EXECUTIVE DEPARTMENT

Delaware Health Care Commission

Statutory Authority: 16 Delaware Code, Section 9925(a) (16 Del.C. §9925(a))

FINAL

ORDER

Report and Recommendation

Introduction

The Chair of the Delaware Health Care Commission appointed Leah Jones as the hearing officer for the public hearing and comments on the proposed regulation for the Delaware Health Information Network [“DHIN”]. The public hearing was convened on Tuesday, November 25, 2008 at the Delaware Technical and Community College, Room 400B, Dover, Delaware. The proceedings opened at or about 10:00 a.m. and concluded prior to noon. There was no public comment or testimony offered at the hearing (the transcript record of the hearing is maintained by the staff of the Commission).

Pursuant to 29 Del.C. Subchapter II, the proposed regulation was published in the Register of Regulations on November 1, 2008 at Volume 12, Issue 5, Page 540. The legal reference is 12 DE Reg. 540. Additionally, Notice of the Public Hearing was advertised in the two newspapers of general circulation, The News Journal and the Delaware State News, on Saturday, November 1, 2008. The Notice contained a summary of the proposed regulation, announced the time and place of the public hearing, and invited written comment up to the close of business on December 1, 2008. Two written public comments were received. The first was a November 18, 2008 letter from the Chair of the Delaware Developmental Disabilities Council and the second was a November 26, 2008 Memorandum from the Chair of the State Council for Persons with Disabilities.

Discussion

While the documents were received from different organizations on different dates, the content of both is almost identical. The comments suggest a number of mostly grammatical or word changes for clarity. The commenters do suggest at least two substantive changes: as to the proposed §3.2.12, it is suggested that it should be deleted to “enhance enforcement”; and §5.2, where it is suggested by the commenters that the imposition of financial sanctions may be “ultra vires” under 16 Del.C. § 9926. (November 18, 2008 Letter from Chair of Delaware Disabilities Council, page 2; November 26, 2008 Memorandum from Chair of State Council for Persons with Disabilities, page 2)

The public comments have been reviewed by the hearing officer and, after consultation with staff and counsel for the Commission and the Delaware Health Information Network, makes the following recommendations:

Some of the suggested grammatical or word changes for purposes of clarity should be incorporated into the proposed regulation. Those include changes to §§1.1, 2.1, 2.3, 4.1, 4.1.1, 4.1.4, 6.1 and 8.1. However, the balance of the suggested changes or comments should not be made for 3.2.12 and §5.2 either for clarity or substantive reasons.

While it is recognized that §§3.2.2, 3.2.3, 3.2.5, 3.2.9 are seemingly long and difficult to parse, they reflect the essential terms of a highly technical nature of the required Business Associate [“BA”] agreements required by HIPAA (Health Insurance Portability and Accountability Act of 1996, and regulations promulgated there under, including the Standards for Privacy of Individually Identifiable Health Information and Security Regulations, 45 Code of Federal Regulations Parts 160, 162 and 164.) One of the fundamental purposes of the proposed regulation was to streamline the application process by importing the HIPAA standards for the required BA agreements into the fabric of DHIN participation. Those sections are the boilerplate provisions of BA agreements which affect a ‘covered entity’s’ obligation to maintain control over the sensitive health care information through its agents or subcontractors.

For these same reasons, the proposed elimination of § 3.2.12 should be rejected as well. The commenters suggest without explanation that the elimination of that section will “enhance enforcement.” In fact the opposite is more likely, it will unnecessarily complicate the duties of the parties under a BA agreement. The purpose under HIPAA for BA agreements is for the covered entity to control the sensitive health care information delivered to its agent or contractor. Elimination of the section (which both the Commission and DHIN routinely use in their own contracts) would engender confusion and permit individuals such as competitors to make a legal argument that they have rights under the BA agreements. Additionally, elimination of the section would invite litigation under this sensitive area that is precluded by the very statutory provisions that created the DHIN. (see 16 Del.C. §§9923, 9925 and 9926)

The commenters suggest that §5.2 may be “ultra vires”, but do not suggest any changes. The term “ultra vires” is reference to a legal doctrine that an organization cannot act in excess of its authority. Specifically, the commenters suggest that the possible awarding of financial sanctions may exceed the statutory mandate of 16 Del.C. §9926. However, the section in question is directed to dispute resolution which is authorized under 16 Del.C. §9925. Additionally, the issue of financial sanctions is also part of the participation agreement and is enforceable under contract. It is recommended that no change be made to proposed §5.2.

The final proposed regulation is attached with the proposed changes to the published Regulation. The changes made in response to the public hearing, are indicated in [BOLD] brackets and deletions are shown in bold bracketed [strike-outs].

Recommendation

The hearing officer herby recommended that the proposed Regulation with the above changes, which are not substantive, be promulgated as the final Regulation to be effective 10 days after the Commission’s Order adopting the Regulation is published.

Hearing Officer Leah Jones

IT IS SO ORDERED this 4th day of December 2008, that the proposed 12 DE Reg. 540 with the non-substantive changes from public comments is hereby adopted by the Delaware Health Care Commission. The staff is directed to transmit this order and form of regulation to the Register for publication.

John C. Carney, Jr.

Lisa C. Barkley, MD Vincent P. Meconi

Theodore W. Becker, Jr. Janice E. Nevin, MD, MPH

Richard S. Cordrey Dennis Rochford

Matthew Denn Henry Smith

A. Richard Heffron Frederick A. Townsend

102 Delaware Health Information Network Regulations on Participation

1.0 Statutory Authority

This regulation is authorized by 16 Del.C. §§ 9925 and 9926.

1.1 The Delaware Health Information Network ['DHIN"] was created by statute, 16 Del.C. Ch. 99, Subchapter IV, to be a public instrumentality of the State of Delaware to promote the design, implementation, operation and maintenance of facilities for public and private use of health care information. The DHIN is operated through a Board of Directors. In keeping with the purpose, it is now more convenient to promulgate a regulation that will provide the requirements of participation in the DHIN and replace the numerous written documents among the participants and the DHIN. The regulation also seeks to clarify the obligations, requirements, permitted use and privacy of data for the participants.

1.2 As use in this regulation, the term "DHIN" refers to the entity unless the context refers to the electronic interchange system operated and maintained by the entity. Unless otherwise required any action by the entity shall be by majority vote of the quorum of the present members of the Board of Directors ["Board"]. Meetings of the Board may include members that are participating electronically or telephonically, as long as the public can hear or observe the participation of such members.

2.0 Participation and withdrawal.

2.1 Participation in the DHIN is voluntary and is commenced by filing with the Executive Director ["Director"] of the DHIN a document that is known as [a an] application for participation agreement ["Application"]. The Application shall: identify the individual or entity in detail, provide its healthcare activity and purpose, [shall] identify the individual or individuals that have the authority to bind the entity and conduct its business affairs, and [include] such other information as may be required by the Board. The Participation agreement shall also contain a statement that the entity agrees to be bound without reservation by this and other regulations[,policies and/or procedures] that involve the DHIN.

2.2 The participation agreement along with other information that may be reasonable as determined by the Director and the Executive Committee ["Committee"] of the Board shall be reviewed by the Director and the Committee to their satisfaction. The Executive Committee may request additional information or may grant initial participation to the applying entity subject to certain conditions. The initial participation determination is subject to a subsequent ratification by the Board. If no action is taken by the Board during its next two regular meetings with a quorum present, the Board is deemed to have ratified the initial participation of the applying entity. If the Committee denies initial participation to an applying entity, it will provide the reason or reasons for denial. After such denial, the applying entity may request the Board reconsider the Committee's denial. If the Board denies reconsideration, the applying entity may then seek legal review in accordance with 29 Del.C. Ch. 101, Subchapter V.

2.3 Withdrawal from participation is commenced by filing with the Director and the Committee a document that is known as notice of withdrawal. The Board will [provide determine] the [specific] information and [other] requirement[s] that will [comprise be contained in] the notice of withdrawal. The Director, the Committee and the withdrawing entity shall seek agreement as to the effective date of withdrawal and any other reservations or conditions. If the parties cannot agree, the Committee with the subsequent ratification of the Board shall determine the effective date of withdrawal and any other conditions or reservations of the withdrawal.

2.4 Participation may be involuntarily terminated due to security or privacy breaches or failure or refusal to perform obligations of participation. Involuntary termination shall be subject to the procedures for dispute resolution contained below.

3.0 Privacy and security of personal health care information and obligations of participants:

3.1 The participants of the DHIN may have roles that functionally vary from transaction to transaction. A participant may be a "Covered Entity" or a "Business Associate", as those terms are defined in the HIPAA Regulations, in regards to different transactions with different participants It is desirable to import the obligations of the participants under Health Insurance Portability and Accountability Act of 1996, and regulations promulgated there under ("HIPAA Regulations"), including the Standards for Privacy of Individually Identifiable Health Information and Security Regulations, 45 Code of Federal Regulations Parts 160, 162 and 164 ("Regulations"). The importation of the participants' obligations under HIPAA is more efficient than requiring numerous written documents with the possibility of omitting such a required document. Accordingly, each participant agrees to be bound as follows:

3.1.1 Definitions. As used in this section the following terms are defined as follows:

"Disclose" and "Disclosure" mean, with respect to Health Information, the release, transfer, provision of, access to, or divulging in any other manner of Health Information outside Business Associate's internal operations or to other than its employees.

"Health Information" means information that (i) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (ii) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (iii) is received by Business Associate from or on behalf of Covered Entity, or is created by Business Associate, or is made accessible to Business Associate by Covered Entity.

"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

"Use" or "Uses" mean, with respect to Health Information, the sharing, employment, application, utilization, examination or analysis of such Health Information within Business Associate's internal operations.

3.2 Obligations of Business Associate

3.2.1 Initial Effective Date of Performance. The obligations created under this section are effective upon initial participation in the DHIN.

3.2.2 Permitted Uses and Disclosures of Health Information. Business Associate shall Use and Disclose Health Information as necessary to perform services for Covered Entity, provided that such Use or Disclosure would not violate the Privacy Regulations if done by Covered Entity. Business Associate may Use and Disclose Health Information for the proper management and administration of Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that the disclosure is required by law, or the Business Associate obtains reasonable assurances in writing from the person to whom the information is disclosed that: (i) that it will be held confidentially and used or further disclosed only for the purpose for which it was disclosed; and (ii) the person is obligated to notify Business Associate (who will notify Covered Entity) of any instances of which it is aware in which the confidentiality of the information has been breached.

3.2.3 Adequate Safeguards for Health Information. Business Associate warrants that it shall implement and maintain appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity and to prevent the Use or Disclosure of Health Information in any manner other than as permitted by this Agreement.

3.2.4 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of Health Information by Business Associate in violation of the requirements of this Agreement.

3.2.5 Reporting Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity each Use or Disclosure that is made by Business Associate, its employees, representatives, agents or subcontractors that is not specifically permitted by this Agreement. The initial report shall be made by telephone call to Covered Entity's Privacy Officer within forty-eight (48) hours from the time the Business Associate becomes aware of the non-permitted Use or Disclosure, followed by a written report to the Privacy Officer no later than five (5) days from the date the Business Associate becomes aware of the non-permitted Use or Disclosure. Business Associate shall report to Covered Entity any security incident of which it becomes aware.

3.2.6 Availability of Internal Practices, Books and Records to Government Agencies. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of Health Information available to the Covered Entity, or at the request of Covered Entity, to the Secretary of the U.S. Department of Health and Human Services ("Secretary"), in a time and manner designated by the Covered Entity or the Secretary, for purposes of determining Covered Entity's compliance with the Privacy Regulations.

3.2.7 Access to and Amendment of Health Information. Business Associate shall, to the extent Covered Entity determines that any Health Information constitutes a "designated record set" under the Privacy Regulations, (a) make the Health Information specified by Covered Entity available to the individual(s) identified by Covered Entity as being entitled to access and copy that Health Information, and (b) make any amendments to Health Information that are requested by Covered Entity. Business Associate shall provide such access and make such amendments within the time and in the manner specified by Covered Entity.

3.2.8 Accounting of Disclosures. Upon Covered Entity's request, Business Associate shall provide to Covered Entity an accounting of each Disclosure of Health Information made by Business Associate or its employees, agents, representatives or subcontractors as required by the Privacy Regulations. Any accounting provided by Business Associate under this Section 3.2.8 shall include: (a) the date of the Disclosure; (b) the name, and address if known, of the entity or person who received the Health Information; (c) a brief description of the Health Information disclosed; and (d) a brief statement of the purpose of the Disclosure. For each Disclosure that requires an accounting under this Section 3.2.8, Business Associate shall track the information specified in (a) through (d), above, and shall securely maintain the information for six (6) years from the date of the Disclosure.

3.2.9 Restrictions: Requests for Confidential Communications. Business Associate will comply with any agreements for confidential communications of which it is aware and to which Covered Entity agrees pursuant to 45 C.F.R. §164.522 (b) by communicating with individuals using agreed upon alternative means or alternative locations.

3.2.10 Disposition of Health Information Upon Termination or Expiration. Upon termination or expiration of this Agreement, Business Associate shall either return or destroy, in Covered Entity's sole discretion and in accordance with any instructions by Covered Entity, all Health Information in the possession or control of Business Associate and its agents and subcontractors. However, if Covered Entity determines that neither return nor destruction of Health Information is feasible, Business Associate may retain Health Information provided that Business Associate (a) continues to comply with the provisions of this Agreement for as long as it retains Health Information, and (b) further limits Uses and Disclosures of Health Information to those purposes that make the return or destruction of Health Information infeasible.

3.2.11 Term and Termination. Unless sooner terminated, this Agreement shall continue in effect so long as Business Associate continues to provide services or perform functions on behalf of Covered Entity. A material breach by Business Associate of any provision of this Agreement, as determined by Covered Entity, shall constitute a material breach of the Agreement providing grounds for immediate termination of this Agreement. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity may provide an opportunity for Business Associate to cure the breach or end the violation and may terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, or immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible. Notwithstanding the above, any breach related to the sale, transfer, or use or disclosure of Health Information for commercial advantage, personal gain, or malicious harm shall be considered non-curable. Business Associate's obligations under Article II shall survive the termination or expiration of this Agreement. Nevertheless, DHIN may continue to hold data in the terminated participant's data stage for historical and other purposes.

3.2.12 No Third Party Beneficiaries. There are no third party beneficiaries to the obligations of the participants of DHIN under this section.

3.2.13 Use of Subcontractors and Agents. Business Associate shall require each of its agents and subcontractors that receive Health Information from Business Associate to execute a written agreement obligating the agent or subcontractor to comply with all the terms of this Agreement.

3.2.14 Amendment to Comply with Law. The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HIPAA Regulations and other applicable laws relating to the security or confidentiality of Health Information. The parties understand and agree that Covered Entity must receive satisfactory written assurance from Business Associate that Business Associate will adequately safeguard all Health Information that it receives or creates pursuant to this Agreement. Upon Covered Entity's request, Business Associate agrees to promptly enter into negotiations with Covered Entity concerning the terms of any amendment to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA, the HIPAA Regulations or other applicable laws. Covered Entity may terminate this Agreement upon thirty (30) days written notice in the event (i) Business Associate does not promptly enter into negotiations to amend this Agreement when requested by Covered Entity pursuant to this Section or (ii) Business Associate does not enter into an amendment to this Agreement providing assurances regarding the safeguarding of Health Information that Covered Entity, in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA and HIPAA Regulations.

4.0 Other obligations of participation.

4.1 Application for and participation in DHIN requires each participating entity and its agents and employees to the following [in addition to provisions of this section as well as] the obligations imposed elsewhere.

4.1.1 The participating entities, their agents and employees shall conduct their affairs with all other [participates participants] as well as the agents and employees of DHIN with the highest level of candor, complete honesty-in-fact, civility and professionalism.

4.1.2 The participants must respond to requests for information and complaints in a reasonable period. Participants must respond to requests for information and complaints that involve security and privacy within twenty-four hours unless the Director or his or her designee extends the time.

4.1.3 The participants must provide financial support by prompt payment in accordance with their prior agreement or as may be promulgated by rule by the Board in the future.

4.1.4 The participants must promptly report Security Incidents as defined in the prior section promptly to the Director and any other [effected affected] participant.

5.0 Dispute resolution and inquiries

5.1 Any dispute that involves the DHIN or its interchange shall be subject to dispute resolution under this section. Such disputes may involve participants, the DHIN or members of the public where there is a claim that this or other regulations or statutes were violated by any of the forgoing. A dispute may also be an inquiry or request for information that is not responded to in a reasonable manner.

5.2 The Chair of the Board may appoint a number of individuals subject to approval by the Committee to serve on the Dispute Resolution Committee ["DRC"]. The DRC shall be comprised of panels of no less than three or more than five members. No member may serve on a case before the DRC where that member has a conflict of interest as set forth in 29 Del.C. Chapter 58. The presiding member of the panel must be a member of the Board. The Board may promulgate rules for procedures for matters to be determined by the DRC. The DRC and the Board are authorized to grant relief to include financial penalties, suspension and termination of an entity or individual's participation or use of the DHIN.

5.3 Any party aggrieved by the decision of the Panel may seek review by filing written exceptions to the Panel's decision within ten days of the decision as would be computed in the Delaware Superior Court. The review shall be presented to the Board who may overturn the Panel's decision by a majority vote of a quorum of the Board.

5.4 A aggrieved party may seek legal review on the record only in accordance with 29 Del.C. Ch. 101, Subchapter V.

6.0 Permitted uses by participants

6.1 In an effort to maximize the health care benefits of the DHIN, participants are authorized to utilize the system to its maximum extent possible while maintaining the required high level of security and privacy for the information. Participants are authorized to use the DHIN without regard to whether the ordering entity is a participant of the DHIN. This includes participants that are subject to the Clinical Laboratory Improvement Act ["CLIA"] and regulations promulgated thereunder.

6.2 Participants shall comply with the data use agreements they entered into with the DHIN. The terms, conditions and requirements of the existing and future data use agreements may be determined and amended by the Board.

7.0 Patient access

7.1 Individuals may be provided access to the information about them that is in the interchange in a manner and under terms and conditions that the Board shall set out by rule or procedure.

7.2 Individuals shall be informed of and may choose to preclude a search of their individual health information (as defined in above Section 3.1.1) in the DHIN Interchange after consultation with their health care provider and in accordance with the rules or procedures promulgated by Board.

8.0 Technical Standards

8.1 The Board by rule or procedure shall establish the technical requirements for participation in the DHIN. These standards shall [adopt conform to or incorporate] national standards to the extent such is feasible.

12 DE Reg. 979 (01/01/09) (Final)

That section provides: “No Third Party Beneficiaries. There are no third party beneficiaries to the obligations of the participants of DHIN under this section.”

Subsection (c) provides: “Any violation of the Commission’s rules or regulations regarding access or misuse of the DHIN health information shall be reported to the office of the Attorney General….(emphasis added)”