Kentucky Board of Emergency Medical Services: kstars-data-use-policy.docx

KSTARS Data Use Policy

1.1 PURPOSE:

The purpose of this reference document is to present the Kentucky State Ambulance Reporting System (KSTARS) End User Security Policy and its associated procedures. All prospective users of the KSTARS system must agree to the End User Security Policy upon access to the system.

Additional documentation material may be referenced throughout this document and is available as supplemental reference material.

1.2 DEFINITIONS:

KBEMS: The Kentucky Board of Emergency Medical Services

Agency Administrator: Refers to the EMS agency administrator or hospital administrator

Data Administrator: The Data Administrator of KBEMS

Data Management Committee: The appointed committee of KBEMS whose role it is to develop a statewide plan for data collection and compliance, identify information initiatives and research funding sources tied to EMS data collection, as well as provide direction in the development of operational guidelines, policies, and procedures.

Data Recipients: Those persons or organizations that have requested access to, and use of, the data contained in the KSTARS system; this includes registered KSTARS users.

Deidentified: Refers to the masking or removal of personally identifiable information such as names, social security numbers, and street addresses; each record will contain a unique identifier to maintain data quality.

EMS Community: This refers to individuals as well as local, state, and national organizations associated with the delivery of emergency medical services. This can include paramedics, emergency medical technicians, educators, medical directors, or EMS agencies and their leadership staff.

EMS Provider: An EMS agency licensed by KBEMS.

EMS: Emergency Medical Services

KSTARS XSD: The Extensible Markup Language (XML) Schema Definition used to send end user data to KSTARS.


KSTARS: The database, maintained by the Kentucky Board of EMS, that houses patient care and service delivery data submitted by EMS Providers in Kentucky.

ePCR: Electronic Patient Care Reports (ePCR) are electronic records detailing the provision of emergency medical service by local EMS provider agencies as required by this agreement.

Extract: Refers to a file extracted from either the EMS Providers or the KSTARS database containing patient care and service delivery information; this is the XML file that will be submitted by EMS Providers monthly and also submitted by KBEMS to the NEMSIS National Database; all extracts are considered to contain sensitive, confidential, or otherwise protected data and must be secured appropriately.

EMS Agency Supervisor: Staff at EMS agencies designated to submit data files to KSTARS, request account creations, password resets, and/or other utility and administrative functions.

Hospital Supervisor: Staff at hospitals designated to access KSTARS, request account creations, password resets, and/or other utility and administrative functions.

NEMSIS: The National EMS Information System (the national database housing EMS patient care and service delivery data from all states and territories in the US).

Third Party: Refers to any organization or entity not a part and outside of the two organizations entering into this data sharing agreement.


1.3 USER PERMISSION GROUPS:

Administrator: This is the highest level of access and clearance. This access level has full permission to all aspects of the State Bridge.

KBEMS Staff: This level of access is given to the Kentucky Board of EMS office staff.

EMS Agency Administrator: This group is given access to the EMS agency they represent. They have full rights and permissions to access and edit any data used or collected by their EMS service.

Medical Director: This group is given access to view ePCRs for the service they represent.

EMS Agency Supervisor: This group is given access to view ePCRs for the service they represent.

EMS Responder: This group is the EMS agency end user or person completing an ePCR. This is typically EMTs and Paramedics. This group has the ability to complete and edit ePCRs for EMS calls on which they performed patient care.

Hospital Administrator: This group can add or delete users from hospital access, as well as view ePCRs for incoming patients and inpatient admissions.

Hospital Staff: This group is given access to view ePCRs for incoming patients and inpatient admissions.

Third Party Billing: This access level is given for viewing and extraction of information for billing purposes, and also allows for importing from third party software.


2.1 END USER SECURITY POLICY

2.2 Protected Health Information

Electronic Protected Health Information (ePHI) as defined by HIPAA is securely transmitted to the KSTARS system from provider agencies across the state. However, this ePHI, which contains personally identifiable information on patients, is not accessible by unauthorized users and will not be displayed on reports that are generated.

2.3 Confidentiality

In addition to protected patient information, KSTARS also contains confidential information about Kentucky’s EMS system and the delivery of services by local provider agencies. The information contained within the system and its reports is intended for use by Kentucky’s local and state EMS agencies. However, local EMS agencies are free to distribute any information regarding their particular agency.

KSTARS exists for statewide and national EMS data analysis. Information provided by Kentucky EMS agencies and other sources will be collected and queried for the purpose of statewide quality improvement. All requests for data must be routed to the KBEMS data administrator.

3.1 KSTARS SECURITY

3.2 Data Structure

The KSTARS system, and access to its data, will be structured in such a way to allow access only to authenticated users and only at authorized permission levels. The KSTARS web site will be secured with minimum SSL 128-bit encryption.

All personally identifiable patient information will be secured in a separate database schema. No unauthorized end user may access the secured patient data. Much of the data and reports in the system will be aggregated (grouped / summed / sorted) rather than displayed at the record level. It is not the focus of the KSTARS system and statewide database to provide search or display capabilities for individual incidents or patients.

3.3 Authentication


The KSTARS system employs a dual authentication mechanism to grant access to the system. All accounts are created with a personal username and password, and permissions for that user account are given based on the user’s permission level.

The KBEMS Data Administrator, an EMS agency administrator, or a hospital administrator are the only users who may assign new user accounts or modify existing accounts within an agency.

Accounts are “locked out” after six (6) unsuccessful login attempts. Only a user in the permission group “EMS Agency Administrator” is allowed to “unlock” an account. Accounts may also be “locked” manually by an “EMS Agency Administrator” or the KBEMS Data Administrator.

In the event of a lost or compromised password, only an agency’s administrator may contact the System Administrator to request a reset. KSTARS users who are not EMS providers licensed/certified with KBEMS (i.e. Medical Directors, or hospital users who are not EMRs, EMTs, or Paramedics) should access the KSTARS login page, click the “Request Access” button, and provide the required information.

3.4 Authorization

The KSTARS system employs role-based access control to assign permissions to groups of users. The profile to which an end user is assigned is determined by the agency administrator or the KBEMS Data Administrator.

3.5 Traceability

KSTARS logs all actions and transactions. This information is used to provide auditability and traceability for the KSTARS application.
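The lockout rule in section 3.3, the role-gated unlock and manual-lock rules that follow it, and the audit-log requirement in section 3.5 can be modelled together in a few dozen lines. The block below is an added illustration written for this page; it is not KSTARS code and does not describe how the real system is implemented. It assumes the permission-group names from section 1.3 are used as role strings, adds an assumed role label "KBEMS Data Administrator" for the Data Administrator named in the definitions, and uses a salted PBKDF2 password hash and the `demo()` helper purely as constructed sample data.

```python
"""Model of KSTARS-style account lockout, role-gated unlock and audit logging.

Added example for illustration only: not the KSTARS implementation. Role names
follow section 1.3 of the policy; "KBEMS Data Administrator" is an assumed label.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Section 3.3: accounts are locked out after six unsuccessful login attempts.
LOCKOUT_THRESHOLD = 6

# Section 3.3: only an EMS Agency Administrator may unlock; an EMS Agency
# Administrator or the KBEMS Data Administrator may lock an account manually.
UNLOCK_ROLES = {"EMS Agency Administrator"}
MANUAL_LOCK_ROLES = {"EMS Agency Administrator", "KBEMS Data Administrator"}


@dataclass
class Account:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with an illustrative iteration count (an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class KstarsAuthModel:
    """Hypothetical account store with lockout, RBAC-gated admin actions and an audit log."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Section 3.5: every action is recorded as (actor, action, target, outcome).
        self.audit_log: list[tuple[str, str, str, str]] = []

    def _log(self, actor: str, action: str, target: str, outcome: str) -> None:
        self.audit_log.append((actor, action, target, outcome))

    def add_account(self, username: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, role, salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            self._log(username, "login", username, "unknown-user")
            return False
        if acct.locked:
            # A locked account is refused even with the correct password.
            self._log(username, "login", username, "denied-locked")
            return False
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0  # a successful login resets the counter
            self._log(username, "login", username, "success")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
            self._log(username, "login", username, "failed-locked-out")
        else:
            self._log(username, "login", username, "failed")
        return False

    def _authorized(self, actor: str, allowed: set[str], action: str, target: str) -> bool:
        # Section 3.4: the action is permitted only if the actor's role is in the allowed set.
        acct = self.accounts.get(actor)
        if acct is None or acct.role not in allowed or target not in self.accounts:
            self._log(actor, action, target, "denied")
            return False
        return True

    def unlock(self, actor: str, target: str) -> bool:
        if not self._authorized(actor, UNLOCK_ROLES, "unlock", target):
            return False
        self.accounts[target].locked = False
        self.accounts[target].failed_attempts = 0
        self._log(actor, "unlock", target, "success")
        return True

    def lock(self, actor: str, target: str) -> bool:
        if not self._authorized(actor, MANUAL_LOCK_ROLES, "lock", target):
            return False
        self.accounts[target].locked = True
        self._log(actor, "lock", target, "success")
        return True


def demo() -> KstarsAuthModel:
    """Constructed sample data: one responder hits the lockout threshold."""
    m = KstarsAuthModel()
    m.add_account("medic1", "correct horse", "EMS Responder")
    m.add_account("admin1", "agency admin pw", "EMS Agency Administrator")
    m.add_account("staff1", "staff pw", "KBEMS Staff")
    m.add_account("dataadmin", "data admin pw", "KBEMS Data Administrator")
    for _ in range(LOCKOUT_THRESHOLD):
        m.login("medic1", "wrong")
    return m
```

Running `demo()` leaves `medic1` locked after the sixth failure; a KBEMS Staff account or the user themselves cannot unlock it, the EMS Agency Administrator can, and every attempt, whether denied or successful, lands in `audit_log`, which is the traceability property section 3.5 asks for.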

As the KSTARS system contains confidential and/or exempt information on both patients and provider agencies, any unauthorized access to the system or its assets will be reported to the proper authorities and may result in civil or criminal penalties.


3.6 User Responsibilities

The following guidelines must be adhered to by all end users who are authorized to access the KSTARS system and its reporting resources.

3.6.1 Password Protection

It is the responsibility of all end users to take reasonable steps to safeguard their passwords. User passwords must not be shared with any other persons including other users. A user may not offer to allow another user access to the system by using their username and/or password. Sharing of account information is prohibited. Failure to follow these guidelines may result in loss of KSTARS privileges.

3.6.2 Access Locations

It is the responsibility of all end users to access the secure portion of the KSTARS system from approved computers. ACCESS FROM UNAUTHORIZED COMPUTERS IS PROHIBITED (authorization is determined by the EMS Agency).

3.6.3 Maintaining Confidentiality

It is the responsibility of all end users to ensure that confidential information remains protected and is not distributed to or shared inappropriately. Please refer to the Confidentiality section for a complete explanation of what is, and is not, permitted.

End users who inadvertently encounter unauthorized Protected Health Information (PHI), such as personally identifiable data, must report this to the KBEMS Data Administrator. End users shall not attempt to use the KSTARS data or reports to track or link an individual’s data, determine real or likely identities, gain information about an individual, or contact an individual.

End users shall not use or further disclose the KSTARS data or reports except as permitted. Provider agencies shall establish appropriate administrative, technical, and physical safeguards to protect the confidentiality of and to prevent unauthorized use or access to the KSTARS data or reports.


End users shall not release, or allow the release of, the KSTARS data or reports to any persons or entities other than as permitted and described in the Confidentiality section. Furthermore, where release of KSTARS data or reports is permitted, end users shall instruct individuals, to which the KSTARS data or reports are disclosed, of all obligations for their protection and shall require the individuals to maintain those obligations.

End users shall secure the KSTARS data or reports when they are not under the direct and immediate control of an authorized individual performing the functions.

3.6.4 Reporting Unauthorized Access

End users shall make a good faith effort to identify any misuse or unauthorized disclosure of the KSTARS data or reports. End users shall notify the KBEMS Data Administrator within twenty-four (24) hours of discovery. Furthermore, any end user who observes, or is made aware of, any unauthorized person attempting to access the KSTARS system and its assets must report the violation to the KBEMS Data Administrator.

3.6.5 Penalties

End users acknowledge that failure to abide by the terms of the End User Security Policy may subject them to penalties for wrongful disclosure of protected health information under federal law. End users shall inform all persons with authorized access to the specified KSTARS data or reports of the penalties for wrongful disclosure of protected health information.

_____________________________________________________________________________________

The security and protection of patient and EMS provider information is of the highest importance to the KSTARS program. Accordingly, each registered KSTARS user must agree to follow the terms and conditions of the KSTARS End User Security Policy. As part of the “New Account” process, agency administrators must supply each new end user with a copy of the Security Policy. Agency administrators should answer any questions the end user may have regarding the policy. If the agency administrator is unable to answer a specific question, they may contact the KBEMS Data Administrator for clarification.

_____________________________________________________________________________________