DELAWARE HEALTH CARE COMMISSION
Statutory Authority: 16 Delaware Code, Section 9925(a) (16 Del.C. §9925(a))
The Delaware Health Care Commission (Commission), in accordance with 16 Del.C. §9925(a) and 29 Del.C. §10115, hereby gives notice that it shall hold a public hearing on proposed regulation of the Delaware Health Information Network (DHIN). The hearing will be held at 10:00 a.m. on Tuesday, November 25, 2008, at Delaware Technical and Community College, Corporate Training Center, Room 400B, Dover, Delaware.
The intent of the proposed regulation is to streamline and reduce the legal documentation necessary to participate in the DHIN, to introduce new regulation to address provisions of dispute resolution, patient access, and to authorize the use of DHIN by participating laboratories.
The Commission will receive oral or written input at the hearing and/or written public comment through December 1, 2008. Send written comments to Leah Jones, Delaware Health Care Commission, Margaret O’Neill Building, 410 Federal Street, Suite 7, Dover, Delaware 19901.
For a copy of the proposed regulation, visit http://regulations.delaware.gov/register/november2008/proposed/index.shtml or call the Commission office at (302) 739-2730.
102 Delaware Health Information Network Regulations on Participation
1.0 Statutory Authority
This regulation is authorized by 16 Del.C. §§ 9925 and 9926.
1.1 The Delaware Health Information Network ["DHIN"] was created by statute 16 Del.C. Ch. 99, Subchapter IV to be a public instrumentality of the State of Delaware to promote the design, implementation, operation and maintenance of facilities for public and private use of health care information. The DHIN is operated through a Board of Directors. In keeping with the purpose, it is now more convenient to promulgate a regulation that will provide the requirements of participation in the DHIN and replace the numerous written documents among the participants and the DHIN. The regulation also seeks to clarify the obligations, requirements, permitted use and privacy of data for the participants.
1.2 As used in this regulation, the term "DHIN" refers to the entity unless the context refers to the electronic interchange system operated and maintained by the entity. Unless otherwise required, any action by the entity shall be by majority vote of the quorum of the present members of the Board of Directors ["Board"]. Meetings of the Board may include members that are participating electronically or telephonically, as long as the public can hear or observe the participation of such members.
2.0 Participation and withdrawal.
2.1 Participation in the DHIN is voluntary and is commenced by filing with the Executive Director ["Director"] of the DHIN a document that is known as an application for participation agreement ["Application"]. The Application shall: identify the individual or entity in detail, provide its healthcare activity and purpose, identify the individual or individuals that have the authority to bind the entity and conduct its business affairs, and provide such other information as may be required by the Board. The Participation agreement shall also contain a statement that the entity agrees to be bound without reservation by this and other regulations that involve the DHIN.
2.2 The participation agreement along with other information that may be reasonable as determined by the Director and the Executive Committee ["Committee"] of the Board shall be reviewed by the Director and the Committee to their satisfaction. The Executive Committee may request additional information or may grant initial participation to the applying entity subject to certain conditions. The initial participation determination is subject to a subsequent ratification by the Board. If no action is taken by the Board during its next two regular meetings with a quorum present, the Board is deemed to have ratified the initial participation of the applying entity. If the Committee denies initial participation to an applying entity, it will provide the reason or reasons for denial. After such denial, the applying entity may request the Board reconsider the Committee's denial. If the Board denies reconsideration, the applying entity may then seek legal review in accordance with 29 Del.C. Ch. 101, Subchapter V.
2.3 Withdrawal from participation is commenced by filing with the Director and the Committee a document that is known as notice of withdrawal. The Board will provide the information and requirement that will comprise the notice of withdrawal. The Director, the Committee and the withdrawing entity shall seek agreement as to the effective date of withdrawal and any other reservations or conditions. If the parties cannot agree, the Committee with the subsequent ratification of the Board shall determine the effective date of withdrawal and any other conditions or reservations of the withdrawal.
2.4 Participation may be involuntarily terminated due to security or privacy breaches or failure or refusal to perform obligations of participation. Involuntary termination shall be subject to the procedures for dispute resolution contained below.
3.0 Privacy and security of personal health care information and obligations of participants:
3.1 The participants of the DHIN may have roles that functionally vary from transaction to transaction. A participant may be a "Covered Entity" or a "Business Associate", as those terms are defined in the HIPAA Regulations, in regards to different transactions with different participants. It is desirable to import the obligations of the participants under the Health Insurance Portability and Accountability Act of 1996, and regulations promulgated thereunder ("HIPAA Regulations"), including the Standards for Privacy of Individually Identifiable Health Information and Security Regulations, 45 Code of Federal Regulations Parts 160, 162 and 164 ("Regulations"). The importation of the participants' obligations under HIPAA is more efficient than requiring numerous written documents with the possibility of omitting such a required document. Accordingly, each participant agrees to be bound as follows:
3.1.1 Definitions. As used in this section the following terms are defined as follows:
"Disclose" and "Disclosure" mean, with respect to Health Information, the release, transfer, provision of, access to, or divulging in any other manner of Health Information outside Business Associate's internal operations or to other than its employees.
"Health Information" means information that (i) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (ii) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (iii) is received by Business Associate from or on behalf of Covered Entity, or is created by Business Associate, or is made accessible to Business Associate by Covered Entity.
"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
"Use" or "Uses" mean, with respect to Health Information, the sharing, employment, application, utilization, examination or analysis of such Health Information within Business Associate's internal operations.
3.2 Obligations of Business Associate
3.2.1 Initial Effective Date of Performance. The obligations created under this section are effective upon initial participation in the DHIN.
3.2.2 Permitted Uses and Disclosures of Health Information. Business Associate shall Use and Disclose Health Information as necessary to perform services for Covered Entity, provided that such Use or Disclosure would not violate the Privacy Regulations if done by Covered Entity. Business Associate may Use and Disclose Health Information for the proper management and administration of Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that the disclosure is required by law, or the Business Associate obtains reasonable assurances in writing from the person to whom the information is disclosed that: (i) it will be held confidentially and used or further disclosed only for the purpose for which it was disclosed; and (ii) the person is obligated to notify Business Associate (who will notify Covered Entity) of any instances of which it is aware in which the confidentiality of the information has been breached.
3.2.3 Adequate Safeguards for Health Information. Business Associate warrants that it shall implement and maintain appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity and to prevent the Use or Disclosure of Health Information in any manner other than as permitted by this Agreement.
3.2.4 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of Health Information by Business Associate in violation of the requirements of this Agreement.
3.2.5 Reporting Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity each Use or Disclosure that is made by Business Associate, its employees, representatives, agents or subcontractors that is not specifically permitted by this Agreement. The initial report shall be made by telephone call to Covered Entity's Privacy Officer within forty-eight (48) hours from the time the Business Associate becomes aware of the non-permitted Use or Disclosure, followed by a written report to the Privacy Officer no later than five (5) days from the date the Business Associate becomes aware of the non-permitted Use or Disclosure. Business Associate shall report to Covered Entity any security incident of which it becomes aware.
3.2.6 Availability of Internal Practices, Books and Records to Government Agencies. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of Health Information available to the Covered Entity, or at the request of Covered Entity, to the Secretary of the U.S. Department of Health and Human Services ("Secretary"), in a time and manner designated by the Covered Entity or the Secretary, for purposes of determining Covered Entity's compliance with the Privacy Regulations.
3.2.7 Access to and Amendment of Health Information. Business Associate shall, to the extent Covered Entity determines that any Health Information constitutes a "designated record set" under the Privacy Regulations, (a) make the Health Information specified by Covered Entity available to the individual(s) identified by Covered Entity as being entitled to access and copy that Health Information, and (b) make any amendments to Health Information that are requested by Covered Entity. Business Associate shall provide such access and make such amendments within the time and in the manner specified by Covered Entity.
3.2.8 Accounting of Disclosures. Upon Covered Entity's request, Business Associate shall provide to Covered Entity an accounting of each Disclosure of Health Information made by Business Associate or its employees, agents, representatives or subcontractors as required by the Privacy Regulations. Any accounting provided by Business Associate under this Section 3.2.8 shall include: (a) the date of the Disclosure; (b) the name, and address if known, of the entity or person who received the Health Information; (c) a brief description of the Health Information disclosed; and (d) a brief statement of the purpose of the Disclosure. For each Disclosure that requires an accounting under this Section 3.2.8, Business Associate shall track the information specified in (a) through (d), above, and shall securely maintain the information for six (6) years from the date of the Disclosure.
3.2.9 Restrictions: Requests for Confidential Communications. Business Associate will comply with any agreements for confidential communications of which it is aware and to which Covered Entity agrees pursuant to 45 C.F.R. §164.522 (b) by communicating with individuals using agreed upon alternative means or alternative locations.
3.2.10 Disposition of Health Information Upon Termination or Expiration. Upon termination or expiration of this Agreement, Business Associate shall either return or destroy, in Covered Entity's sole discretion and in accordance with any instructions by Covered Entity, all Health Information in the possession or control of Business Associate and its agents and subcontractors. However, if Covered Entity determines that neither return nor destruction of Health Information is feasible, Business Associate may retain Health Information provided that Business Associate (a) continues to comply with the provisions of this Agreement for as long as it retains Health Information, and (b) further limits Uses and Disclosures of Health Information to those purposes that make the return or destruction of Health Information infeasible.
3.2.11 Term and Termination. Unless sooner terminated, this Agreement shall continue in effect so long as Business Associate continues to provide services or perform functions on behalf of Covered Entity. A material breach by Business Associate of any provision of this Agreement, as determined by Covered Entity, shall constitute a material breach of the Agreement providing grounds for immediate termination of this Agreement. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity may provide an opportunity for Business Associate to cure the breach or end the violation and may terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, or immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible. Notwithstanding the above, any breach related to the sale, transfer, or use or disclosure of Health Information for commercial advantage, personal gain, or malicious harm shall be considered non-curable. Business Associate's obligations under Article II shall survive the termination or expiration of this Agreement. Nevertheless, DHIN may continue to hold data in the terminated participant's data stage for historical and other purposes.
3.2.12 No Third Party Beneficiaries. There are no third party beneficiaries to the obligations of the participants of DHIN under this section.
3.2.13 Use of Subcontractors and Agents. Business Associate shall require each of its agents and subcontractors that receive Health Information from Business Associate to execute a written agreement obligating the agent or subcontractor to comply with all the terms of this Agreement.
3.2.14 Amendment to Comply with Law. The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HIPAA Regulations and other applicable laws relating to the security or confidentiality of Health Information. The parties understand and agree that Covered Entity must receive satisfactory written assurance from Business Associate that Business Associate will adequately safeguard all Health Information that it receives or creates pursuant to this Agreement. Upon Covered Entity's request, Business Associate agrees to promptly enter into negotiations with Covered Entity concerning the terms of any amendment to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA, the HIPAA Regulations or other applicable laws. Covered Entity may terminate this Agreement upon thirty (30) days written notice in the event (i) Business Associate does not promptly enter into negotiations to amend this Agreement when requested by Covered Entity pursuant to this Section or (ii) Business Associate does not enter into an amendment to this Agreement providing assurances regarding the safeguarding of Health Information that Covered Entity, in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA and HIPAA Regulations.
4.0 Other obligations of participation.
4.1 Application for and participation in DHIN requires each participating entity and its agents and employees to comply with the following in addition to the obligations imposed elsewhere.
4.1.1 The participating entities, their agents and employees shall conduct their affairs with all other participants as well as the agents and employees of DHIN with the highest level of candor, complete honesty-in-fact, civility and professionalism.
4.1.2 The participants must respond to requests for information and complaints in a reasonable period. Participants must respond to requests for information and complaints that involve security and privacy within twenty-four hours unless the Director or his or her designee extends the time.
4.1.3 The participants must provide financial support by prompt payment in accordance with their prior agreement or as may be promulgated by rule by the Board in the future.
4.1.4 The participants must promptly report Security Incidents as defined in the prior section to the Director and any other affected participant.
5.0 Dispute resolution and inquiries
5.1 Any dispute that involves the DHIN or its interchange shall be subject to dispute resolution under this section. Such disputes may involve participants, the DHIN or members of the public where there is a claim that this or other regulations or statutes were violated by any of the foregoing. A dispute may also be an inquiry or request for information that is not responded to in a reasonable manner.
5.2 The Chair of the Board may appoint a number of individuals subject to approval by the Committee to serve on the Dispute Resolution Committee ["DRC"]. The DRC shall be comprised of panels of no less than three or more than five members. No member may serve on a case before the DRC where that member has a conflict of interest as set forth in 29 Del.C. Chapter 58. The presiding member of the panel must be a member of the Board. The Board may promulgate rules for procedures for matters to be determined by the DRC. The DRC and the Board are authorized to grant relief to include financial penalties, suspension and termination of an entity or individual's participation or use of the DHIN.
5.3 Any party aggrieved by the decision of the Panel may seek review by filing written exceptions to the Panel's decision within ten days of the decision as would be computed in the Delaware Superior Court. The review shall be presented to the Board who may overturn the Panel's decision by a majority vote of a quorum of the Board.
5.4 An aggrieved party may seek legal review on the record only in accordance with 29 Del.C. Ch. 101, Subchapter V.
6.0 Permitted uses by participants
6.1 In an effort to maximize the health care benefits of the DHIN, participants are authorized to utilize the system to its maximum extent possible while maintaining the required high level of security and privacy for the information. Participants are authorized to use the DHIN without regard to whether the ordering entity is a participant of the DHIN. This includes participants that are subject to the Clinical Laboratory Improvement Act ["CLIA"] and regulations promulgated thereunder.
6.2 Participants shall comply with the data use agreements they entered into with the DHIN. The terms, conditions and requirements of the existing and future data use agreements may be determined and amended by the Board.
7.0 Patient access
7.1 Individuals may be provided access to the information about them that is in the interchange in a manner and under terms and conditions that the Board shall set out by rule or procedure.
7.2 Individuals shall be informed of and may choose to preclude a search of their individual health information (as defined in Section 3.1.1 above) in the DHIN Interchange after consultation with their health care provider and in accordance with the rules or procedures promulgated by the Board.
8.0 Technical Standards
8.1 The Board by rule or procedure shall establish the technical requirements for participation in the DHIN. These standards shall adopt national standards to the extent such is feasible.
12 DE Reg. 540 (11/01/08) (Prop.)