The following requirements apply to QHINs that offer Individual Access Services:

(a) A QHIN must obtain express consent from any individual before providing Individual Access Services.

(b) A QHIN must make publicly available a privacy and security notice that meets minimum TEFCA standards.

(c) A QHIN, that is the IAS provider for an Individual, must delete the individual's Individually Identifiable Information maintained by the QHIN upon request by the individual except as prohibited by Applicable Law or where such information is contained in audit logs.

(d) A QHIN must permit any Individual to export in a computable format all of the Individual's Individually Identifiable Information maintained by the QHIN as an Individual Access Services provider.

(e) All Individually Identifiable Information the QHIN maintains must satisfy the following criteria:

(1) All Individually Identifiable Information must be encrypted.

(2) Without unreasonable delay and in no case later than sixty (60) calendar days following discovery of the unauthorized acquisition, access, Disclosure, or Use of Individually Identifiable Information, the QHIN must notify in plain language each Individual whose Individually Identifiable Information has been or is reasonably believed to have been affected by unauthorized acquisition, access, Disclosure, or Use involving the QHIN.

(3) A QHIN must have an agreement with a qualified, independent third-party credential service provider and must verify, through the credential service provider, the identities of Individuals seeking Individual Access Services prior to the Individuals' first use of such services and upon expiration of their credentials.