Delaware General Assembly | Delaware Regulations | Monthly Register of Regulations | March 2018


In accordance with 16 Del.C. §10306, and for the reasons set forth herein, the Delaware Health Information Network (DHIN) enters this Order adopting the Delaware Health Care Claims Database Data Access Regulation.
Pursuant to its authority under 16 Del.C. §10306, DHIN proposes to adopt a regulation to establish allowable purposes for access to health claims data, the process by which a request for access to claims data will be reviewed and evaluated, and factors that will be considered in granting or denying such requests.
DHIN gave notice of its intent to adopt the proposed regulation in the December 1, 2017 issue of the Delaware Register of Regulations. DHIN solicited written comments from the public for forty-seven (47) days as mandated by 29 Del.C. §10118(a).
THEREFORE, IT IS SO ORDERED, this 15th day of February, 2018, that the proposed Delaware Health Care Claims Database Data Access Regulation 104 is adopted and shall become effective ten (10) days following publication in the Delaware Register of Regulations, in accordance with 29 Del.C. §10118(e) and (g).
1.1 Statutory Authority. 16 Del.C. §10306 authorizes the Delaware Health Information Network (DHIN) to promulgate rules and regulations to carry out its objectives under 16 Del.C. Ch. 103, Subchapter II.
The following words and terms, when used in this regulation, have the [following meaning same meaning as those in CDR 1-100-103 §2.0] unless the context clearly indicates otherwise:
"Approved User" means any person or organization that DHIN has authorized to view or access data from the Health Care Claims Database, including Delaware state agencies and DHIN itself.
"Claims Data" [includes means] Required Claims Data and any additional health care information that a voluntary reporting entity elects, through entry into an appropriate Data Submission and Use Agreement, to submit to the Delaware Health Care Claims Database.
"Clinical Proxy Data Elements" means any health care information contained within Claims Data which describes a rendered clinical service, including but not limited to: procedure codes, diagnosis codes, dates and locations of clinical services, healthcare providers, and pharmacy data, and excludes Pricing Information.
"Collaborating State Agencies" [shall refer to means] the Delaware Office of Management and Budget, State Employee Benefits Committee, Division of Public Health, and Division of Medicaid and Medical Assistance and their successors, if applicable.
[“Community Health Record” or “CHR” means a searchable online portal that presents authorized users with a view of a patient’s aggregated clinical data from all sources that contribute health data to DHIN. Access to patient records in the Community Health Record is on the basis of an established relationship between the patient and the end user for purposes of Treatment, Payment, and Operations, as those terms are defined in the HIPAA regulations, for Public Health purposes as defined in the HIPAA Privacy Rule, or by patient consent or patient request. Patients can opt out of allowing their CHR data to be searchable by anyone who was not the ordering Provider, but may not opt out of reporting required by law or regulation, such as, but not limited to, reporting of certain conditions to the Division of Public Health.]
"Data Submission and Use Agreement" or "DSUA" [shall mean means] the agreement between the HCCD Administrator and the Reporting Entity describing the specific terms and conditions for data submission and use.
"De-Identified Data" [refers to means] health information as defined in the HIPAA Privacy Rule, which is not considered PHI because it excludes the following direct and indirect patient identifiers:
Any other unique identifying [numbers characteristic or code].
"HCCD Administrator" [shall mean means] the Delaware Health Information Network and its staff and contractor(s) that are responsible for collecting data submissions, providing secure production services and providing data access for approved users.
"Health Care Claims Database" or "HCCD" [shall mean means] the database and associated technology components maintained by DHIN and authorized under 16 Del.C. Ch. 103, Subchapter II.
"Health Care Claims Database Committee" (the "Committee") [shall mean means] the subcommittee established by the Delaware Health Information Network Board of Directors and governed by its by-laws that has the authority to determine when applications for Claims Data should be provided to a data requestor to facilitate the purposes of the enabling legislation, and such other duties as designated by the DHIN Board of Directors consistent with the enabling legislation.
"Health care services" means as defined in 18 Del.C. §6403.
[“Health Insurer” means as defined in 16 Del.C. §10312.]
"Identified Data" [refers to means] data that contains direct patient identifiers.
"Limited Data Set" [refers to a limited set of PHI as defined in the HIPAA Privacy Rule, which excludes direct patient identifiers. A Limited Data Set excludes all of the same data elements as De-Identified Data, with the following exceptions:
Elements of dates are allowed
means PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or a waiver or an alteration of Authorization for its use and disclosure, with a data use agreement. The following data elements are removed from a Limited Data Set:
"Mandatory Reporting Entity" means the following entities, except as prohibited under federal law:
The State Employee Benefits Committee and the Office of Management and Budget, under each entity's respective statutory authority to administer the State Group Health Insurance Program in 19 Del.C. Ch. 96, and any Health Insurer, Third Party Administrator, or other entity that receives or collects charges, contributions, or premiums for, or adjusts or settles health claims for, any State employee, or their spouses or dependents, participating in the State Group Health Insurance Program, except for any carrier, as defined in 29 Del.C. §5290, selected by the State Group Health Insurance Plan to offer supplemental insurance program coverage under 29 Del.C. Ch. 52C.
"Member" means individuals, employees, and dependents for which the Reporting Entity has an obligation to adjudicate, pay or disburse claims payments. The term includes covered lives. For employer-sponsored coverage, Members include certificate holders and their dependents. This definition includes all members of the State Group Health Insurance Program regardless of state of residence.
"Pricing Information" [means any information referring to prices charged or paid, and] includes the pre-adjudicated price charged by a Provider to a Reporting Entity for Health Care Services, the amount paid by a Member or insured party, including co-pays and deductibles, and the post-adjudicated price paid by a Reporting Entity to a Provider for Health Care Services.
"Protected Health Information" or "PHI" [refers to means] individually identifiable health information as defined in the HIPAA Privacy Rule.
"Provider" means a hospital, facility, or any health care practitioner licensed, certified, or authorized under State law to provide Health Care Services and includes hospitals and health care practitioners participating in group arrangements, including accountable care organizations, in which the hospital or health care practitioners agree to assume responsibility for the quality and cost of health care for a [designed designated] group of beneficiaries.
["Re-disclosure" means the publication, distribution or other dissemination of Claims Data released to an Approved User using any medium and in any format, context or structure.]
"Reporting Entity" means either a Mandatory Reporting Entity or a Voluntary Reporting Entity.
"Required Claims Data" as authorized under 16 Del.C. §10312(8) [shall mean means] the required data containing records of member eligibility, medical services claims and pharmacy claims as specified in the Submission Guide.
"Submission Guide" [shall mean means] the document providing the specific formats, timelines, data quality standards and other requirements for claims data submission, incorporated as Addendum One to the DSUA. It shall be established and maintained as a technical guidance document and substantively updated on an annual basis.
"Voluntary Reporting Entity" [includes means] any of the following entities that has chosen to submit or has been instructed to submit data at the request of an employer or client and enters into a Data Submission and Use Agreement, unless such entity is a Mandatory Reporting Entity:
3.3 Except as otherwise specified in this Regulation, all requests for HCCD data or data access shall require [completion of] a written [application Data Access Application] that describes the intended purpose and use of the data[, the justification for the data request,] and the security and privacy measures that will be used to safeguard the data and prevent unauthorized access to or use of the data [as well as such other acknowledgments as may be included on the Data Request Application]. Exceptions to this rule include:
3.3.2 DHIN may make HCCD Clinical Proxy Data Elements available to the Members to whom they apply without a written application or Committee review. [Members may access their health data by enrolling in DHIN’s Personal Health Record on the DHIN website at www.DHIN.org.]
3.3.4 Collaborating State Agencies may access HCCD data without Committee review by entering into an interagency agreement with the DHIN. [The allowable uses of Claims Data by Collaborating State Agencies will be posted on DHIN’s web site for public transparency.] The interagency agreement shall include but not be limited to the following:
4.2 The Committee shall be comprised of five (5) to eleven (11) members and shall be representative of various stakeholder groups[, including, where possible, consumers, employers, health plans, hospitals, physicians, researchers, and State government].
4.4 The Committee shall [determine by majority vote whether an application should be approved. As part of their review, the Committee shall] consider [any comments received from Reporting Entities whose Claims Data is being requested. The Committee shall approve an application by majority vote after finding the following]:
4.4.1 [Whether the The] intended use is consistent with the statutory purpose of the HCCD;
4.4.2 [Whether access Access] to the requested data is necessary to achieve the intended goals, including but not limited to the need for identifiable data, if requested;
[4.4.3 Whether access to the requested data may provide an unfair competitive advantage to the requestor;
4.4.5 4.4.3 Whether the The] request complies with all applicable state and federal laws relating to the privacy and security of PHI;
[4.4.6 4.4.4 Whether the The] request complies, to the fullest extent practicable, with guidance found in Statement 6 of the Department of Justice and Federal Trade Commission Enforcement Policy regarding the exchange of price and cost information;
[4.4.7 4.4.5 Whether the The] applicant is qualified to serve as a responsible steward of the requested data.
4.6 [After a decision is reached by the Committee, public notice will be posted on the DHIN website that an application for data access was received, by whom it was submitted and for what purposes, and the decision of the Committee to grant or deny the application.] The final determination of the Committee shall not be subject to appeal.
6.0 [Public Reports and] Re-Disclosure [Requirements]