Authenticated PDF Version



Statutory Authority: 16 Delaware Code, Section 10306 (16 Del.C. § 10306)
1 DE Admin. Code 102



102 Delaware Health Information Network Regulations on Participation

The Delaware Health Information Network ("DHIN") published a notice of proposed regulation changes in the September 2021 Delaware Register of Regulations pursuant to 16 Del. C. § 10306 and Senate Bill 88 of the 151st General Assembly (2021), requiring written materials and suggestions from the public concerning the proposed regulations to be produced by October 29, 2021 at which time DHIN would receive information, factual evidence and public comment to the proposed changes to the regulations.

Summary of Proposed Changes

Senate Bill 88 of the 151st General Assembly provides a framework through which approved researchers, health care organizations, and other third parties can access clinical data held by DHIN for approved analytic purposes. DHIN's proposed regulations set up the regulatory framework through which applications for data will be processed, reviewed, and acted upon. The regulations also contain protections for members of the public to ensure that patient identifiable data is not used without the explicit permission of the patient. The statutory authority for the changes is 16 Del. C. § 10306 and Senate Bill 88 of the 151st General Assembly (2021).

The proposed changes to DHIN's regulations were published in the Register of Regulations, Volume 25, Issue 3 on September 1, 2021. Comments were to have been received by 4:30 p.m. on October 29, 2021.

Summary of Comments Received and DHIN Response

Two comments were received by DHIN, by the Governor's Advisory Council for Exceptional Citizens and by the State Council for Persons with Disabilities. Both comments endorsed the regulatory changes. DHIN appreciates the thoughtful input given by both organizations and appreciates the support.

Both organizations mentioned a distinction between 1 DE Admin. Code 104 (governing access to and use of claims data from the Delaware Health Care Claims Database) and this proposed regulation (governing access to and use of clinical data held by DHIN) in their treatment of state agencies that seek data reported by DHIN. The reason for this distinction is found in the enabling legislation governing that access. The legislation that created the Delaware Health Care Claims Database contained specific requirements concerning state agency access to and use of data reported by DHIN. The legislation governing use of clinical data held by DHIN contains no such requirements.

Findings of Fact and Conclusions

The public was given notice and an opportunity to provide DHIN with comments in writing on the proposed amendments to DHIN's regulations. There were two public comments provided to DHIN in writing during the comment period, both of which were supportive of the proposed regulatory changes.

Pursuant to 16 Del. C. § 10306, DHIN has the statutory authority to promulgate rules and regulations.

Having considered the public comments received, DHIN finds no reason to amend the regulations as proposed.

Decision and Effective Date

DHIN hereby adopts the changes to its regulations as proposed, to be effective 10 days following publication of this Order in the Register of Regulations. The new regulations are attached hereto as Exhibit A.

IT IS SO ORDERED this 12th day of November, 2021.


Janice Lee, MD

Chief Executive Officer

102 Delaware Health Information Network Regulations on Participation Use of Clinical Data for Approved Analytic Purposes

1.0 Statutory Authority

This regulation is authorized by 16 Del.C. §§ 9925 and 9926.

1.1 The Delaware Health Information Network ['DHIN"] was created by statute, 16 Del.C. Ch. 99, Subchapter IV, to be a public instrumentality of the State of Delaware to promote the design, implementation, operation and maintenance of facilities for public and private use of health care information. The DHIN is operated through a Board of Directors. In keeping with the purpose, it is now more convenient to promulgate a regulation that will provide the requirements of participation in the DHIN and replace the numerous written documents among the participants and the DHIN. The regulation also seeks to clarify the obligations, requirements, permitted use and privacy of data for the participants.

1.2 As use in this regulation, the term "DHIN" refers to the entity unless the context refers to the electronic interchange system operated and maintained by the entity. Unless otherwise required any action by the entity shall be by majority vote of the quorum of the present members of the Board of Directors ["Board"]. Meetings of the Board may include members that are participating electronically or telephonically, as long as the public can hear or observe the participation of such members.

2.0 Participation and withdrawal.

2.1 Participation in the DHIN is voluntary and is commenced by filing with the Executive Director ["Director"] of the DHIN a document that is known as an application for participation agreement ["Application"]. The Application shall: identify the individual or entity in detail, provide its healthcare activity and purpose, identify the individual or individuals that have the authority to bind the entity and conduct its business affairs, and include such other information as may be required by the Board. The Participation agreement shall also contain a statement that the entity agrees to be bound without reservation by this and other regulations,policies and/or procedures that involve the DHIN.

2.2 The participation agreement along with other information that may be reasonable as determined by the Director and the Executive Committee ["Committee"] of the Board shall be reviewed by the Director and the Committee to their satisfaction. The Executive Committee may request additional information or may grant initial participation to the applying entity subject to certain conditions. The initial participation determination is subject to a subsequent ratification by the Board. If no action is taken by the Board during its next two regular meetings with a quorum present, the Board is deemed to have ratified the initial participation of the applying entity. If the Committee denies initial participation to an applying entity, it will provide the reason or reasons for denial. After such denial, the applying entity may request the Board reconsider the Committee's denial. If the Board denies reconsideration, the applying entity may then seek legal review in accordance with 29 Del.C. Ch. 101, Subchapter V.

2.3 Withdrawal from participation is commenced by filing with the Director and the Committee a document that is known as notice of withdrawal. The Board will determine the specific information and other requirements that will be contained in the notice of withdrawal. The Director, the Committee and the withdrawing entity shall seek agreement as to the effective date of withdrawal and any other reservations or conditions. If the parties cannot agree, the Committee with the subsequent ratification of the Board shall determine the effective date of withdrawal and any other conditions or reservations of the withdrawal.

2.4 Participation may be involuntarily terminated due to security or privacy breaches or failure or refusal to perform obligations of participation. Involuntary termination shall be subject to the procedures for dispute resolution contained below.

3.0 Privacy and security of personal health care information and obligations of participants:

3.1 The participants of the DHIN may have roles that functionally vary from transaction to transaction. A participant may be a "Covered Entity" or a "Business Associate", as those terms are defined in the HIPAA Regulations, in regards to different transactions with different participants It is desirable to import the obligations of the participants under Health Insurance Portability and Accountability Act of 1996, and regulations promulgated there under ("HIPAA Regulations"), including the Standards for Privacy of Individually Identifiable Health Information and Security Regulations, 45 Code of Federal Regulations Parts 160, 162 and 164 ("Regulations"). The importation of the participants' obligations under HIPAA is more efficient than requiring numerous written documents with the possibility of omitting such a required document. Accordingly, each participant agrees to be bound as follows:

3.1.1 Definitions. As used in this section the following terms are defined as follows:

"Disclose" and "Disclosure" mean, with respect to Health Information, the release, transfer, provision of, access to, or divulging in any other manner of Health Information outside Business Associate's internal operations or to other than its employees.

"Health Information" means information that (i) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (ii) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (iii) is received by Business Associate from or on behalf of Covered Entity, or is created by Business Associate, or is made accessible to Business Associate by Covered Entity.

"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

"Use" or "Uses" mean, with respect to Health Information, the sharing, employment, application, utilization, examination or analysis of such Health Information within Business Associate's internal operations.

3.2 Obligations of Business Associate

3.2.1 Initial Effective Date of Performance. The obligations created under this section are effective upon initial participation in the DHIN.

3.2.2 Permitted Uses and Disclosures of Health Information. Business Associate shall Use and Disclose Health Information as necessary to perform services for Covered Entity, provided that such Use or Disclosure would not violate the Privacy Regulations if done by Covered Entity. Business Associate may Use and Disclose Health Information for the proper management and administration of Business Associate, or to carry out the legal responsibilities of the Business Associate, provided that the disclosure is required by law, or the Business Associate obtains reasonable assurances in writing from the person to whom the information is disclosed that: (i) that it will be held confidentially and used or further disclosed only for the purpose for which it was disclosed; and (ii) the person is obligated to notify Business Associate (who will notify Covered Entity) of any instances of which it is aware in which the confidentiality of the information has been breached.

3.2.3 Adequate Safeguards for Health Information. Business Associate warrants that it shall implement and maintain appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity and to prevent the Use or Disclosure of Health Information in any manner other than as permitted by this Agreement.

3.2.4 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of Health Information by Business Associate in violation of the requirements of this Agreement.

3.2.5 Reporting Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity each Use or Disclosure that is made by Business Associate, its employees, representatives, agents or subcontractors that is not specifically permitted by this Agreement. The initial report shall be made by telephone call to Covered Entity's Privacy Officer within forty-eight (48) hours from the time the Business Associate becomes aware of the non-permitted Use or Disclosure, followed by a written report to the Privacy Officer no later than five (5) days from the date the Business Associate becomes aware of the non-permitted Use or Disclosure. Business Associate shall report to Covered Entity any security incident of which it becomes aware.

3.2.6 Availability of Internal Practices, Books and Records to Government Agencies. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of Health Information available to the Covered Entity, or at the request of Covered Entity, to the Secretary of the U.S. Department of Health and Human Services ("Secretary"), in a time and manner designated by the Covered Entity or the Secretary, for purposes of determining Covered Entity's compliance with the Privacy Regulations.

3.2.7 Access to and Amendment of Health Information. Business Associate shall, to the extent Covered Entity determines that any Health Information constitutes a "designated record set" under the Privacy Regulations, (a) make the Health Information specified by Covered Entity available to the individual(s) identified by Covered Entity as being entitled to access and copy that Health Information, and (b) make any amendments to Health Information that are requested by Covered Entity. Business Associate shall provide such access and make such amendments within the time and in the manner specified by Covered Entity.

3.2.8 Accounting of Disclosures. Upon Covered Entity's request, Business Associate shall provide to Covered Entity an accounting of each Disclosure of Health Information made by Business Associate or its employees, agents, representatives or subcontractors as required by the Privacy Regulations. Any accounting provided by Business Associate under this Section 3.2.8 shall include: (a) the date of the Disclosure; (b) the name, and address if known, of the entity or person who received the Health Information; (c) a brief description of the Health Information disclosed; and (d) a brief statement of the purpose of the Disclosure. For each Disclosure that requires an accounting under this Section 3.2.8, Business Associate shall track the information specified in (a) through (d), above, and shall securely maintain the information for six (6) years from the date of the Disclosure.

3.2.9 Restrictions: Requests for Confidential Communications. Business Associate will comply with any agreements for confidential communications of which it is aware and to which Covered Entity agrees pursuant to 45 C.F.R. §164.522 (b) by communicating with individuals using agreed upon alternative means or alternative locations.

3.2.10 Disposition of Health Information Upon Termination or Expiration. Upon termination or expiration of this Agreement, Business Associate shall either return or destroy, in Covered Entity's sole discretion and in accordance with any instructions by Covered Entity, all Health Information in the possession or control of Business Associate and its agents and subcontractors. However, if Covered Entity determines that neither return nor destruction of Health Information is feasible, Business Associate may retain Health Information provided that Business Associate (a) continues to comply with the provisions of this Agreement for as long as it retains Health Information, and (b) further limits Uses and Disclosures of Health Information to those purposes that make the return or destruction of Health Information infeasible.

3.2.11 Term and Termination. Unless sooner terminated, this Agreement shall continue in effect so long as Business Associate continues to provide services or perform functions on behalf of Covered Entity. A material breach by Business Associate of any provision of this Agreement, as determined by Covered Entity, shall constitute a material breach of the Agreement providing grounds for immediate termination of this Agreement. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity may provide an opportunity for Business Associate to cure the breach or end the violation and may terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, or immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible. Notwithstanding the above, any breach related to the sale, transfer, or use or disclosure of Health Information for commercial advantage, personal gain, or malicious harm shall be considered non-curable. Business Associate's obligations under Article II shall survive the termination or expiration of this Agreement. Nevertheless, DHIN may continue to hold data in the terminated participant's data stage for historical and other purposes.

3.2.12 No Third Party Beneficiaries. There are no third party beneficiaries to the obligations of the participants of DHIN under this section.

3.2.13 Use of Subcontractors and Agents. Business Associate shall require each of its agents and subcontractors that receive Health Information from Business Associate to execute a written agreement obligating the agent or subcontractor to comply with all the terms of this Agreement.

3.2.14 Amendment to Comply with Law. The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HIPAA Regulations and other applicable laws relating to the security or confidentiality of Health Information. The parties understand and agree that Covered Entity must receive satisfactory written assurance from Business Associate that Business Associate will adequately safeguard all Health Information that it receives or creates pursuant to this Agreement. Upon Covered Entity's request, Business Associate agrees to promptly enter into negotiations with Covered Entity concerning the terms of any amendment to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA, the HIPAA Regulations or other applicable laws. Covered Entity may terminate this Agreement upon thirty (30) days written notice in the event (i) Business Associate does not promptly enter into negotiations to amend this Agreement when requested by Covered Entity pursuant to this Section or (ii) Business Associate does not enter into an amendment to this Agreement providing assurances regarding the safeguarding of Health Information that Covered Entity, in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA and HIPAA Regulations.

4.0 Other obligations of participation.

4.1 Application for and participation in DHIN requires each participating entity and its agents and employees to the following provisions of this section as well as the obligations imposed elsewhere.

4.1.1 The participating entities, their agents and employees shall conduct their affairs with all other participants as well as the agents and employees of DHIN with the highest level of candor, complete honesty-in-fact, civility and professionalism.

4.1.2 The participants must respond to requests for information and complaints in a reasonable period. Participants must respond to requests for information and complaints that involve security and privacy within twenty-four hours unless the Director or his or her designee extends the time.

4.1.3 The participants must provide financial support by prompt payment in accordance with their prior agreement or as may be promulgated by rule by the Board in the future.

4.1.4 The participants must promptly report Security Incidents as defined in the prior section promptly to the Director and any other affected participant.

5.0 Dispute resolution and inquiries

5.1 Any dispute that involves the DHIN or its interchange shall be subject to dispute resolution under this section. Such disputes may involve participants, the DHIN or members of the public where there is a claim that this or other regulations or statutes were violated by any of the forgoing. A dispute may also be an inquiry or request for information that is not responded to in a reasonable manner.

5.2 The Chair of the Board may appoint a number of individuals subject to approval by the Committee to serve on the Dispute Resolution Committee ["DRC"]. The DRC shall be comprised of panels of no less than three or more than five members. No member may serve on a case before the DRC where that member has a conflict of interest as set forth in 29 Del.C. Chapter 58. The presiding member of the panel must be a member of the Board. The Board may promulgate rules for procedures for matters to be determined by the DRC. The DRC and the Board are authorized to grant relief to include financial penalties, suspension and termination of an entity or individual's participation or use of the DHIN.

5.3 Any party aggrieved by the decision of the Panel may seek review by filing written exceptions to the Panel's decision within ten days of the decision as would be computed in the Delaware Superior Court. The review shall be presented to the Board who may overturn the Panel's decision by a majority vote of a quorum of the Board.

5.4 A aggrieved party may seek legal review on the record only in accordance with 29 Del.C. Ch. 101, Subchapter V.

6.0 Permitted uses by participants

6.1 In an effort to maximize the health care benefits of the DHIN, participants are authorized to utilize the system to its maximum extent possible while maintaining the required high level of security and privacy for the information. Participants are authorized to use the DHIN without regard to whether the ordering entity is a participant of the DHIN. This includes participants that are subject to the Clinical Laboratory Improvement Act ["CLIA"] and regulations promulgated thereunder.

6.2 Participants shall comply with the data use agreements they entered into with the DHIN. The terms, conditions and requirements of the existing and future data use agreements may be determined and amended by the Board.

7.0 Patient access

7.1 Individuals may be provided access to the information about them that is in the interchange in a manner and under terms and conditions that the Board shall set out by rule or procedure.

7.2 Individuals shall be informed of and may choose to preclude a search of their individual health information (as defined in above Section 3.1.1) in the DHIN Interchange after consultation with their health care provider and in accordance with the rules or procedures promulgated by Board.

8.0 Technical Standards

8.1 The Board by rule or procedure shall establish the technical requirements for participation in the DHIN. These standards shall conform to or incorporate national standards to the extent such is feasible.

1.0 Scope and Authority

1.1 A significant part of the statutory mandate of the Delaware Health Information Network ("DHIN") is to support and improve the efforts of health care providers, payers, researchers, and state instrumentalities in improving the quality and lowering the costs of health care in the State of Delaware. As a part of that mandate, the General Assembly has authorized DHIN, where permitted by its agreements with its Data Sending Organizations, to permit appropriate individuals and organizations to access clinical data in its possession for approved research purposes. Such access must be limited and comply with the terms and conditions established by DHIN to protect the safety and confidentiality of patient information. Nothing in this regulation is intended to alter the ability of Data Receiving Organizations (as that term is defined in 1 DE Admin. Code 101) to use clinical data received from DHIN consistent with existing data use and business associate agreements each has entered into with DHIN.

1.2 DHIN has been authorized by statute, 16 Del.C. §§10306 & 10307, to promulgate rules and regulations to carry out its statutory mandate.

2.0 Definitions

The following words and terms, when used in this regulation, have the following meaning unless the context clearly indicates otherwise:

"Act" means DHIN's enabling legislation, 16 Del.C. Chapter 103.

"Approved User" means any person or organization that DHIN has authorized to view or access Available Clinical Data.

"Available Clinical Data" means Data included in DHIN's Clinical Data Repositories as to which DHIN has appropriate agreements in place with the Data Sending Organization that provided the Data to DHIN to permit use of that Data for the analytic purposes identified in this regulation.

"Board" means DHIN's Board of Directors, as established by the Act.

"Bylaws" means the Bylaws as approved by the Board.

"Clinical Data Access Committee" or "Committee" means the subcommittee established by the Board and governed by its Bylaws that has the authority to determine when applications for Available Clinical Data should be provided to a data requestor to facilitate the purposes of the Act, and such other duties as designated by the Board consistent with the Act. If the Board so determines, the Committee can (but need not) be the same committee that determines access to claims data held within the Delaware Health Care Claims Database, as set forth in 1 DE Admin. Code 104.

"Data" means medical or other health care information of or about an individual which is transmitted or available from Data Sending Organizations for transmission to DHIN and included in DHIN's clinical data repositories. The term includes PHI.

"Data Sending Organization" means an organization that contracts with DHIN to provide Data to DHIN for use in its clinical data repositories for purposes consistent with the Act, these regulations, and the contract between DHIN and Data Sending Organization. The term does not include organizations that solely provide claims data to the Health Care Claims Database pursuant to 1 DE Admin. Code 104, or organizations that solely contract with DHIN to receive analytic services or clinical data for approved analytic use cases pursuant to 1 DE Admin. Code 102.

"De-identified data" means de-identified data as defined in HIPAA. Unless otherwise defined in HIPAA, it shall mean health information that is not considered PHI because it excludes the following direct and indirect patient identifiers:

Direct Patient Identifiers
Telephone numbers;
Fax numbers;
Email addresses;
Social security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers;
Device identifiers and serial numbers;
IP addresses;
Biometric identifiers, including fingerprints;
Full-face photographs;
Any other unique identifying characteristic or code.
Indirect Patient Identifiers
All geographic subdivisions smaller than a state, except for the initial three digits of a zip code;
All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.

"HIPAA" means the Health Insurance Portability and Accountability Act of 1996 as amended and associated regulations, including the Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) and Security Rule (45 CFR Part 160 and Subparts A and C of Part 164).

"Identified data" means health information as defined in HIPAA that contains direct patient identifiers.

"Limited data set" means a limited data set as defined in HIPAA. Unless otherwise set forth in HIPAA, the term means PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's authorization or a waiver or an alteration of authorization for its use and disclosure, with a data use agreement. The following data elements are removed from a limited data set:

Postal address information, other than town or city, state, and ZIP Code;
Telephone number;
Fax numbers;
Electronic mail addresses;
Social Security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web universal resource locators (URLs);
Internet protocol (IP) address numbers;
Biometric identifiers, including fingerprints and voiceprints;
Full-face photographic images and any comparable images.

A limited data set may include

City, state, ZIP Code;
Elements of dates;
Other numbers, characteristics, or codes not listed as direct identifiers.

"Protected health information" or "PHI" means individually identifiable health information, as that term is defined in HIPAA.

"Provider" means a hospital, facility, or any health care practitioner licensed, certified, or authorized under State law to provide health care services and includes hospitals and health care practitioners participating in group arrangements, including accountable care organizations, in which the hospital or health care practitioners agree to assume responsibility for the quality and cost of health care for a designated group of beneficiaries.

"Re-disclosure" means the publication, distribution or other dissemination of Available Clinical Data released to an Approved User using any medium and in any format, context or structure.

3.0 General Data Access Provisions

3.1 Available Clinical Data may be released to a person or organization for purposes of:

3.1.1 Facilitating data-driven, evidence-based improvements in access to and quality of health care;

3.1.2 Improving the health of Delawareans generally;

3.1.3 Lowering the growth in per-capita health care costs; or

3.1.4 Providing enhanced provider experience that promotes patient engagement.

3.2 Unless otherwise provided for in this regulation, requests for access to Available Clinical Data or for analytic services based thereupon shall require completion of a written Data access application, in a form to be published by DHIN on its website, that describes the intended purpose and use of the data, the justification for the data request, and the security and privacy measures that will be used to safeguard the data and prevent unauthorized access to or use of the data. DHIN may require such additional information from a data requestor as DHIN determines, in its discretion, is required to evaluate any particular request. Exceptions to this rule include:

3.2.1 Requests by a Data Sending Organization for access to its own data or for analytic services based upon its own data shall not require Committee review or approval.

3.2.2 The Committee, at a duly noticed public meeting, may authorize additional exceptions to this rule, provided such exceptions are consistent with the requirements of the Act, HIPAA, and relevant Delaware law. Any such exceptions shall be identified publicly on DHIN's website.

3.3 If authorized by the Committee or the Board, de-identified data or the analytic evaluation thereof may be released to applying parties or the public without obtaining full Board or Committee review.

3.3.1 Release of such de-identified data shall be pursuant to such terms and conditions as are established by the Committee or the Board.

3.3.2 Release of such de-identified data shall only be permitted if the purposes for such release are consistent with the purposes for release of data set forth in the Act and this regulation.

3.4 Requests for limited data sets or identified data, or for analytic services based upon such data, must be reviewed by the Committee to determine whether the request complies with the purposes of the Act and this regulation.

3.5 DHIN shall not provide identified data to any requesting party without first obtaining or being provided with written consent from the patient authorizing such disclosure. Such consent must be in a form consistent with HIPAA and must explicitly authorize DHIN or health information exchanges generally to release identified data to the requesting party.

4.0 Structure and Duties of the Committee

4.1 The Committee shall have a chairperson and members appointed by the Board.

4.2 The Committee shall be comprised of five (5) to eleven (11) members and shall be representative of various stakeholder groups, including, where possible, consumers, employers, health plans, hospitals, physicians, ACO Administrators, researchers, and State government.

4.3 The Committee shall finalize a data request application, establish business operating rules for the review and consideration of applications, and determine a schedule for reviewing applications. These business rules shall be subject to periodic updates by the Committee and shall be maintained on the DHIN website.

4.4 The Committee shall consider any comments received from Data Sending Organizations whose Available Clinical Data is being requested. The Committee shall approve an application by majority vote after finding the following:

4.4.1 The intended use is consistent with the Act;

4.4.2 Access to the requested data is necessary to achieve the intended goals, including but not limited to the need for any requested identifiable data;

4.4.3 The request complies with all applicable state and federal laws relating to the privacy and security of PHI; and

4.4.4 The applicant is qualified to serve as a responsible steward of the requested data.

4.5 The Committee reserves the right to ask an applicant to acquire Institutional Review Board review, or its equivalent, prior to approving an application.

4.6 The Committee may ask for any information or assurances from a requesting party that it determines, in its discretion, may be needed in order to evaluate the application.

4.7 After a decision is reached by the Committee, public notice will be posted on the DHIN website that an application for data access was received, by whom it was submitted and for what purposes, and the decision of the Committee to grant or deny the application. The final determination of the Committee shall not be subject to appeal.

5.0 Notification to Data Sending Organizations.

5.1 The DHIN shall notify a Data Sending Organization when an application is received for a limited data set or identified data containing Available Clinical Data that was submitted to DHIN by that Data Sending Organization.

5.2 The notification shall include but not be limited to: a summary of the request; the specific clinical data element or elements being requested; and the name of the requestor. Data Sending Organizations will have ten business days to provide written comment to DHIN regarding the request.

6.0 Additional Agreements

6.1 Upon the Committee's approval of an application for Available Clinical Data or DHIN's agreement to provide de-identified data following the conclusion of any process or procedures required by the Committee or the Board, the requesting party shall sign a legally binding data use agreement.

6.2 The data use agreement will include but not be limited to:

6.2.1 Confirmation of compliance with such confidentiality and data security protocols as may be required by DHIN or the Committee, in all cases to include compliance with HIPAA and relevant Delaware law on the privacy and security of health information;

6.2.2 Confirmation of compliance with the re-disclosure requirements set forth in this regulation and identified in the application;

6.2.3 Commitment to use Available Clinical Data for the sole purpose of executing the project identified in the application and approved by DHIN or the Committee;

6.2.4 Commitment to document data destruction processes at the end of the project; and

6.2.5 Commitment to comply with all statutory and regulatory requirements.

6.3 DHIN may require a successful applicant to enter into such additional agreements as may be determined by DHIN or the Committee, in their discretion, to be necessary or desirable to permit DHIN to comply with its legal obligations in fulfilling the requirements of this regulation.

7.0 Re-Disclosure Requirements

7.1 DHIN may issue public reports containing or based upon de-identified data without Committee review and approval.

7.2 Any other re-disclosure of Available Clinical Data shall require Committee review and approval.

7.3 All Available Clinical Data that is shared publicly or re-disclosed to anyone other than an Approved User shall adhere to federal Centers for Medicare & Medicaid Services ("CMS") cell size suppression requirements for CMS Research Identifiable Files.

8.0 Fees

8.1 DHIN may charge a reasonable cost-based fee for preparing and transmitting Available Clinical Data to an approved applicant. This fee may include:

8.1.1 Costs of aggregating, storing, extracting, de-identifying, and transmitting the information;

8.1.2 Associated infrastructure and staff labor costs;

8.1.3 Costs for programming and data generation;

8.1.4 Allocated indirect operating costs;

8.1.5 Other costs associated with the production and transmission of data sets; and

8.1.6 Such other costs or fees as DHIN determines necessary.

8.2 DHIN may charge such fees as it may determine are appropriate for the provision of analytic services.

8.3 At DHIN's discretion, fees may be reduced or waived for certain entities or in response to certain requests.

8.4 DHIN shall have a record of payment in full or other adequate assurances as it may determine are sufficient prior to providing data or analytic services to Approved Users.

8.5 Fees shall be deposited into a DHIN account and use to support DHIN's operating costs.

9.0 Penalties

9.1 If an Approved User violates the terms of the data use agreement, DHIN may take one or more of the following actions:

9.1.1 Revoke permission to use the data and require its return or destruction;

9.1.2 Pursue civil or administrative enforcement action under applicable Delaware state law;

9.1.3 Notify the Approved User's licensing body, if any, and if none, its accreditation body;

9.1.4 If the violation pertains to access or misuse of the data, DHIN may report the violation to the office of the Attorney General, pursuant to the Act.

12 DE Reg. 979 (01/01/09)
25 DE Reg. 624 (12/01/21) (Final)