HOME
Agency Information
Office Locations
Contact Information
Related Links
Site Map

SERVICES
Register of Regulations
Current Issue
Previous Issues
Regulatory Flexibility Act
Administrative Code
Delaware Code
Laws of Delaware
City & Town Charters
Style Manual
Cumulative Table
Subscription Services
Tour of Legislative Hall

INFORMATION
Citizen Participation

 

 

1.0 Scope and Authority

1.1 A significant part of the statutory mandate of the Delaware Health Information Network ("DHIN") is to support and improve the efforts of health care providers, payers, researchers, and state instrumentalities in improving the quality and lowering the costs of health care in the State of Delaware. As a part of that mandate, the General Assembly has authorized DHIN, where permitted by its agreements with its Data Sending Organizations, to permit appropriate individuals and organizations to access clinical data in its possession for approved research purposes. Such access must be limited and comply with the terms and conditions established by DHIN to protect the safety and confidentiality of patient information. Nothing in this regulation is intended to alter the ability of Data Receiving Organizations (as that term is defined in 1 DE Admin. Code 101) to use clinical data received from DHIN consistent with existing data use and business associate agreements each has entered into with DHIN.

1.2 DHIN has been authorized by statute, 16 Del.C. §§10306 & 10307, to promulgate rules and regulations to carry out its statutory mandate.

 

2.0 Definitions

The following words and terms, when used in this regulation, have the following meaning unless the context clearly indicates otherwise:

"Act" means DHIN's enabling legislation, 16 Del.C. Chapter 103.

"Approved User" means any person or organization that DHIN has authorized to view or access Available Clinical Data.

"Available Clinical Data" means Data included in DHIN's Clinical Data Repositories as to which DHIN has appropriate agreements in place with the Data Sending Organization that provided the Data to DHIN to permit use of that Data for the analytic purposes identified in this regulation.

"Board" means DHIN's Board of Directors, as established by the Act.

"Bylaws" means the Bylaws as approved by the Board.

"Clinical Data Access Committee" or "Committee" means the subcommittee established by the Board and governed by its Bylaws that has the authority to determine when applications for Available Clinical Data should be provided to a data requestor to facilitate the purposes of the Act, and such other duties as designated by the Board consistent with the Act. If the Board so determines, the Committee can (but need not) be the same committee that determines access to claims data held within the Delaware Health Care Claims Database, as set forth in 1 DE Admin. Code 104.

"Data" means medical or other health care information of or about an individual which is transmitted or available from Data Sending Organizations for transmission to DHIN and included in DHIN's clinical data repositories. The term includes PHI.

"Data Sending Organization" means an organization that contracts with DHIN to provide Data to DHIN for use in its clinical data repositories for purposes consistent with the Act, these regulations, and the contract between DHIN and Data Sending Organization. The term does not include organizations that solely provide claims data to the Health Care Claims Database pursuant to 1 DE Admin. Code 104, or organizations that solely contract with DHIN to receive analytic services or clinical data for approved analytic use cases pursuant to 1 DE Admin. Code 102.

"De-identified data" means de-identified data as defined in HIPAA. Unless otherwise defined in HIPAA, it shall mean health information that is not considered PHI because it excludes the following direct and indirect patient identifiers:

"HIPAA" means the Health Insurance Portability and Accountability Act of 1996 as amended and associated regulations, including the Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) and Security Rule (45 CFR Part 160 and Subparts A and C of Part 164).

"Identified data" means health information as defined in HIPAA that contains direct patient identifiers.

"Limited data set" means a limited data set as defined in HIPAA. Unless otherwise set forth in HIPAA, the term means PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's authorization or a waiver or an alteration of authorization for its use and disclosure, with a data use agreement. The following data elements are removed from a limited data set:

A limited data set may include

"Protected health information" or "PHI" means individually identifiable health information, as that term is defined in HIPAA.

"Provider" means a hospital, facility, or any health care practitioner licensed, certified, or authorized under State law to provide health care services and includes hospitals and health care practitioners participating in group arrangements, including accountable care organizations, in which the hospital or health care practitioners agree to assume responsibility for the quality and cost of health care for a designated group of beneficiaries.

"Re-disclosure" means the publication, distribution or other dissemination of Available Clinical Data released to an Approved User using any medium and in any format, context or structure.

 

3.0 General Data Access Provisions

3.1 Available Clinical Data may be released to a person or organization for purposes of:

3.1.1 Facilitating data-driven, evidence-based improvements in access to and quality of health care;

3.1.2 Improving the health of Delawareans generally;

3.1.3 Lowering the growth in per-capita health care costs; or

3.1.4 Providing enhanced provider experience that promotes patient engagement.

3.2 Unless otherwise provided for in this regulation, requests for access to Available Clinical Data or for analytic services based thereupon shall require completion of a written Data access application, in a form to be published by DHIN on its website, that describes the intended purpose and use of the data, the justification for the data request, and the security and privacy measures that will be used to safeguard the data and prevent unauthorized access to or use of the data. DHIN may require such additional information from a data requestor as DHIN determines, in its discretion, is required to evaluate any particular request. Exceptions to this rule include:

3.2.1 Requests by a Data Sending Organization for access to its own data or for analytic services based upon its own data shall not require Committee review or approval.

3.2.2 The Committee, at a duly noticed public meeting, may authorize additional exceptions to this rule, provided such exceptions are consistent with the requirements of the Act, HIPAA, and relevant Delaware law. Any such exceptions shall be identified publicly on DHIN's website.

3.3 If authorized by the Committee or the Board, de-identified data or the analytic evaluation thereof may be released to applying parties or the public without obtaining full Board or Committee review.

3.3.1 Release of such de-identified data shall be pursuant to such terms and conditions as are established by the Committee or the Board.

3.3.2 Release of such de-identified data shall only be permitted if the purposes for such release are consistent with the purposes for release of data set forth in the Act and this regulation.

3.4 Requests for limited data sets or identified data, or for analytic services based upon such data, must be reviewed by the Committee to determine whether the request complies with the purposes of the Act and this regulation.

3.5 DHIN shall not provide identified data to any requesting party without first obtaining or being provided with written consent from the patient authorizing such disclosure. Such consent must be in a form consistent with HIPAA and must explicitly authorize DHIN or health information exchanges generally to release identified data to the requesting party.

 

4.0 Structure and Duties of the Committee

4.1 The Committee shall have a chairperson and members appointed by the Board.

4.2 The Committee shall be comprised of five (5) to eleven (11) members and shall be representative of various stakeholder groups, including, where possible, consumers, employers, health plans, hospitals, physicians, ACO Administrators, researchers, and State government.

4.3 The Committee shall finalize a data request application, establish business operating rules for the review and consideration of applications, and determine a schedule for reviewing applications. These business rules shall be subject to periodic updates by the Committee and shall be maintained on the DHIN website.

4.4 The Committee shall consider any comments received from Data Sending Organizations whose Available Clinical Data is being requested. The Committee shall approve an application by majority vote after finding the following:

4.4.1 The intended use is consistent with the Act;

4.4.2 Access to the requested data is necessary to achieve the intended goals, including but not limited to the need for any requested identifiable data;

4.4.3 The request complies with all applicable state and federal laws relating to the privacy and security of PHI; and

4.4.4 The applicant is qualified to serve as a responsible steward of the requested data.

4.5 The Committee reserves the right to ask an applicant to acquire Institutional Review Board review, or its equivalent, prior to approving an application.

4.6 The Committee may ask for any information or assurances from a requesting party that it determines, in its discretion, may be needed in order to evaluate the application.

4.7 After a decision is reached by the Committee, public notice will be posted on the DHIN website that an application for data access was received, by whom it was submitted and for what purposes, and the decision of the Committee to grant or deny the application. The final determination of the Committee shall not be subject to appeal.

 

5.0 Notification to Data Sending Organizations

5.1 The DHIN shall notify a Data Sending Organization when an application is received for a limited data set or identified data containing Available Clinical Data that was submitted to DHIN by that Data Sending Organization.

5.2 The notification shall include but not be limited to: a summary of the request; the specific clinical data element or elements being requested; and the name of the requestor. Data Sending Organizations will have ten business days to provide written comment to DHIN regarding the request.

 

6.0 Additional Agreements

6.1 Upon the Committee's approval of an application for Available Clinical Data or DHIN's agreement to provide de-identified data following the conclusion of any process or procedures required by the Committee or the Board, the requesting party shall sign a legally binding data use agreement.

6.2 The data use agreement will include but not be limited to:

6.2.1 Confirmation of compliance with such confidentiality and data security protocols as may be required by DHIN or the Committee, in all cases to include compliance with HIPAA and relevant Delaware law on the privacy and security of health information;

6.2.2 Confirmation of compliance with the re-disclosure requirements set forth in this regulation and identified in the application;

6.2.3 Commitment to use Available Clinical Data for the sole purpose of executing the project identified in the application and approved by DHIN or the Committee;

6.2.4 Commitment to document data destruction processes at the end of the project; and

6.2.5 Commitment to comply with all statutory and regulatory requirements.

6.3 DHIN may require a successful applicant to enter into such additional agreements as may be determined by DHIN or the Committee, in their discretion, to be necessary or desirable to permit DHIN to comply with its legal obligations in fulfilling the requirements of this regulation.

 

7.0 Re-Disclosure Requirements

7.1 DHIN may issue public reports containing or based upon de-identified data without Committee review and approval.

7.2 Any other re-disclosure of Available Clinical Data shall require Committee review and approval.

7.3 All Available Clinical Data that is shared publicly or re-disclosed to anyone other than an Approved User shall adhere to federal Centers for Medicare & Medicaid Services ("CMS") cell size suppression requirements for CMS Research Identifiable Files.

 

8.0 Fees

8.1 DHIN may charge a reasonable cost-based fee for preparing and transmitting Available Clinical Data to an approved applicant. This fee may include:

8.1.1 Costs of aggregating, storing, extracting, de-identifying, and transmitting the information;

8.1.2 Associated infrastructure and staff labor costs;

8.1.3 Costs for programming and data generation;

8.1.4 Allocated indirect operating costs;

8.1.5 Other costs associated with the production and transmission of data sets; and

8.1.6 Such other costs or fees as DHIN determines necessary.

8.2 DHIN may charge such fees as it may determine are appropriate for the provision of analytic services.

8.3 At DHIN's discretion, fees may be reduced or waived for certain entities or in response to certain requests.

8.4 DHIN shall have a record of payment in full or other adequate assurances as it may determine are sufficient prior to providing data or analytic services to Approved Users.

8.5 Fees shall be deposited into a DHIN account and use to support DHIN's operating costs.

 

9.0 Penalties

9.1 If an Approved User violates the terms of the data use agreement, DHIN may take one or more of the following actions:

9.1.1 Revoke permission to use the data and require its return or destruction;

9.1.2 Pursue civil or administrative enforcement action under applicable Delaware state law;

9.1.3 Notify the Approved User's licensing body, if any, and if none, its accreditation body;

9.1.4 If the violation pertains to access or misuse of the data, DHIN may report the violation to the office of the Attorney General, pursuant to the Act.

12 DE Reg. 979 (01/01/09)

25 DE Reg. 624 (12/01/21)