Sec. 10.25.18.10. Requirements for Accessing, Using, or Disclosing of Data Through an HIE for Secondary Use  

A. Population Care Management.

(1) An HIE may disclose de-identified data or a limited data set to a care management organization for purposes related to population care management, if approval is obtained from an internal review committee designated by the care management organization, which has:

(a) Entered into a data use agreement with the HIE; and

(b) Attested that the request is:

(i) For population care management purposes; and

(ii) Limited to the minimum necessary to complete the function.

(2) An HIE may disclose identifiable data to a care management organization for purposes related to population care management, if:

(a) The requirements of §A(1)(a) and (b) of this regulation are met;

(b) Appropriate notice has been provided to health care consumers whose information is being requested, and either:

(i) The health care consumers have authorized the release of their information to the requesting entity; or

(ii) An external and independent review committee has waived the need for the requesting entity to obtain authorization from those health care consumers who were provided appropriate notice, in accordance with Regulation .02B(2) of this chapter; and

(c) The disclosure is consistent with the authorization.

(3) Any external and independent review committee identified by the care management organization may approve an authorization waiver request where the requesting care management organization has demonstrated that:

(a) Appropriate notice to each health care consumer was provided and no authorization or denial of authorization was received from each health care consumer within the 30-day time frame;

(b) The objectives for which the data was requested could not be met without access to the requested data; and

(c) The requested use or disclosure involves no more than minimal risk to the privacy of those health care consumers whose authorization will be waived based on the presence of attributes that include, at a minimum:

(i) An adequate plan presented to the external and independent review committee to protect PHI from improper use, storage, and disclosure in accordance with current legal requirements and industry standards and practices as determined by the external and independent review committee;

(ii) An adequate plan to destroy the PHI when the purposes for which it has been requested are completed, unless such retention is authorized under the waiver or otherwise required by law; and

(iii) Adequate written assurances that the PHI will not be reused or disclosed to any person or entity, except as authorized under the waiver, as required or permitted by law, or for authorized oversight of the use.

(4) An HIE may not disclose a patient’s sensitive health information for population care management purpose unless permitted by applicable federal and State laws and regulations.

B. Research.

(1) An HIE may disclose de-identified data to a qualified research organization for research purposes if a privacy board has evaluated and confirmed that the:

(a) Requesting entity is a qualified research organization; and

(b) Requested data to be disclosed:

(i) Is for purposes related to research;

(ii) Is limited to the minimum necessary to complete the research purpose;

(iii) Will be used to serve a legitimate purpose consistent with the interest of the subject individuals; and

(iv) Meets the de-identification standard and specifications in accordance with 45 CFR 45 CFR §164.514(a)-(c).

(2) An HIE may disclose identifiable data to a qualified research organization for research purposes if:

(a) Approval is obtained from an IRB or privacy board in accordance with 45 CFR §164.512, including documentation of waiver approval as detailed in 45 CFR §164.512(i)(2); and

(b) The IRB or privacy board has evaluated the request and confirmed that the requirements of §B(1)(a) and (b)(i)-(iii) of this regulation are met.

(3) If an IRB or privacy board does not waive or alter the requirement of authorization from health care consumers whose identifiable data is to be disclosed, an HIE may only disclose identifiable data of health care consumers who have provided authorization, which must meet the requirements as set forth in 45 CFR §164.508.

(4) If an IRB or privacy board declines jurisdiction, then the disclosure of identifiable data may only be made if health care consumer authorization is obtained.

(5) As part of an HIE’s data use agreement with an entity to which it disclosed identifiable data for secondary use, there must be oversight by an IRB or privacy board for the duration of the research use.

(6) If an IRB or privacy board determines that the qualified research organization has failed to use or protect the data in accordance with the approved secondary use, the IRB or privacy board must report its findings to the HIE and the HIE must:

(a) Report the findings to federal and State agencies with jurisdiction over the violation, as deemed appropriate;

(b) Immediately terminate the data use agreement; and

(c) Direct the qualified research organization to destroy the data previously released by the HIE and attest that the data has been destroyed.

(7) The qualified research organization receiving data from an HIE for research purposes:

(a) Must contractually agree not to attempt to link de-identified data received from the HIE with other data sources in an effort to re-identify the data, or otherwise attempt in any other way to re-identify the data; and

(b) May disclose data to a third party acting on behalf of the qualified research organization only if the qualified research organization and third party enter into a data use agreement that requires the third party to be bound by the same provisions in the data use agreement between the HIE and qualified research organization.

(8) An HIE may charge a reasonable fee to a qualified research organization to which it discloses data for research, which fee must reflect the effort and be no greater than the actual direct and indirect costs required to prepare and release the data specific to the purpose authorized.

(9) An HIE may not disclose a patient’s sensitive health information for research purpose unless permitted by applicable federal or State laws and regulations.

C. Enforcement and Reporting.

(1) An HIE is not required to take legal or equitable action to enforce the requirements of the data use agreement or of any other contractual assurance provided for in Regulation .05C of this chapter.

(2) An HIE shall make summary reports available to the public quarterly that provide specific information about requests for data for secondary use and the release of data for secondary purposes.

(3) An HIE shall report at least annually to the Commission and more frequently, if requested by the Commission, regarding the release of information for population care management. The Commission may:

(a) Require a care management organization to provide additional information for review by the Commission or the Commission’s designated third party regarding the care management organization’s use of data from an HIE for population care management;

(b) Require the HIE to conduct an audit of the disclosure and use of the data utilizing a third-party auditor at the expense of either the recipient of the data or the HIE, as determined by Commission;

(c) Require the receiving entity to destroy the data received and cease any further use of the data; or

(d) Prohibit an HIE from releasing data for all or certain secondary data use purposes.

(4) An HIE shall, upon the request by a health care consumer, provide an accounting of any disclosures made to a receiving entity for secondary data use purposes, in accordance with Regulation .03C(4) of this chapter.