Section 2080.207  EHR Integration with the PMP


a)         EHR systems are required to be integrated via PMPnow through a one-to-one secure link from the EHR to the PMP servers to allow information to return from the PMP servers to the Requester directly.


1)         The connecting entity must maintain both an electronic and physical safeguard of the information.


2)         Security failures or misuse will be handled as any other violation of the Health Insurance Portability and Accountability Act (HIPAA) (42 USC 1320 et seq.).


3)         A list of providers and locations served by the EHR system must be provided to the PMP on a semi-annual basis and:


A)        Shall contain the following information:


i)          Location name;


ii)         Address;


iii)        City;


iv)        State;


v)         Zip code;


vi)        Contact at facility;


vii)       Facility contact email address;


viii)      Health care provider name (first and last);


ix)        Health care provider DEA;


x)         Health care provider NPI (National Provider Identifier); and


xi)        Health care provider license number.


B)        Shall be sent to the PMP in one of the following electronic formats:


i)          Excel (.xlsx or .xls); or


ii)         Comma separated values (.csv).


4)         When requested, the entity must provide an audit of the user that performed the search, the patient information that was searched on, and the date and time of the search.


b)         Electronic integration shall be done using the following process:


1)         The entity shall either email dhs.pmp@illinois.gov to request the PMPnow integration or request that the EHR vendor provide PMPnow integration to the vendor's Requesters as a function of its general software configuration.


2)         The entity shall determine its feasibility for connectivity to the PMPnow service.  PMPnow supports the following connectivity options, one of which must be used by the connecting entity:


A)        A SOAP-based web service that uses a PMIX-based protocol;


B)        A RESTful-based web service that uses the NCPDP protocol;


C)        A RESTful-based web service that uses a PMIX-based protocol;


D)        Fast Healthcare Interoperability Resources (FHIR);


E)        Access to PMP through a verified RxCheck connection; or


F)         The use of a PMP authorized/funded integration application.


3)         Following successful testing, the connection is ready to be activated.  PMP will activate the production environment for the entity's use in exchanging transactions.


c)         Data Uses and Retention


1)         Data passed directly from the PMP to the EHR authenticated Requester shall not be:


A)        Unencrypted in transit;


B)        Analyzed;


C)        Data mined or scrapped;


D)        Deconstructed; or


E)        Used for other collection of individual data points.


2)         An EHR authenticated Requester is an individual granted a username and password by the facility/location for which the EHR is utilized for patient care.


3)         With permission from the PMP, electronic messaging to authenticate that the Requester performed a qualified search of the PMP may be returned to the EHR for documentation of the query.


4)         Data sets displayed through the ILPMP extend beyond controlled substances and shall not be distributed or accessed without authorized permission.


d)         The Department may impose a civil fine of $50 per user per month on any facility and/or EHR vendor that willfully fails to comply with statutory integration requirements as reflected in this Section.  Assessment of the fine may begin on January 1, 2022, one year after the statutory requirement took effect on January 1, 2021, and shall remain in effect until the facility completes the EHR integration process.  Fines shall be payable to the Prescription Monitoring Program.


e)         Injury and Accident Notifications.  Medical facilities that are connecting entities shall send the PMP real-time, patient information related to injuries and accidents based upon diagnosis codes set forth by the PMP.  Data received from medical facilities will be displayed on the PMP website (www.ilpmp.org) and PMPnow integration tool.  Medical facilities must follow PMP technical standards.


f)         A one-to-one secure link (see subsection (a)) connects the provider and the PMP through an EHR.  An EHR system may provide this connection.  An EHR may, alternatively, designate a Health IT Module that is an integrated component of that EHR to provide that connection when the following requirements are met:


1)         The Health IT Module connection shall ensure that the Requester has access to the PMP data at any point in the Requester's workflow.


2)         The MME calculations shall remain consistent with the presentation of this information when provided by the PMP directly through an EHR vendor.


3)         Attestation to the existence of a legal agreement between the EHR vendor and the Health IT Module vendor and attestation that the Health IT Module serves as an integrated component of the EHR when using a Health IT Module access method.


4)         The Health IT Module connection must meet the security requirements for electronic health record systems set forth by the Office of the National Coordinator for Health Information Technology (ONC).


5)         The Health IT Module must be certified by the ONC or an ONC-Authorized Certification Body (ONC-ACB).  Certification must be published on the ONC's Certified Health IT Product List.  PMP reserves the right to terminate the connection points if the vendor/product is decertified by an ONC-ACB.


(Source:  Added at 45 Ill. Reg. 8351, effective June 24, 2021)