SubTitle20-614-1_20-614-6. Electronic Data Intermediaries  

(1) "Commission" means the Commission of Pharmacy;

(2) "Department" means the Department of Consumer Protection; and

(3) "Electronic data intermediary" means "electronic data intermediary" as defined by section 20-614 of the Connecticut General Statutes.

(a) Each electronic data intermediary shall file an application for approval of its system with the commission on a form prescribed by the department. The form shall include but not be limited to the following information:

(1) the name and address of the applicant; and

(2) the business status of the applicant (sole proprietorship, partnership, corporation, limited liability company, etc.); and

(3) a description of the type of electronic data intermediary system to be used that describes:

(A) the security safeguards;

(B) the retention and retrieval capabilities of the system; and

(C) the safeguards designed to protect patient confidentiality.

(b) The commission, in its discretion, may require the applicant to provide a protocol that describes in detail the applicant's intended plan of operation. No applicant may change its protocol without review by the commission and approval by the department.

(c) The department shall approve any application filed by electronic data intermediaries that the commission has reviewed and accepted as being in compliance with the provisions of sections 20-614-3 though 20-614-6, inclusive, of the Regulations of Connecticut State Agencies.

Each electronic data intermediary system shall have security and system safeguards designed to prevent and detect unauthorized access, modification, or manipulation of prescription information in accordance with current electronic transmission standards. Each system established by an electronic data intermediary shall include procedures to:

(1) select and execute security measures;

(2) establish physical safeguards to protect computer systems and other pertinent equipment from intrusion;

(3) protect and control confidential patient information;

(4) prevent unauthorized access to the data when transmitted over communication networks or when data physically moves from one location to another using media such as magnetic tape, removable drives, CD media or any other means of data storage; and

(5) authenticate the sender's authority and credentials to transmit a prescription.

Each system established by an electronic data intermediary shall provide an audit trail of all prescriptions electronically transmitted that documents for retrieval all actions and persons who have acted on a prescription, including the authorized delegation of a transmission. Such audit trail shall be maintained for three years from the date of last activity and made available for review by investigators of the department.

Each electronic data intermediary system shall maintain the confidentiality of patient information in accordance with any applicable federal or state statute or regulation, including but not limited to 45 C.F.R. Part 160 and Part 164. Each electronic data intermediary system shall establish mechanisms in accordance with current electronic transmission standards that contain:

(1) encryption technology to maintain security;

(2) controls on employee access;

(3) protections against unauthorized access by outsiders;

(4) procedures for the permanent deletion of patient information.

No electronic data intermediary shall restrict a patient's access to the patient's pharmacy of choice.