DELAWARE HEALTH INFORMATION NETWORK
PROPOSED
PUBLIC NOTICE
104 Delaware Health Care Claims Database Data Access Regulation
Agency: Delaware Health Information Network
Contact: Dr. Jan Lee
Chief Executive Officer
(302) 678-0220
Submit Comments by email to info@dhin.org by January 16, 2018.
Title of Proposed Regulation: Delaware Health Care Claims Database Data Access Regulation
Summary of the Regulation:
This regulation supports implementation of 16 Del.C. Ch. 103, Subchapter II, The Delaware Health Care Claims Database. It summarizes the allowable purposes for access to claims data, the process by which a request for access to claims data will be reviewed and evaluated, and factors that will be considered in granting or denying such requests. It delineates the structure and duties of the Health Care Claims Database Committee.
Sub-regulatory information, including the form to be used for requesting access to claims data and the general business rules to be followed by the Health Care Claims Database Committee, may be found on the DHIN web site at www.DHIN.org.
104 Delaware Health Care Claims Database Data Access Regulation
1.1 Statutory Authority. 16 Del.C. §10306 authorizes the Delaware Health Information Network (DHIN) to promulgate rules and regulations to carry out its objectives under 16 Del.C. Ch. 103, Subchapter II.
1.2 The Health Care Claims Database ("HCCD") was created by statute, pursuant to Chapter 103, Subchapter II of Title 16, under the purview of DHIN, to achieve the "Triple Aim" of the State's ongoing health care innovation efforts: (1) improved health; (2) health care quality and experience; and (3) affordability for all Delawareans. The HCCD is created and maintained by the DHIN, to facilitate data driven, evidence-based improvements in access, quality, and cost of healthcare and to promote and improve the public health through increased transparency of accurate Claims Data and information. To accomplish those objectives, a centralized Health Care Claims Database was established to enable the State to more effectively understand utilization across the continuum of health care in Delaware and achieve the Triple Aim.
The following words and terms, when used in this regulation, have the following meaning unless the context clearly indicates otherwise:
"Approved User" means any person or organization that DHIN has authorized to view or access data from the Health Care Claims Database, including Delaware state agencies and DHIN itself.
"Claims Data" includes Required Claims Data and any additional health care information that a voluntary reporting entity elects, through entry into an appropriate Data Submission and Use Agreement, to submit to the Delaware Health Care Claims Database.
"Clinical Proxy Data Elements" means any health care information contained within Claims Data which describes a rendered clinical service, including but not limited to: procedure codes, diagnosis codes, dates and locations of clinical services, healthcare providers, and pharmacy data, and excludes Pricing Information.
"Collaborating State Agencies" shall refer to the Delaware Office of Management and Budget, State Employee Benefits Committee, Division of Public Health, and Division of Medicaid and Medical Assistance and their successors, if applicable.
"Data Submission and Use Agreement" or "DSUA" shall mean the agreement between the HCCD Administrator and the Reporting Entity describing the specific terms and conditions for data submission and use.
"De-Identified Data" refers to health information as defined in the HIPAA Privacy Rule, which is not considered PHI because it excludes the following direct and indirect patient identifiers:
"HCCD Administrator" shall mean the Delaware Health Information Network and its staff and contractor(s) that are responsible for collecting data submissions, providing secure production services and providing data access for approved users.
"Health Care Claims Database" or "HCCD" shall mean the database and associated technology components maintained by DHIN and authorized under 16 Del.C. Ch. 103, Subchapter II.
"Health Care Claims Database Committee" (the "Committee") shall mean the subcommittee established by the Delaware Health Information Network Board of Directors and governed by its by-laws that has the authority to determine when applications for Claims Data should be provided to a data requestor to facilitate the purposes of the enabling legislation, and such other duties as designated by the DHIN Board of Directors consistent with the enabling legislation.
"Health care services" means as defined in 18 Del.C. §6403.
"Identified Data" refers to data that contains direct patient identifiers.
"Limited Data Set" refers to a limited set of PHI as defined in the HIPAA Privacy Rule, which excludes direct patient identifiers. A Limited Data Set excludes all of the same data elements as De-Identified Data, with the following exceptions:
"Mandatory Reporting Entity" means the following entities, except as prohibited under federal law:
"Member" means individuals, employees, and dependents for which the Reporting Entity has an obligation to adjudicate, pay or disburse claims payments. The term includes covered lives. For employer-sponsored coverage, Members include certificate holders and their dependents. This definition includes all members of the State Group Health Insurance Program regardless of state of residence.
"Pricing Information" includes the pre-adjudicated price charged by a Provider to a Reporting Entity for Health Care Services, the amount paid by a Member or insured party, including co-pays and deductibles, and the post-adjudicated price paid by a Reporting Entity to a Provider for Health Care Services.
"Protected Health Information" or "PHI" refers to individually identifiable health information as defined in the HIPAA Privacy Rule.
"Provider" means a hospital, facility, or any health care practitioner licensed, certified, or authorized under State law to provide Health Care Services and includes hospitals and health care practitioners participating in group arrangements, including accountable care organizations, in which the hospital or health care practitioners agree to assume responsibility for the quality and cost of health care for a designed group of beneficiaries.
"Reporting Entity" means either a Mandatory Reporting Entity or a Voluntary Reporting Entity.
"Required Claims Data" as authorized under 16 Del.C. §10312(8) shall mean the required data containing records of member eligibility, medical services claims and pharmacy claims as specified in the Submission Guide.
"Submission Guide" shall mean the document providing the specific formats, timelines, data quality standards and other requirements for claims data submission, incorporated as Addendum One to the DSUA. It shall be established and maintained as a technical guidance document and substantively updated on an annual basis.
"Voluntary Reporting Entity" includes any of the following entities that has chosen to submit or has been instructed to submit data at the request of an employer or client and enters into a Data Submission and Use Agreement, unless such entity is a Mandatory Reporting Entity:
3.1 HCCD data may be released to a person or organization for purposes of:
3.1.1 Promoting and improving public health;
3.1.2 Advancing the "Triple Aim" of improving health, improving health care quality and experience, and improving affordability;
3.1.3 Providing information to effectively manage risk for the health needs of a population.
3.2 The DHIN may provide HCCD data or data access at the following levels of detail, per the procedures established in this Regulation:
3.2.1 De-Identified Data
3.2.2 Limited Data Sets
3.2.3 Identified Data
3.3 Except as otherwise specified in this Regulation, all requests for HCCD data or data access shall require a written application that describes the intended purpose and use of the data and the security and privacy measures that will be used to safeguard the data and prevent unauthorized access to or use of the data. Exceptions to this rule include:
3.3.1 DHIN may incorporate HCCD Clinical Proxy Data Elements into the Community Health Record for purposes of treatment and care coordination, without a written application or Committee review.
3.3.2 DHIN may make HCCD Clinical Proxy Data Elements available to the Members to whom they apply without a written application or Committee review.
3.3.3 Requests from Reporting Entities for their own data will not require Committee review.
3.3.4 Collaborating State Agencies may access HCCD data without Committee review by entering into an interagency agreement with the DHIN. The interagency agreement shall include but not be limited to the following:
3.3.4.1 Confirmation that the Collaborating State Agency will conform to DHIN's confidentiality and data security protocols and all applicable state and federal laws relating to the privacy and security of PHI;
3.3.4.2 Confirmation that the Collaborating State Agency will abide by re-disclosure requirements as specified in Section 6 of this Regulation.
3.4 Applications for De-Identified Data may be eligible for expedited review.
3.5 The Committee shall review, without exception, the following types of applications to confirm the intended use is consistent with the statutory purpose of the HCCD:
3.5.1 Applications for Limited Data Sets;
3.5.2 Applications for Identified Data;
3.5.3 Applications from out-of-state commercial requestors who are not Reporting Entities and whose intended use will not directly benefit Delawareans;
3.5.4 Applications for Pricing Information and other sensitive financial data elements.
4.1 The Committee shall have a chairperson and members appointed by the DHIN Board of Directors.
4.2 The Committee shall be comprised of five (5) to eleven (11) members and shall be representative of various stakeholder groups.
4.3 The Committee shall finalize a data request application, establish business operating rules for the review and consideration of applications, and determine a schedule for reviewing applications. These business rules shall be subject to periodic updates by the Committee and shall be maintained on the DHIN website.
4.4 The Committee shall determine by majority vote whether an application should be approved. As part of their review, the Committee shall consider:
4.4.1 Whether the intended use is consistent with the statutory purpose of the HCCD;
4.4.2 Whether access to the requested data is necessary to achieve the intended goals, including but not limited to the need for identifiable data, if requested;
4.4.3 Whether access to the requested data may provide an unfair competitive advantage to the requestor;
4.4.4 Whether any comments were received from Reporting Entities whose Claims Data is being requested, if applicable;
4.4.5 Whether the request complies with all applicable state and federal laws relating to the privacy and security of PHI;
4.4.6 Whether the request complies, to the fullest extent practicable, with guidance found in Statement 6 of the Department of Justice and Federal Trade Commission Enforcement Policy regarding the exchange of price and cost information;
4.4.7 Whether the applicant is qualified to serve as a responsible steward of the requested data.
4.5 The Committee reserves the right to ask an applicant to acquire Institutional Review Board review, or its equivalent, prior to approving an application.
4.6 The final determination of the Committee shall not be subject to appeal.
5.1 The DHIN shall notify a Reporting Entity when an application is received for Claims Data which was submitted to the HCCD by that Reporting Entity. The notification shall include but not be limited to: a summary of the request; the specific Claims Data element(s) being requested; and the name of the requestor. Reporting Entities will have ten business days to provide written comment to DHIN regarding the request.
5.2 Upon the Committee's approval of an application for HCCD data, the applicant shall sign a legally binding data use agreement. The data use agreement will include but not be limited to:
5.2.1 Confirmation of compliance with the DHIN's confidentiality and data security protocols;
5.2.2 Confirmation of compliance with the HCCD re-disclosure requirements;
5.2.3 Commitment to use HCCD data for the sole purpose of executing the approved research project;
5.2.4 Commitment to document data destruction processes at the end of the project.
6.1 The DHIN and Collaborating State Agencies may issue public reports with aggregated HCCD data that adhere to the re-disclosure requirements without Committee review and approval.
6.2 Any re-disclosure of HCCD data made by anyone other than DHIN or a Collaborating State Agency shall require Committee review and approval. All HCCD data shared publicly or re-disclosed to anyone other than an Approved User shall adhere to the following re-disclosure requirements:
6.2.1 Adhere to CMS cell size suppression requirements for CMS Research Identifiable Files;
6.2.2 Exclude any Reporting Entity-specific Pricing Information that includes post-adjudicated claims data.
7.1 DHIN may charge a reasonable cost-based fee for preparing and transmitting HCCD data. This fee may include: costs of aggregating, storing, extracting, de-identifying, and transmitting the information; associated infrastructure and staff labor costs; costs for programming and data generation; allocated indirect operating costs; and other costs associated with the production and transmission of data sets.
7.2 HCCD data and data access will always be provided free of charge to the following entities:
7.2.1 The Office of Management and Budget;
7.2.2 State Employee Benefits Committee;
7.2.3 Division of Public Health;
7.2.4 Division of Medicaid and Medical Assistance.
7.3 At DHIN's discretion, fees may be reduced or waived for certain entities, including but not limited to:
7.3.1 CMS;
7.3.2 Reporting Entities;
7.3.3 Entities that submit other data to the DHIN.
7.4 The DHIN shall have a record of payment in full prior to providing data or access to Approved Users.
7.5 Fees shall be deposited into a DHIN account to support costs of operating the HCCD.
8.1 If an Approved User violates the terms of the data use agreement, the DHIN may take one or more of the following actions:
8.1.1 Revoke permission to use the data;
8.1.2 Pursue civil or administrative enforcement action under applicable Delaware state law.