Data Sharing at DPH

DPH partners with many healthcare providers, community partners, vendors, and researchers to deliver the best care possible to its patients. In order to share DPH data with outside entities, certain legal agreements need to be in place.

On this page you can:

  • Learn when a Business Associate Agreement is needed when contracting for services.
  • Learn when a System Access Agreement is needed when contracting for services, or when a contractor/provider needs EPIC access.
  • Find links to:
    • Requesting EPIC CareLink access.
    • Requesting research data.
    • Publishing data to the public.
    • Requesting IT standards exception requests. 

Business Associate Agreements

What is a Business Associate Agreement (BAA)?

  • A BAA is an agreement that is attached to DPH contracts with entities that perform services for DPH which involve using, creating, receiving, or storing protected health information (PHI).  These entities are known as "business associates."  In order to legally share the information with the contract entity, the contract must include a BAA.  

 

When do I need a BAA?

  • Anytime DPH contracts with vendor that will use, store, or create PHI on DPH's behalf, the contract must include a BAA.  

 

How do I get a BAA?

  • The first step is to contact the Contracts Office.  
  • A DPH "business sponsor" (the person pursuing the contract with the vendor) will work with the DPH Contracts Office during the contracting process to include a BAA to any contract with an entity using PHI to perform the service. 
  • BAAs are negotiated during the contracting process with input from the City Attorney's Office, OCPA, and Contracts. 

 

How do I determine if I need a BAA?

  • Use the BAA Decision Tree to help determine if a BAA will be required with the vendor or outside entity.

 

System Access Agreements

What is a System Access Agreement (SAA)?

  • A SAA is an agreement that permits an outside entity to directly access a DPH electronic system, such as our electronic medical record.

 

When do I need a SAA?

  • Anytime an entity or person outside of DPH wants access to any DPH electronic system, a SAA must be in place between DPH and the other party before access to DPH systems can be granted.  This includes access to EPIC Carelink.

 

How do I get a SAA?

  • The first step is to contact the Contracts Office. 
  • A DPH "business sponsor" (the person who wants that outside entity or person to have access) will work with DPH contracts to establish the SAA.  Some contracts will include a SAA as part of the contracting process. 
  • Some requests will only require a "stand alone" SAA. 

 

I only want EPIC Carelink Access, do I still need to sign a SAA?

  • Yes. Anyone who wants access to EPIC Carelink will need to have a valid SAA in place.  The steps to request EPIC Carelink can be found here.  
最後更新 February 1, 2024