Health Information Exchange (HIE) privacy policy

A health information exchange (HIE) is a network of organizations that let healthcare providers and other health organizations exchange information more easily. Under Maryland law, Surescripts is registered as an HIE because Surescripts’ Record Locator and Exchange (RLE) and Clinical Direct Messaging (CDM) products help providers and other healthcare organizations who use these products to access and share the health information that each maintains on an individual.

Participants in Surescripts’ HIE can access your demographic information and the medical information about you that is maintained by organizations that participate in Surescripts’ HIE. The medical information that may be accessed through Surescripts’ HIE may include your medical history, your diagnoses and illnesses, test results, a list of your medications, notes from your providers, and summaries of provider visits.

This health information could include sensitive information that receives additional protections under state and federal laws including:

• HIV/AIDS records
• Genetic Testing records
• Substance Use Disorder records
• Mental Health records
• Reproductive Health records

Surescripts requires that providers or organizations using Surescripts’ RLE and CDM services to get all consents or authorizations required by law from you before they share or access sensitive health information about you through Surescripts’ products. To ensure your sensitive health information is protected and only shared or used in ways permitted by law, Surescripts may also filter out certain information like national drug codes data associated with sensitive health information about you when accessed by certain authorized participants. Surescripts does not share your information with law enforcement unless it is legally compelled to do so by court order.

Participants in Surescripts’ HIE use your information to help make better treatment recommendations, improve care coordination between your providers, and coordinate payment for the care you receive.

With the exception of CDM services, Surescripts only stores basic demographic information, provided by healthcare providers, for purposes of patient matching and identification. All other information about you that is maintained by Surescripts is incidental to transmitting clinical information requested and responded to by providers or organizations using Surescripts’ RLE and CDM services. Surescripts does not use or disclose that information unless required to do so under applicable law.

Under federal and state laws, you have the following rights for your health information that is shared with Surescripts: 

• Request a list of who has shared, accessed or viewed your healthcare information through Surescripts. You may request a list of who has viewed or accessed your health information by submitting a request to one of your healthcare providers that participates in Surescripts’ HIE.
• Opt-out of having your information shared through Surescripts’s HIE.
• Be notified if there is a breach of your health information or if your information has been viewed by an unauthorized person.

See below for more information about each of these rights.

Surescripts complies with all state and federal privacy laws that apply to your data and requires providers or other organizations using Surescripts’ products and services to access or share your data to comply with all applicable laws. These laws include protections related to how your data may be used, who may access your data, and whether your consent is required before your data is disclosed. Surescripts also uses a variety of security measures to ensure your data is secure including systems checks and audits, system penetration testing, and advanced monitoring tools.

In the case of a breach of your personal health information, Surescripts will work to mitigate any damage caused by the breach and take steps to ensure a similar breach does not occur in the future. Additionally, Surescripts will provide written notice to individuals whose information was impacted by the breach and will notify law enforcement authorities as required by law.

To amend or obtain copies of the health information about you available through Surescripts, submit a request to your healthcare providers that participate in Surescripts’ HIE.

If you need your information in the event of an emergency, the procedures above still apply.

Yes. You can choose to opt-out of having your information shared or accessed through Surescripts’ Medical History and RLE products and services.

You may opt-out by submitting a completed and notarized opt-out form to Surescripts. You may obtain a copy of this form by emailing optout@surescripts.com. Return the form and any applicable supporting documentation to Surescripts’ Support at 2550 South Clark Street, Suite 1000, Arlington, VA 22202.  Once the opt out has been processed, we will follow up with confirmation directed to the Requestor as provided in Section 4 on the form within 10 business days of receipt.

You can also make a request to opt-out through one of your healthcare providers that uses Surescripts’ Medication History and Record Location and Exchange products. We note that if you opt out through one of your healthcare providers, your information may still be available through one of your other healthcare providers.

Surescripts does not have direct relationships or interactions with patients. We require completion of this document to verify the identity and authority of an individual requesting access and appropriately locate and identify you within our system for an accurate opt-out.

If you opt out, providers and other healthcare organizations can no longer request or share your health information through Surescripts’ Medication History and RLE products and services. This means that these organizations will not be able to share information with one another through Surescripts’ HIE network to make sure the care you are receiving is as informed as possible.

After opting out, providers will continue to be able to electronically send prescriptions.  Opting out means information we maintain will no longer be accessible through requests made for Medication History and Record Locator and Exchange through Surescripts.

Opting out will not remove the information that must be retained for audit and record retention purposes or that was already provided in response to previous requests (as we have no way of deleting information that was already sent).

Yes, contact Surescripts’ Opt-Out team at optout@surescripts.com if you would like to opt back in.