Part 8, Chapter 23: Manual Exhibit 8-23-C
ALL Users of the Indian Health Service (IHS) Resource Patient and Management System (RPMS) Direct Messaging System must agree to the following terms and conditions for participation:
- Privacy Act Warning. The RPMS Direct registration and account setup requires collection of your personal information. The IHS will be unable to establish a RPMS Direct account without your personal information.
The IHS makes every effort to protect your privacy. For registration purposes: two (2) valid government picture IDs are required, and some demographic information may be collected in the system, such as your name, date of birth, credentials, zip code, and RPMS Direct username to provide you access to RPMS Direct. Collection of this information is subject to the Privacy Act of 1974, as amended [5 United States Code (U.S.C.) § 552a]. Only authorized persons may use your information contained in the RPMS Direct. Any unauthorized disclosure or misuse of your information may result in criminal and/or civil penalties. Any individual may file a civil action in a Federal District Court against IHS if the individual believes that IHS violated the Privacy Act.
For site management, information is collected for statistical and management purposes. RPMS Direct uses software programs to create anonymous, summary statistics, which are used for such purposes as assessing what RPMS Direct information and functions are useful to you and other users and identifying system performance or problem areas. For security purposes and to ensure that this service remains available to all users, IHS RPMS Direct employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. Except for authorized law enforcement investigations and required audits, no other attempts are made to identify individual users or to track an individual user's usage habits. Unauthorized attempts to upload information or change information on or from this system are strictly prohibited and may be punishable under Federal law.
- RPMS Direct Messaging. You may send and/or receive secure messages using the RPMS Direct through your RPMS Electronic Health Record (EHR) or RPMS Direct web system. RPMS Direct will only send and receive messages from trusted Direct accounts. Your RPMS Direct account shall be used to exchange health related information with other healthcare providers, patients, and/or patients' personal representatives only.
Message Agents will monitor and respond to messages on behalf of healthcare providers, patients, and patients' personal representatives as appropriate.
- Alternate Email Address (Non-Direct email address). The IHS RPMS Direct reserves the right to contact you via the alternate email address regarding important system or account information, major changes planned for RPMS Direct, or for other system-related needs. The RPMS Direct is not responsible for any consequences resulting from RPMS Direct emails being blocked by your Internet service provider, spam-blocking software, or similar.
- Security of Information. Security maintenance and administration is an essential element of RPMS Direct system operation and maintenance. RPMS Direct has several levels of security to protect your information. When you type in your message, RPMS Direct establishes a secure connection with your browser so information is encrypted or scrambled for transmission and storage. In addition, these security levels comply with the Privacy Act of 1974 as amended (5 U.S.C. § 552a); Health Insurance Portability and Accountability Act (HIPAA) of 1996 Public Law (Pub. L.) 104-191, Aug 21, 1996, 110 Stat. 1936; 45 Code of Federal Regulations, Parts 160 and 164; and (2) Health Information Technology for Economic and Clinical Health Act (Pub. L. 111-5, Feb 17, 2009).
- Secure Socket Layer/Transport Layer Security. The Secure Socket Layer/Transport Layer Security (SSL/TLS) is a security protocol, which provides a transmission level of encryption between the user's browser and RPMS Direct server machines. The SSL/TLS is a method for protecting RPMS Direct user's identification and password.
- Personal Responsibilities. As an RPMS Direct user, you must handle and respond to the information received in the RPMS Direct account timely and appropriately in accordance with healthcare industry standards of patient care and your local policies.
Based on your professional judgment, significant health information exchanges will be shared and incorporated into the patient's RPMS EHR record. You take full responsibility for disclosing information in this account to other individuals as needed.
- Registration and Log In. To meet Meaningful Use performance measures, and to send and receive secure messages to other healthcare providers, patients, and patients' personal representatives, registration is required. To access RPMS Direct, the IHS will require identity verification during registration and login.
- Password Protection. Your RPMS Direct account is password protected. You will have four (4) chances to enter the correct password before the system locks your account. You will need to contact your system administrator for assistance to unlock your account. Your password will expire every sixty (60) days. You shall not share your password with anyone and must exercise caution by securing your password. The IHS will never ask for your password.
- Logging Out. You must log out when you are finished accessing the password protected RPMS Direct. This prevents someone else from accessing your account if you leave or share the computer. If ten minutes of non-activity pass, the session will expire.
- Saving of Passwords by Browser on all Computers. Many internet browsers (such as Internet Explorer, Apple Safari, or Google Chrome) allow users to save their usernames and passwords. When prompted by a browser to save your RPMS Direct username and password, you must decline this option. Saving your username and password could potentially enable anyone to gain unauthorized access to your account and your patients' health information.
- Surveys, Questionnaires, and Polls. The IHS may use surveys, questionnaires, and polls to facilitate feedback and input from RPMS Direct users. When you respond to surveys, questionnaires, or polls related to RPMS Direct, this information is collected anonymously. This aggregated information is used only for statistical purposes. No surveys, questionnaires, or polls will ever ask you for your personal information or RPMS Direct password.
- Agreement and Disclaimers to RPMS Direct Messaging Terms and Conditions.
- General Disclaimer.
- RPMS Direct is a secure email system. It is available for the Indian Health System healthcare providers, patients, and patients' personal representatives to send and receive healthcare related information between its participants and other trusted Direct partners. The Indian Health System is made up of the IHS, which is a Federal agency, and participating Tribal/Urban programs. Your RPMS Direct account is dedicated solely for healthcare related communications and must not be used for any other purposes. All information resides on and transmits through protected Federal computer systems and networks.
- Use and disclosure of your information is limited, as required by Federal law. The IHS only uses the specified information you provide as agreed to in these Terms and Conditions. The IHS does not sell, trade, or rent users' personal information. The IHS reserves the right to perform statistical analyses and profiling of user behavior and characteristics to measure interest in and use of the various functions of the system. The IHS may at times share this aggregated information (i.e., anonymous statistical data) about our users within the Indian Health System for quality assurance audits and RPMS Direct administrative needs.
- The IHS acknowledges that privacy and security of your and your patients' information matters to you. The IHS has taken measures to provide appropriate levels of security to protect the information exchanged within the RPMS Direct. Certain information about your account may be shared with authorized personnel to administer RPMS Direct. The IHS protects the information you provide with security technology based on current computer industry standards, and applicable Federal guidelines.
- Medical Disclaimer.
- The RPMS Direct provides an additional method of communication between RPMS Direct users, patients, patients' personal representatives and other trusted partners. RPMS Direct does not replace face-to-face patient care communications. The information provided by RPMS Direct is to help you and patients with healthcare decisions. RPMS Direct is not used in the event of a medical emergency.
- The health-related information exchanged through the RPMS Direct is not part of the patients' RPMS EHR medical record unless incorporated into the RPMS EHR chart by the health care provider.
- Your Obligations.
- RPMS Direct is an IHS web system for Indian Health System participants to send and receive health-related information to other healthcare providers and to patients and/or their personal representatives. As a user, you must verify the Direct address of the recipient of your message. Your use of RPMS Direct means you understand, accept, and grant your consent to review and take action related to your system usage including, but not limited to monitoring, auditing, inspecting, investigating, restricting access, tracking, sharing with authorized personnel, or any other authorized actions by authorized Indian Health System and law enforcement personnel.
- Threats, attempts, or actions to modify this system, attempt to inappropriately share the data, deny access to the system, gain unauthorized access to data, breach system security, or otherwise damage the system or data contained within are strictly prohibited. These actions may result in criminal, civil, or administrative penalties resulting from violations of Federal laws including, but not limited to, 18 U.S.C. § 1030 (Fraud and Related Activity in Connection with Computers) and 18 U.S.C. § 2701 (Unlawful Access to Stored Communications).
- Printing, Saving, or Downloading Information. Documents containing Protected Health Information may only be viewed or stored on authorized, encrypted and secure devices, and must be deleted when no longer required. Storage of the data must comply with applicable Federal law, Federal regulations, including HIPAA, and organizational security, privacy and Health Information Management policies.
- Inactivating Your Account. To inactivate your RPMS Direct account, you must contact your supervisor and provide a written request. Be aware that once inactivated, information from the account becomes immediately inaccessible and cannot be retrieved by you.
- Agreement. By logging in to RPMS Direct, you acknowledge that you have read and agreed to all of the Terms and Conditions stated herein. You expressly acknowledge and agree to take actions as defined in your local policies and in accordance with the industry standards of patient care. Further, you expressly acknowledge and agree that representatives from the RPMS Direct and the IHS may contact you regarding surveys, questionnaires, and polls. Your participation in questionnaires and polls is voluntary and not required in order for you to access RPMS Direct.