Current through Register Vol. XLI, No. 50, December 13, 2024
Section 67-1-4 - Exchange of data and information

4.1. Permitted Uses and Disclosures. The ODCP may disclose data for legitimate purposes relating to public health to participants. The ODCP shall have the sole discretion to determine what constitutes a legitimate purpose relating to public health.

4.2. Participants may use and disclose data and information in furtherance of the purposes and goals of participants relevant to the development and implementation of best practices and evidence-based substance use disorder prevention, cessation, treatment and recovery programs, and youth tobacco access, smoking cessation and prevention when necessary for their proper management, administration, or execution of their legal responsibilities and privileges established herein. The participants agree not to use or further disclose data and information other than as authorized by law.

4.3. Data and information maintained by the ODCP may not be disclosed for commercial purposes.

4.4. Overdose Information Maintained by Participants.

4.4.1. Participants will provide overdose information in electronic format as maintained on each participant's system. The specific data elements that will be exchanged are the demographic and health information being requested from the originating participant's system. The participants are not responsible for the absence of overdose information in a participant's records and are only obligated to provide such information as they currently possess. The participants acknowledge that the overdose information provided is drawn from numerous sources and the overdose information provided may not include an entire record.

4.4.2. Participants shall provide overdose information to the ODCP in a timely manner.

4.4.3. Participants will reasonably determine that information disclosed is accurate and complete. If a participant becomes aware of any material inaccuracies in its own overdose information or system, it agrees to communicate such inaccuracy to the ODCP as soon as reasonably possible.

4.5. Access to Data and Information by Participants.

4.5.1. All data requests for data and information housed and maintained by the ODCP shall be submitted to the director in a form and manner as the director may prescribe, including electronic submission.

4.5.2. Functions of the Director. The director is responsible for overseeing the process from receipt of a data request to the release of the data to the requestor. Specific responsibilities include:

4.5.2.a. Reviewing each data request and identifying the information being requested;

4.5.2.b. Coordinating with the department's privacy officer to determine whether a request is valid and the information may be released under applicable law;

4.5.2.c. Routing the request to the appropriate person or data analyst for completion, and following up as necessary to ensure accurate and timely completion of the request;

4.5.2.d. Communicating with the requestor as necessary; and

4.5.2.e. Maintaining accurate records of the requests.

4.5.3. Prior to receiving any data, the director may require participants to execute a data use agreement, in the form and manner as the director may prescribe.

4.6. Ownership. Disclosure of data under this rule does not change the ownership of such information under state and federal law. This rule does not grant to a participant any rights in the system or any of the technology used to create, operate, enhance, or maintain the system of another participant.

4.7. Privacy and Security Safeguards.

4.7.1. If the data to be provided constitutes or includes PII or PHI, then only the minimum amount of PII or PHI necessary to accomplish the purposes for which the data is requested may be used or disclosed.

4.7.2. Participants shall establish procedures to prevent the disclosure of data that may contain indirectly identifying information.

4.7.3. Participants will use administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of data they receive and to prevent the use or disclosure of any data received other than as permitted or required by federal or state law and by this rule. To that end, participants shall:

4.7.3.a. Provide for identification and authentication of authorized users;

4.7.3.b. Provide access authorization;

4.7.3.c. Guard against unauthorized access to data; and

4.7.3.d. Provide security audit controls and documentation.

4.7.4. A participant shall apply sanctions against any person, subject to the participant's policies and procedures, who fails to comply with such policies and procedures. The type and severity of sanctions applied shall be in accordance with the participant's policies and procedures. Participants shall make employees, agents, and contractors aware that certain violations may result in notification by a participant to law enforcement officials as well as regulatory, accreditation, and licensure organizations, if applicable.

4.7.5. A participant may, at its discretion, deny access to any person it has reason to believe accessed, used, or disclosed data other than as permitted under this rule.

4.7.6. Participants are also required to comply with the privacy and security provisions established by the state of West Virginia and are not required to adhere to the law or rules of or applicable to any other participant.

4.8. Breach of Privacy and Security Safeguards.

4.8.1. Breach of a material provision of the privacy and security safeguards contained in this section by a participant may be grounds for the director to discontinue the participant's access to data and information. Upon becoming aware of such a material breach, the director may do one or more of the following:

4.8.1.a. Provide an opportunity for the participant who has committed a material breach of the privacy and security safeguards contained in this section to cure the violation within 30 days, and if the participant does not cure or end the violation within the time specified by the director, terminate the authority of the participant to access data and information;

4.8.1.b. Demand assurances from the participant that remedial actions will be taken to remedy the circumstances that gave rise to the violation within a time frame set by, or approved by, the director; and

4.8.1.c. Terminate the authority to access data and information.

4.8.2. A participant who is the subject of sanctions contained in subdivision 4.8.a. may request a hearing.

4.8.2.a. A request for a hearing must be made within 90 days of the date of the director's notification of a sanction contained in subdivision 4.8.a.

4.8.2.b. The request for hearing must be made in writing and must clearly state the reasons for the request.

4.8.2.c. Hearings will be conducted pursuant to 64CSR1.