Ky. Rev. Stat. § 216.2927

Current through 2024 Ky. Acts ch. 225
Section 216.2927 - Types of data not to be published, released, or subject to inspection - Public-use data agreements and privacy rules - Confidentiality of raw data - Penalty for violation
(1) The following types of data shall be deemed as relating to personal privacy and, except by court order, shall not be published or otherwise released by the cabinet or its staff and shall not be subject to inspection under KRS 61.870 to 61.884:
(a) Any data, summary of data, correspondence, or notes that identify or could be used to identify any individual patient or member of the general public, unless the identified individual gives written permission to release the data or correspondence;
(b) Any correspondence or related notes from or to any employee or employees of a provider if the correspondence or notes identify or could be used to identify any individual employee of a provider, unless the corresponding persons grant permission to release the correspondence; and
(c) Data considered by the cabinet to be incomplete, preliminary, substantially in error, or not representative, the release of which could produce misleading information.
(2) Health-care providers submitting required data to the cabinet shall not be required to obtain individual permission to release the data, except as specified in subsection (1) of this section, and, if submission of the data to the cabinet complies with pertinent administrative regulations promulgated pursuant to KRS Chapter 13A, shall not be deemed as having violated any statute or administrative regulation protecting individual privacy.
(3)
(a) No less than sixty (60) days after the annual report or reports are published and except as otherwise provided, the cabinet shall make all aggregate data which does not allow disclosure of the identity of any individual patient, and which was obtained for the annual period covered by the reports, available to the public.
(b) Persons or organizations requesting use of the data shall agree to abide by a public-use data agreement and by HIPAA privacy rules referenced in 45 C.F.R. Part 164. The public-use data agreement shall include, at a minimum, a prohibition against the sale or further release of data, and guidelines for the use and analysis of the data released to the public related to provider quality, outcomes, or charges.
(4) Collection of data about individual patients shall include information commonly used to identify an individual for assigning a unique patient identifier. Upon assigning a unique patient identifier, all direct identifying information shall be stripped from the data and shall not be retained by the cabinet or the cabinet's designee.
(5) All data and information collected shall be kept in a secure location and under lock and key when specifically responsible personnel are absent.
(6) Only designated cabinet staff shall have access to raw data and information. The designated staff shall be made aware of their responsibilities to maintain confidentiality. Staff with access to raw data and information shall sign a statement indicating that the staff person accepts responsibility to hold that data or identifying information in confidence and is aware of penalties under state or federal law for breach of confidentiality. Data which, because of small sample size, breaches the confidence of individual patients, shall not be released.
(7) Any employee of the cabinet who violates any provision of this section shall be fined not more than five hundred dollars ($500) for each violation or be confined in the county jail for not more than six (6) months, or both, and shall be removed and disqualified from office or employment.

KRS 216.2927

Amended by 2018 Ky. Acts ch. 143, § 1, eff. 7/14/2018.
Amended by 2017 Ky. Acts ch. 80, § 48, eff. 6/29/2017.
Effective: 7/15/2008
Amended 2008, Ky. Acts ch. 71, sec. 3, effective 7/15/2008. -- Amended 1996, Ky. Acts ch. 371, sec. 28, effective 7/15/1996. -- Created 1994 Ky. Acts ch. 512, Pt. 2, sec. 9, effective 7/15/1994.