network will not receive commercial messaging (like advertisements from pharmaceutical companies or other third parties) at the point of care. All software applications certified to connect to the Surescripts network are required to abide by these rules, and only technology companies that agree with this philosophy are allowed to connect.

How Surescripts safeguards personal health information: Protecting the privacy and security of personal health information maintained, transmitted or otherwise made available via the Surescripts network is vitally important to us. We do so in accordance with applicable data protection laws, including HIPAA and strict privacy and security requirements in our contractual agreements with our Network Alliance partners. Surescripts has implemented appropriate privacy safeguards to prevent unlawful use or disclosure of personal health information. Surescripts has also implemented administrative, physical and technical security safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic personal health information that it receives, maintains or transmits. Examples of these safeguards include:

• Vendor certification process: Healthcare providers, pharmacies and PBMs may only connect to the Surescripts network if they use software or systems that have been certified by Surescripts. Surescripts works with technology vendors to certify their products for connection to the Surescripts network. This process ensures that a vendor can send and receive supported electronic messages and that the solution is providing open choice for medication selection and dispensing location. This process also ensures that the technology systems work in accordance with industry-accepted standards for the electronic exchange of prescription data between providers and pharmacies. Once a vendor completes the process, it is added to the list of certified vendors that Surescripts maintains and makes available to providers and pharmacies.
• Use of appropriate technologies: Surescripts and those who connect to the network use secure connections in accordance with applicable law and industry standards.
• Audits: Recurring security audits of the system are performed by independent auditing entities.

Certifications and accreditations: Surescripts is certified and accredited by a number of leading security and privacy organizations and standards, including HITRUST, and the Electronic Healthcare Network Accreditation Commission (EHNAC). These are nationally recognized organizations that provide independent peer evaluation of an organization's ability to perform at industry-established levels within the healthcare electronic network industry.

Additional Resources:

• Certifications and Accreditations
• Intelligence in Action

Contact us

If you have any questions, comments or concerns about Surescripts' handling of personal health information, please contact us at:

Chief Privacy Officer 
Surescripts, LLC;
2550 S Clark St
Arlington, VA 22202
703-921-2121
privacyofficer@surescripts.com

Chief Information Security Officer
Surescripts, LLC
900 2nd Avenue South
Minneapolis, MN 55402
651-855-3000
CISO@surescripts.com

**These phone and fax numbers are for general business purposes. Protected Health Information and sensitive information (e.g., DOB, SSN, medical information) SHOULD NOT be left on voicemail or sent to these fax numbers.**