DELAWARE HEALTH INFORMATION NETWORK

 

Statutory Authority: 16 Delaware Code, Sections 10306 and 10314(d) (16 Del.C. §§10306 & 10314(d))
1 DE Admin. Code 104

PROPOSED

PUBLIC NOTICE

104 Delaware Health Care Claims Database Data Access Regulation

In compliance with the State's Administrative Procedures Act (APA - Title 29, Chapter 101 of the Delaware Code) and under the authority of Title 16 of the Delaware Code, Chapter 103, Sections 10306 and 10314(d), the Delaware Health Information Network (DHIN) is proposing an amendment to its regulations governing access and use of clinical data held in the Delaware Health Care Claims Database.

Any person who wishes to make written suggestions, compilations of data, testimony, briefs or other written materials concerning the proposed regulatory amendments must submit same to Scott Perkins, General Counsel, Delaware Health Information Network, 107 Wolf Creek Blvd., Suite 2, Dover, Delaware 19901 or by email to Scott.Perkins@dhin.org by 4:30 p.m. on October 29, 2021. Please identify in the subject line: DHIN Delaware Healthcare Claims Database Data Access Regulation.

The action concerning the determination of whether to adopt the proposed regulations will be based upon the results of DHIN and DHIN staff analysis and the consideration of the comments and written materials filed by other interested persons.

SUMMARY OF PROPOSAL

The purpose of this notice is to advise the public that DHIN is proposing amendments to its regulations governing the access to claims data contained in the Delaware Healthcare Claims Database.

Statutory Authority

16 Del.C. §§ 10306 and 10314(d).

Background

The Delaware Healthcare Claims Database (HCCD) was established within DHIN in 2016. The HCCD was intended to support the State's ongoing healthcare innovation efforts by supporting researchers, healthcare organizations, and other third parties engaged in activities designed to improve health, health care quality and experience, and affordability for all Delawareans. DHIN promulgated regulations to support these goals and to set up the regulatory framework through which reporting entities would provide data to DHIN and DHIN would review and act upon applications to receive data. The amendments to the regulations are intended to codify certain best practices identified during the first few years of HCCD operations, to reflect changes to the HCCD enabling legislation that have occurred since the regulations were first issued, and to provide additional clarity and confirmation regarding DHIN's treatment and handling of applications that, by statute, do not require review by DHIN's HCCD Access Committee.

Summary of Proposal

Summary of Proposed Changes

DHIN plans to publish the proposed amendments to the regulations governing the access to data contained in the HCCD and to hold them out for public comment per Delaware law. The amendments update the regulatory language to more clearly define the respective roles and responsibilities of DHIN and data applicants, to make technical changes, and to update the regulations to take into account changes to the HCCD statute concerning state agencies that receive access at no charge to data reported by DHIN.

Public Notice

In accordance with the state public notice requirements of Title 29, Chapter 101 of the Delaware Code, DHIN gives public notice and provides an open comment period for more than thirty (30) days to allow all stakeholders an opportunity to provide input on the proposed regulation. Comments must be received by 4:30 p.m. on October 29, 2021.

Fiscal Impact

Not applicable

104 Delaware Health Care Claims Database Data Access Regulation

1.0 Authority and Purpose

1.1 Statutory Authority. 16 Del.C. §10306 authorizes the Delaware Health Information Network (DHIN) to promulgate rules and regulations to carry out its objectives under 16 Del.C. Ch. 103, Subchapter II.

1.2 The Health Care Claims Database ("HCCD") was created by statute, pursuant to Chapter 103, Subchapter II of Title 16, under the purview of DHIN, to achieve the "Triple Aim" of the State's ongoing health care innovation efforts: (1) improved health; (2) health care quality and experience; and (3) affordability for all Delawareans. The HCCD is created and maintained by the DHIN, to facilitate data-driven, evidence-based improvements in access, quality, and cost of healthcare and to promote and improve the public health through increased transparency of accurate Claims Data and information. To accomplish those objectives, a centralized Health Care Claims Database was established to enable the State to more effectively understand utilization across the continuum of health care in Delaware and achieve the Triple Aim.

2.0 Definitions

The following words and terms, when used in this regulation, have the same following meaning as those in CDR 1-100-103 §2.0 unless the context clearly indicates otherwise:

"Approved User" means any person or organization that DHIN has authorized to view or access data from the Health Care Claims Database, including Delaware state agencies and DHIN itself.

"Claims Data" means Required Claims Data and any additional health care information that a voluntary reporting entity elects, through entry into an appropriate Data Submission and Use Agreement, to submit to the Delaware Health Care Claims Database.

"Clinical Proxy Data Elements proxy data elements" means any health care information contained within Claims Data which describes a rendered clinical service, including but not limited to: procedure codes, diagnosis codes, dates and locations of clinical services, healthcare providers, and pharmacy data, and excludes Pricing Information.

"Collaborating State Agencies" means the Delaware Office of Management and Budget, State Employee Benefits Committee, Division of Public Health, and Division of Medicaid and Medical Assistance Assistance, and their successors, if applicable any other agencies identified in 16 Del.C. §10314(c).

“Community Health Record” or “CHR” means a searchable online portal that presents authorized users with a view of a patient’s aggregated clinical data from all sources that contribute health data to DHIN. Access to patient records in the Community Health Record is on the basis of an established relationship between the patient and the end user for purposes of Treatment, Payment, and Operations treatment, payment, operations and public health purposes, as those terms are defined in the HIPAA regulations, for Public Health purposes as defined in the HIPAA Privacy Rule, or by patient consent or patient request, or otherwise as set forth in DHIN’s enabling legislation and associated regulations. Patients can opt out of allowing their CHR data to be searchable by anyone who was not the ordering Provider provider, but may not opt out of reporting required by law or regulation, such as, but not limited to, reporting of certain conditions to the Division of Public Health.

"Data Submission and Use Agreement" or "DSUA" means the agreement between the HCCD Administrator and the Reporting Entity describing the specific terms and conditions for data submission and use.

“Data Submission Guide” means the document providing the specific content, formats, timelines, data quality standards and other requirements for claims data submission, incorporated as Addendum One to the DSUA. It shall be established and maintained as a technical guidance document and substantively updated on an annual basis.

"De-Identified Data De-identified data" means health information as defined in the HIPAA Privacy Rule, which is not considered PHI because it excludes the following direct and indirect patient identifiers:

Direct Patient Identifiers
Names;
Telephone numbers;
Fax numbers;
Email addresses;
Social security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers;
Device identifiers and serial numbers;
URL's;
IP addresses;
Biometric identifiers, including fingerprints;
Full-face photographs;
Any other unique identifying characteristic or code.
Indirect Patient Identifiers
All geographic subdivisions smaller than a state, except for the initial three digits of a zip code;
All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.

"HCCD Administrator" means the Delaware Health Information Network and its staff and contractor(s) any contractors that are responsible for collecting data submissions, providing secure production services and providing data access for approved users.

"Health Care Claims Database" or "HCCD" means the database and associated technology components maintained by DHIN and authorized under 16 Del.C. Ch. 103, Subchapter II.

"Health Care Claims Database Committee" (the "Committee") means the subcommittee established by the Delaware Health Information Network Board of Directors and governed by its by-laws that has the authority to determine when applications for Claims Data should be provided to a data requestor to facilitate the purposes of the enabling legislation, and such other duties as designated by the DHIN Board of Directors consistent with the enabling legislation.

"Health care services" means as defined in 18 Del.C. §6403.

"Health Insurer" means as defined in 16 Del.C. §10312.

"Identified Data data" means data that contains direct patient identifiers.

"Limited Data Set data set" means PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization authorization or a waiver or an alteration of Authorization authorization for its use and disclosure, with a data use agreement. The following data elements are removed from a Limited Data Set limited data set:

Names;
Postal address information, other than town or city, state, and ZIP Code;
Telephone number;
Fax numbers;
Electronic mail addresses;
Social Security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web universal resource locators (URLs);
Internet protocol (IP) address numbers;
Biometric identifiers, including fingerprints and voiceprints;
Full-face photographic images and any comparable images.

A Limited Data Set limited data set may include:

City, state, ZIP Code;
Elements of dates;
Other numbers, characteristics, or codes not listed as direct identifiers.

"Mandatory Reporting Entity" means the following entities, except as prohibited under federal law:

The State Employee Benefits Committee and the Office of Management and Budget, under each entity's respective statutory authority to administer the State Group Health Insurance Program in 19 Del.C. Ch. 96, and any Health Insurer, Third Party Administrator, or other entity that receives or collects charges, contributions, or premiums for, or adjusts or settles health claims for, any State employee, or their spouses or dependents, participating in the State Group Health Insurance Program, except for any carrier, as defined in 29 Del.C. §5290, selected by the State Group Health Insurance Plan to offer supplemental insurance program coverage under 29 Del.C. Ch. 52C.
The Division of Medicaid and Medical Assistance, with respect to services provided under programs administered under Titles XIX and XXI of the Social Security Act.
Any Health Insurer or other entity that is certified as a qualified health plan on the Delaware Health Insurance Marketplace for plan year 2017 or any subsequent plan year.
Any federal health insurance plan providing Health Care Services to a resident of this State, including Medicare fee for service, Medicare Part C/Medicare Advantage and Medicare Part D Prescription Drug plans and the Federal Employees Health Benefits Plan.

"Member" means individuals, employees, and dependents for which the Reporting Entity has an obligation to adjudicate, pay or disburse claims payments. The term includes covered lives. For employer-sponsored coverage, Members include certificate holders and their dependents. This definition includes all members of the State Group Health Insurance Program regardless of state of residence.

"Pricing Information" means any information referring to prices charged or paid, and includes the pre-adjudicated price charged by a Provider to a Reporting Entity for Health Care Services, the amount paid by a Member or insured party, including co-pays and deductibles, and the post-adjudicated price paid by a Reporting Entity to a Provider for Health Care Services.

"Protected Health Information health information" or "PHI" means individually identifiable health information as defined in the HIPAA Privacy Rule.

"Provider" means a hospital, facility, or any health care practitioner licensed, certified, or authorized under State law to provide Health Care Services and includes hospitals and health care practitioners participating in group arrangements, including accountable care organizations, in which the hospital or health care practitioners agree to assume responsibility for the quality and cost of health care for a designated group of beneficiaries.

"Re-disclosure" means the publication, distribution or other dissemination of Claims Data released to an Approved User using any medium and in any format, context or structure.

"Reporting Entity" means either a Mandatory Reporting Entity or a Voluntary Reporting Entity.

"Required Claims Data" as authorized under 16 Del.C. §10312(8) means the required data containing records of member eligibility, medical services claims and pharmacy claims as specified in the Data Submission Guide.

"Submission Guide" means the document providing the specific formats, timelines, data quality standards and other requirements for claims data submission, incorporated as Addendum One to the DSUA. It shall be established and maintained as technical guidance document and substantively updated on an annual basis.

"Voluntary Reporting Entity" means any of the following entities that has chosen to submit or has been instructed to submit data at the request of an employer or client and enters into a Data Submission and Use Agreement, unless such entity is a Mandatory Reporting Entity:

Any Health Insurer.
Any Third Party Administrator not otherwise required to report.
Any entity, which is not a Health Insurer or Third Party Administrator, when such entity receives or collects charges, contributions, or premiums for, or adjusts or settles health care claims for, residents of this State.

3.0 General Data Access Provisions

3.1 HCCD data may be released to a person or organization for purposes of:

3.1.1 Promoting and improving public health;

3.1.2 Advancing the "Triple Aim" of improving health, improving health care quality and experience, and improving affordability;

3.1.3 Providing information to effectively manage risk for the health needs of a population.

3.2 The DHIN may provide HCCD data or data access at the following levels of detail, per the procedures established in this Regulation:

3.2.1 De-Identified Data De-identified data

3.2.2 Limited Data Sets data sets

3.2.3 Identified Data data

3.3 Except as otherwise specified in this Regulation, all requests for HCCD data or data access shall require completion of a written Data Access Application data request application that describes the intended purpose and use or uses of the data, the justification for the data request, and the security and privacy measures that will be used to safeguard the data and prevent unauthorized access to or use of the data as well as such other acknowledgments as may be included on the Data Request Application application. Exceptions to this rule include:

3.3.1 DHIN may incorporate HCCD Clinical Proxy Data Elements clinical proxy data elements into the Community Health Record for purposes of treatment and care coordination, without a written application or Committee review.

3.3.2 DHIN may make HCCD Clinical Proxy Data Elements clinical proxy data elements available to the Members to whom they apply without a written application or Committee review. Members may access their health data by enrolling in DHIN’s Personal Health Record on the DHIN website at www.DHIN.org.

3.4 The Committee shall review submitted data request applications pursuant to business rules established by the Committee consistent with Section 4.0 below and the HCCD’s enabling legislation. Exceptions to this rule include:

3.3.33.4.1 Requests from Reporting Entities for their own data will not require Committee review.

3.3.43.4.2 Collaborating State Agencies may access HCCD data without Committee review by entering into an interagency agreement with the DHIN. The allowable uses of Claims Data by Collaborating State Agencies will be posted on DHIN’s web site for public transparency. The interagency agreement shall include but not be limited to the following:

3.3.4.13.4.2.1 Confirmation that the Collaborating State Agency will conform to DHIN's confidentiality and data security protocols and all applicable state and federal laws relating to the privacy and security of PHI;

3.3.4.23.4.2.2 Confirmation that the Collaborating State Agency will abide by re-disclosure requirements as specified in Section 6 Section 6.0 of this Regulation regulation.

3.3.53.4.3 Requests from Providers for their own data, as submitted by Reporting Entities, will not require Committee review.

3.43.4.4 Applications for De-Identified Data de-identified data may be eligible for expedited review.

3.5 The Committee shall review, without exception, the following types of applications to confirm the intended use is consistent with the statutory purpose of the HCCD:

3.5.1 Applications for Limited Data Sets;

3.5.2 Applications for Identified Data;

3.5.3 Applications from out-of-state commercial requestors who are not Reporting Entities and whose intended use will not directly benefit Delawareans;

3.5.4 Applications for Pricing Information and other sensitive financial data elements.

3.63.5 DHIN will post an annual summary of disclosures on its website.

4.0 Structure and Duties of the Committee

4.1 The Committee shall have a chairperson and members appointed by the DHIN Board of Directors.

4.2 The Committee shall be comprised of five (5) to eleven (11) members and shall be representative of various stakeholder groups, including, where possible, consumers, employers, health plans, hospitals, physicians, researchers, and State government.

4.3 The Committee shall finalize a data request application, establish business operating rules for the review and consideration of applications, and determine a schedule for reviewing applications. These business rules shall be subject to periodic updates by the Committee and shall be maintained on the DHIN website.

4.4 The Committee shall consider any comments received from Reporting Entities whose Claims Data is being requested in all circumstances where Committee review is required by the enabling legislation and these regulations. The Committee shall approve an application by majority vote after finding the following:

4.4.1 The intended use is consistent with the statutory purpose of the HCCD;

4.4.2 Access to the requested data is necessary to achieve the intended goals, including but not limited to the need for identifiable data, if requested;

4.4.3 The request complies with all applicable state and federal laws relating to the privacy and security of PHI;

4.4.4 The request complies, to the fullest extent practicable, with guidance found in Statement 6 of the Department of Justice and Federal Trade Commission Enforcement Policy regarding the exchange of price and cost information;

4.4.5 The applicant is qualified to serve as a responsible steward of the requested data.

4.5 The Committee reserves the right to ask an applicant to acquire Institutional Review Board review, or its equivalent, prior to approving an application.

4.6 After a decision is reached by the Committee, public notice will be posted on the DHIN website that an application for data access was received, by whom it was submitted and for what purposes, and the decision of the Committee to grant or deny the application. The final determination of the Committee shall not be subject to appeal.

4.7 In circumstances in which no Committee review of the application is required by this regulation, DHIN staff shall consider the information identified in subsection 4.4 prior to releasing data, and reserves the same rights as the Committee in subsection 4.5. DHIN’s final determination shall not be subject to appeal. DHIN shall post disclosures made without Committee review as required by subsection 3.5.

5.0 Applications for HCCD Data

5.1 The DHIN shall notify a Reporting Entity when an application is received for Claims Data which was submitted to the HCCD by that Reporting Entity, irrespective of whether the particular application is subject to Committee Review. The notification shall include but not be limited to: a summary of the request; the specific Claims Data element(s) element or elements being requested; and the name of the requestor. Reporting Entities will have ten business days to provide written comment to DHIN regarding the request.

5.2 Upon the Committee's approval of an application for HCCD data, or DHIN’s approval in circumstances where these regulations do not require Committee review, the applicant shall sign a legally binding data use agreement. The data use agreement will include but not be limited to:

5.2.1 Confirmation of compliance with the DHIN's confidentiality and data security protocols;

5.2.2 Confirmation of compliance with the HCCD re-disclosure requirements;

5.2.3 Commitment to use HCCD data for the sole purpose of executing the approved research project;

5.2.4 Commitment to document data destruction processes at the end of the project.

5.2.5 Confirmation of compliance with all statutory and regulatory requirements.

6.0 Re-Disclosure Requirements

6.1 The DHIN and Collaborating State Agencies may issue public reports with aggregated HCCD data that adhere to the re-disclosure requirements without Committee review and approval.

6.2 Any re-disclosure of HCCD data made by anyone other than DHIN or a Collaborating State Agency, shall require Committee review and approval. All HCCD data shared publicly or re-disclosed to anyone other than an Approved User shall adhere to the following re-disclosure requirements:

6.2.1 Adhere to CMS federal Centers for Medicare & Medicaid Services (“CMS”) cell size suppression requirements for CMS Research Identifiable Files research identifiable files;

6.2.2 Exclude any Reporting Entity-specific Pricing Information that includes post-adjudicated claims data.

6.2.3 Follow guidance found in Statement 6 of the Department of Justice and Federal Trade Commission Enforcement Policy regarding the exchange of price and cost information.

7.0 Fees

7.1 DHIN may charge a reasonable cost-based fee for preparing and transmitting HCCD data. This fee may include: costs of aggregating, storing, extracting, de-identifying, and transmitting the information; associated infrastructure and staff labor costs; costs for programming and data generation; allocated indirect operating costs, other costs associated with the production and transmission of data sets, and such other costs or fees as DHIN determines necessary.

7.2 HCCD data and data access will always be provided free of charge to the following entities: DHIN shall provide Collaborating State Agencies with access, at no cost, to claims data reported by the HCCD. When access is authorized by this regulation, such data will be provided to a Collaborating State Agency in a standard data set to be established by DHIN and updated from time to time. Nothing in this regulation precludes DHIN from charging reasonable fees to state agencies, including Collaborating State Agencies, for analytic services and data access beyond the standard data sets reported by the HCCD.

7.2.1 The Office of Management and Budget;

7.2.2 State Employee Benefits Committee;

7.2.3 Division of Public Health;

7.2.4 Division of Medicaid and Medical Assistance.

7.3 At DHIN's discretion, fees may be reduced or waived for certain entities, including but not limited to:

7.3.1 CMS;

7.3.2 Reporting Entities;

7.3.3 Entities that submit other data to the DHIN.

7.4 The DHIN shall have a record of payment in full or other adequate assurances as it may determine are sufficient prior to providing data or access to Approved Users.

7.5 Fees shall be deposited into a DHIN account to support costs of operating the HCCD.

8.0 Penalties

8.1 If an Approved User violates the terms of the data use agreement, the DHIN may take one or more of the following actions:

8.1.1 Revoke permission to use the data;

8.1.2 Pursue civil or administrative enforcement action under applicable Delaware state law.

8.1.3 Notify the requester’s licensing body, if any, and if none, its accreditation body.

8.2 If the violation pertains to access or misuse of the data, the DHIN shall report the violation to the office of the Attorney General, pursuant to 16 Del.C. §10307(c) DHIN’s enabling legislation.

21 DE Reg. 712 (03/01/18)
25 DE Reg. 259 (09/01/21) (Prop.)
 