The board shall adopt rules to provide for public access to data allowed under this chapter and to implement the requirements of this section. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
1. Confidentiality. All data collected by the organization that contain protected health information are confidential. Data of the organization may be collected, stored and released only in accordance with this chapter and rules adopted pursuant to this chapter. Data of the organization containing protected health information may not be open to public inspection, are not public records for purposes of any state or federal freedom of access laws and may not be examined in any judicial, executive, legislative, administrative or other proceeding as to the existence or content of any individual's identifying health information except that an individual's identifying health information may be used to the extent necessary to prosecute civil or criminal violations regarding information in the organization database. Decisions of the organization or employees and subcommittees of the organization on data release are not reviewable. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
2. General public access; confidentiality. The board shall adopt rules making information provided to the organization under this chapter, except protected health information and other confidential information, available to any person upon request. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
3. Release of data. The board shall adopt rules for the release of data governing all levels of information in the form of de-identified data, limited data sets and protected health information. All uses of released data are governed by the following principles of release:
A. Release of protected health information must be limited to only information that is necessary for the stated purpose of the release; [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
B. Data releases must be governed by data use agreements that provide adequate privacy and security measures that include appropriate accountability and notification requirements as required of business associate agreements under HIPAA; [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
C. Follow-up must be provided to ensure data are used as specified and that no protected health information is publicly revealed. The board shall adopt rules providing for any necessary data suppression; and [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
D. Release of more protected health information than a limited data set as described in 45 Code of Federal Regulations, Section 164.514(e) must be approved by the board consistent with state and federal laws. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
[2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
4. Certain practitioners. The board shall adopt rules to protect the identity of certain health care practitioners, as it determines appropriate, except that the identity of practitioners performing abortions as defined in section 1596 must be designated as confidential and may not be disclosed. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
5. Notice and comment period. The board shall adopt rules to establish criteria for determining whether information is confidential clinical data, confidential financial data or other protected health information and specify procedures to give affected health care practitioners and payors notice and opportunity to comment in response to requests for information that may be considered confidential. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
6. Identifying information. The board shall adopt rules to provide that individuals may be directly or indirectly identified, including through a linking or reidentification process, only as provided in this chapter and the rules of the board. Any protected health information may be used only for the purposes for which the organization releases it. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
7. Minimum use. The board shall adopt rules to provide that persons gaining access to protected health information may use that information to the minimum extent necessary to accomplish the purposes for which approval was granted and for no other purpose. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
8. Limitation on release. The board may not grant approval for release of data if the board finds that the proposed identification of or contact with individuals would violate any state or federal law or diminish the confidentiality of health care information or the public's confidence in the protection of that information in a manner that outweighs the expected benefit to the public of the proposed investigation. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
9. Release; publication and use of data. The board shall adopt rules to govern the release, publication and use of analyses, reports and compilations derived from the health data made available by the organization. The rules must apply to all data collected, stored and released by the organization, including reports under section 8712. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
10. Other privacy protections. Individually identifiable data submitted to the organization that would be protected by Title 5, sections 19203 and 19203-D, Title 34-B, section 1207 or 42 United States Code, Section 290dd-2 may not be linked or reidentified in any way that identifies an individual or in any way for which there is a reasonable basis to believe the information could be used to identify an individual. The board shall adopt rules to ensure privacy and security protections of the data that are at least equivalent to the privacy and security requirements of HIPAA. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
11. Choice regarding disclosure of information. The board shall adopt rules to address the provisions for requirements regarding the disclosure of information in section 8717, subsection 3. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
12. Oversight and notification to individuals. Rules developed pursuant to this section must include a definition of "breach" and a procedure for notification to affected individuals that is equivalent to those of HIPAA. If a breach requiring notification to affected individuals has occurred, the board shall notify the joint standing committee of the Legislature having jurisdiction over health and human services matters within 30 days of the breach. Information provided pursuant to this subsection must maintain the confidentiality of all individuals affected by the breach. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
13. Individual complaints. The board shall adopt rules to establish a process for an individual to file a complaint if the individual believes that the individual's protected health information has been released by the organization, the board or an employee of the organization, in violation of the board's rules. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
14. Rulemaking. The board shall adopt rules as necessary to implement this section. Rules adopted pursuant to this section are major substantive rules as described in Title 5, chapter 375, subchapter 2-A. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
Added by 2014, c. 528, § 10, eff. upon the final adoption of major substantive rules required to implement the provisions of 2014, c. 528.