Introduction
The New York State Department of Health (NYSDOH) has developed the Health Commerce System (HCS) as a secure system for electronically collecting and distributing health related data among NYSDOH, health facilities/providers and public health response partners. The Health Commerce System acts as a conduit for real time exchange of confidential information including patient level data regarding chronic or communicable disease and other non-public material regarding naturally occurring or terrorist related disease outbreaks or environmental disasters leading to mass casualty and mortality and generally affecting the health of the population. Therefore there must be a clear understanding of how participant organizations and users must protect the use of HCS and specific, signed and notarized agreements are required before an organization and its staff may gain access to HCS resources and applications.
Security
Authorized HCS users can create their own user ID and password using our paperless process however, if user completed the paper process form they will be assigned a user ID, a Personal Identification Number (PIN), and a password by CAMU. These codes are unique for every user, must be saved securely for future reference. The PIN and password may not be shared with others. The consequences of sharing an HCS access account are severe, and can include revocation of the account. Multiple instances of violations that compromise the security of account usage may result in the inability of your organization to do business on the HCS.
Because HCS uses the ID and PIN codes to manage and control access to data, including confidential information, CAMU must be notified immediately at camu@health.ny.gov or 1-866-529-1890 if a user suspects that any of these confidential access codes may have been compromised.
The HCS has routines in place to prevent unauthorized access of HCS data. Users will not attempt to circumvent these routines.
For both security and performance reasons, all HCS user accesses is logged and/or monitored. Users, therefore, understand that these logs and monitoring sessions can trace their activities on the HCS and agree that their activities on the HCS may be logged and monitored.
Users must notify the HCS coordinator (HCSC) immediately about any change in their employment or duties that will affect authorized HCS access. To notify CAMU if the HCSC cannot be contacted, call 1-866-529-1890 or write camu@health.ny.gov.
User Access and Usage of Data
The HCS is a series of electronic data collection and distribution systems developed by various program areas within NYSDOH. The NYSDOH program area that is responsible for collection and maintenance of particular data shall authorize access to that data via the HCS. The same program area is also responsible for responding to questions about the data to which they authorize access. Employees/agents of Participant Organizations who have obtained information from the HCS shall not disclose this information to any other person unless that person is legally authorized to obtain and has official reason to see that information. Unauthorized disclosure may be a violation of law and subject the participant organization, its employees and/or its agents to fines, imprisonment or suspension or revocation of a professional license.
- Acceptable Use
- Acceptable use is use that is authorized by the New York State Department of Health and is consistent with public health functions and state law and regulations.
- Acceptable use is use that is authorized by the New York State Department of Health and is consistent with public health functions and state law and regulations.
- Unacceptable Use
- for any illegal or unauthorized purpose
- transmission of threatening, obscene, or harassing materials
- interference with or disrupt network users, services or equipment HCS Doc 2 v 4.0 080504 Confidential
- distribution of any advertising materials or products
- propagation of computer worm or viruses
- using the network to make unauthorized entry to other communication devices or resources
- using the network to infringe upon any copyright protections applicable to programs and/or data available on the HCS
- for personal profit, or gain
- advertising products or services
- for the distribution of Chain letters; or broadcasting messages to lists or individuals; or other types of use that causes congestion or otherwise interfere with the work of others
- for recreational activities
- intentional development of programs that harass and/or damage or alter the software components of a computer or computing system
The guidelines established with the policy are intended to be illustrative of the range of acceptable and unacceptable uses of the HCS and its facilities and are not exhaustive. Questions about specific uses not set forth in this policy should be directed by e-mail to camu@health.ny.gov. Instances of specific unacceptable uses must be reported by email to camu@health.ny.gov immediately.
Reason for Access
Users requesting access to the HCS must have a valid and acceptable reason for access. This typically involves a user satifying a state-mandated reporting activity on behalf of the organization, performing health activities such as assurance, surveillance, planning, preparedness, response, or serving a critical role at the organization that is associated with these activities and requires access to data or information as part of that role.
State entities and NYSDOH program areas are responsible for controlling access to their applications and data. They will review requests and act on them via their own protocols for access approval. It is therefore understood that granting of access requests to applications and data on the HCS is subject to state entities and NYSDOH program area approval and protocols.
Data Disclosure
Health data/information originating from the HCS is protected under state and federal confidentiality laws as well as NYSDOH policy/procedures. Employees or agents of HCS participant organizations who have acquired knowledge of personal or health data/information from the HCS shall not disclose this information to any other person, unless that person is authorized by the NYSDOH program area and has official reason to see that information.
Enforcement
Access to the HCS is a privilege. NYSDOH may direct a participating party to be replaced and/or reserves the right to revoke the use of HCS for individual(s) or the Organization's participation if violations of HCS data protection and security policies occur.
Unauthorized use, fraudulent use, unacceptable use, abuse of computing on network facilities, or unauthorized disclosure of information will lead to suspension of the user's account and/or referral for appropriate legal action. Legal consequences may include suspension or revocation of a professional license, fines and/or imprisonment.
Process for Organization and User Affiliation
JOINT ORGANIZATIONAL - USER ATTESTATION REQUIREMENTS
There are two joint organizational-user attestation requirements for HCS access and account creation: Organizational affiliation and Account establishment. These agreements bind the user and the co-signing participant organization to the policies they outline and establishes the organization as an HCS participant organization, establish HCS coordinators at each organization who administer HCS use for that organization, and also establish user accounts. By signing the agreement the HCS Coordinator indicates he or she understands and agrees on behalf of the HCS participant organization that:
Organizational Affiliation
In order for a prospective organization to utilize HCS resources, it must agree to require its employees, agents, and affiliates to comply with the terms and conditions of the Organizational Participant Organization agreement and its schedules and the Individual User account agreement and its schedules. The Participant Organization will be responsible for the actions of any of its employees/agents with regard to compliance with the HCS policies. It is absolutely forbidden for any employee/agent to share an HCS account or to use an account assigned to another HCS user. Absent an appropriate organizational response to account violations, user account privileges will be deleted upon a first offense.
The Participant Organization is required to designate at least one HCSC as the principal point of contact concerning HCS access. By definition, the HCSC must have the authority and responsibility within the Participating Organization for executing the roles and responsibilities for an HCSC delineated in the Participant Organization agreement. The HCSC will be personally accountable for execution of the responsibilities defined and will have the authority to bind the Participant Organization in matters relating to the HCS. The organization will be held responsible for actions of an HCSC who is remiss in these responsibilities. NYSDOH has empowered the HCSC role for management of Organization user accounts on the HCS. Upon execution of the Participant Organization document, the Director of the Participant Organization will be given an HCS account and also designated as an HCSC.
An affiliated Organization must name an HCS Security Coordinator who will be made personally accountable for execution of the HCS security protocols outlined in the Participant Organization agreement.
Establishing and Retaining Account Access.
Any prospective user has a valid affiliation with the Organization and the Coordinator has exercised due diligence in verifying this fact (e.g. checked with the Director of the Organization or user's Department Head);
the prospective user has valid need to access the HCS for this organization;
the Organization will enforce the terms and conditions of the affiliation and user account agreements as it applies to the user
the HCS Coordinator designated by the participant organization agrees to sponsor them as a user;
the Organization will be responsible for actions of this user in regard to their compliance with the HCS policies, at all times and places and under all conditions.
The user agrees to all the terms and conditions of the HCS account documentation and user agreement and agrees that he/she is bound by this agreement regardless of organization or location from which the HCS is accessed.The user's account will be deactivated should their need for access or their employment status with the co-signing organization change, and they have no other notarized HCS account documentation from another organization on file with NYSDOH.
Individuals requesting an account on the HCS must accurately complete Schedule 2.A in its entirety.
Duties of each user with an established HCS account include:
- adhering to the terms and conditions of this agreement in its entirety (including its schedules) regardless of the location from which the user accesses the HCS;
- assuring the PIN number and password of the HCS account are kept confidential in a secure place and are not shared with anyone;
- updating electronically the contact information recorded in the NYSDOH Communications Directory when necessary so that it is accurate at all times;
- maintaining the confidentiality of all data and information accessed on the HCS;
- accessing only that information on the HCS for which the user has been duly authorized;
- reporting any indications of fraudulent use, including being asked to use another's account to gain access to information not specifically authorized to yourself or by witnessing such an action from another user;
- contacting the HCS coordinator(s) at the HCS participant organization(s) for which they are to access the HCS at least 3 business days prior to any change in user's HCS responsibilities or in user's employment status affecting the standing of the account or notifying NYSDOH at 1-866-529-1890 if contacting the HCS coordinator is not possible.
Establishing User Organizational Affiliations
HCS Users may be employed by, or be affiliated with, multiple HCS Participant Organizations if they are engaged in activities in which they access the HCS on behalf of multiple HCS Participant Organizations. Under these circumstances they must establish an affiliation with those additional HCS Participant organizations on the HCS. This can be achieved through the HCS coordinator approval process.
- They can execute a separate account document for each HCS Participant Organization through the standard HCS coordinator approval process, including notarization. This is the preferred practice, as it preserves their account in the event they leave employment of one organization.