5.1 Authority
These regulations are promulgated pursuant to the authority conferred under R.I. Gen. Laws § 23-17.17-4(b) and are established for the purpose of defining the reporting requirements for health plans and Insurers to submit data and information to the Rhode Island All-Payer Claims Database (APCD), and to define the parameters for release of data, including the administrative process for release in a manner that maximizes public access while adhering to the highest standards of data privacy and security as permitted by applicable state and federal law.
5.2 Definitions
A. Wherever used in this Part, the following terms shall be construed as follows:
1. “Applicant” means an individual or organization that requests health care data and information in accordance with the procedures and requirements instituted by the Department pursuant to this Part.
2. “Data aggregator” means a vendor selected by the Director that has a contract to act on behalf of the Department to collect and process health care claims data on behalf of the Director.
3. “Department” means the Rhode Island Department of Health.
4. “Dental claims file” means a data file composed of service-level remittance information for all submitted and non-denied adjudicated claims for each billed dental service, including but not limited to Member Encrypted Unique Identifier, provider information, charge/payment information, and dental procedure codes.
5. “Director” means the Director of the Department of Health or his or her duly authorized designee.
6. “Direct personal identifier” means any information, as to a Member, other than case or code numbers used to create anonymous or encrypted data, that plainly discloses the identity of an individual, including:
a. Names;
b. Street addresses (other than town or city, state and 5-digit ZIP code);
c. Telephone numbers;
d. Fax numbers;
e. Electronic mail addresses;
f. Social Security numbers;
g. Medical record numbers;
h. Health plan beneficiary numbers;
i. Patient account numbers;
j. Certificate license numbers;
k. Vehicle identifiers and serial numbers, including license plate numbers;
l. Device identifiers and serial numbers;
m. Uniform resource locators (URL);
n. Personal Internet protocol (IP) addresses;
o. Biometric identifiers, including finger and voice prints; and
p. Full face photographs (or comparable images).
7. “Disclosure” means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
8. “Encrypted unique identifier” means a code or other means of record identification to allow each Patient, Member or enrollee to be tracked across the data set, including across payers and over time, without revealing Direct Personal Identifiers. Encrypted Unique Identifiers are assigned to each Patient, Member or enrollee in order that all Direct Personal Identifiers can be removed from the data when data is submitted. Using the Encrypted Unique Identifier, all records relating to a Patient, Member or enrollee can be linked for analytical, public reporting and research purposes without identifying the Patient, Member or enrollee.
9. “Encrypted unique identifier vendor” means a vendor selected and approved by the Director to collect demographic data only from Insurers, assign an Encrypted Unique Identifier to each Patient, Member, or enrollee, and transmit that identifier to the Insurer.
10. “Hashing” means a one-way method by which the true value of data has been transformed (through the conversion of the information into an unrecognizable string of characters) in order to prevent the identification of persons or groups. True value of hashed elements is deliberately non-recoverable by any recipient, including the Data Aggregator.
11. “Health benefit plan” means a policy, contract, certificate or agreement entered into, or offered by an Insurer to provide, deliver, arrange for, pay for or reimburse any of the costs of health care services.
12. “Health care data set” means a collection of individual data files, including Dental Claims File, Medical Claims Files, Pharmacy Claims Files, Member Eligibility Files and Provider Files, whether in electronic or manual form.
13. “Health care facility” means the same meaning as contained in R.I. Gen. Laws Chapter 23-17 and the regulations promulgated pursuant to that Chapter.
14. “Health care provider” means any person or entity licensed to provide or lawfully providing health care services, including, but not limited to, a physician, hospital, intermediate care facility or other Health Care Facility, dentist, nurse, optometrist, podiatrist, physical therapist, psychiatric social worker, pharmacist or psychologist, and any officer, employee, or agent of that provider acting in the course and scope of his or her employment or agency related to or supportive of health care services.
15. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (45 C.F.R. Parts 160 through 164).
16. “Insurer” means any entity subject to the insurance laws and regulations of Rhode Island, that contracts or offers to contract to provide, deliver, arrange for, pay for, or reimburse any of the costs of health care services and/or dental services, including, without limitation, an insurance company offering accident and sickness insurance, a health maintenance organization, as defined by R.I. Gen. Laws § 27-41-1, a nonprofit hospital or medical service corporation, as defined by R.I. Gen. Laws Chapters 27-19 and 27-20, or any other entity providing a plan of health insurance or health benefits. For the purpose of this Part, a Third-party Payer, Third-party Administrator, Pharmacy Benefits Manager or Medicare or Medicaid health plan sponsor is also deemed to be an Insurer.
17. “Medical claims file” means all submitted and non-denied adjudicated claims for each billed service paid by an Insurer as defined in § 5.2(A)(16) of this Part on behalf of a Member as defined in § 5.2(A)(18) of this Part regardless of where the service was provided. This data file includes but is not limited to service level remittance information including, but not limited to, Member Encrypted Unique Identifier, provider information, charge/payment information, and clinical diagnosis/procedure codes as described further in the RIAPCD Technical Specification Manual.
18. “Member” means a Rhode Island resident who is a Subscriber and any spouse or dependent who is covered by the Subscriber’s policy under contract with an Insurer. The term also includes Members of a small employer health insurance plan as defined by R.I. Gen. Laws § 27-50-3 regardless of the state of residency of the Member.
19. “Member eligibility file” means a data file composed of demographic information for each individual Member eligible for medical or pharmacy benefits as specified in the RIAPCD Technical Specification Manual, for one or more days of coverage at any time during the reporting month.
20. “Patient” means any person in the data set that is the subject of the activities of the claim submitted to and/or paid by the Insurer or covered by the health benefits plan.
21. “Personal health information” means information, as to a Member, about health status or provision of healthcare, including demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
22. “Pharmacy benefits manager” or “PBM” means any person or entity that develops or manages pharmacy benefits, pharmacy network contracts, or the pharmacy benefit bid process pursuant to a contract held with an Insurer for the provision of such services.
23. “Pharmacy claims file” means a data file composed of service-level remittance information including, but not limited to, Member demographics, provider information, charge/payment information, and national drug codes from all submitted and non-denied adjudicated claims for each prescription filled.
24. “Provider file” means a data file composed of provider information for each provider included on a medical, pharmacy or dental claim submitted during the reporting period, regardless of the type of provider or location where the services were provided, as specified in the RIAPCD Technical Specification Manual.
25. “Rhode Island all-payer claims database” or “RIAPCD” means a health care quality and value database for the collection, management and reporting of eligibility, claims and provider data submitted pursuant to R.I. Gen. Laws Chapter 23-17.17.
26. “RIAPCD technical specification manual” means the document entitled RIAPCD Technical Specification Manual Version 1.6 issued by the Department, or its contracted agent, that sets forth the required data file format, record specifications, data elements, definitions, code tables and edit specifications.
27. “Subscriber” means the individual responsible for payment of premiums to an Insurer or whose employment is the basis for eligibility for Membership in a Health Benefit Plan.
28. “Third-party administrator” or “TPA” means any person with a certificate of authority, issued pursuant to R.I. Gen. Laws § 27-20.7-12, who directly or indirectly solicits or effects coverage of, underwrites, collects charges or premiums from, or adjusts or settles claims on Members, pursuant to R.I. Gen. Laws § 27-20.7-2(1).
29. “Third-party payer” means a state agency that pays for health care services, or an Insurer, carrier, including a carrier that provides only administrative services for plan sponsors, nonprofit hospital, medical services organization, or managed care organization licensed in Rhode Island.
30. “User” means any person who the Department has authorized to access and use data from the Rhode Island All-Payer Claims Database.
5.3 General Provisions
5.3.1 Applicability
Unless specifically exempted pursuant to § 5.3.2 of this Part, this Part applies to all Insurers, as defined in § 5.2(A)(16) of this Part.
5.3.2 Exemptions
A. The requirements of this Part shall not apply to:
1. An Insurer that on January 1 of a reporting year has less than three thousand (3,000) enrolled or covered Members; or
2. Insurance coverage providing benefits for:
a. Hospital confinement indemnity;
b. Disability income;
c. Accident only;
d. Long-term care;
e. Medicare supplement;
f. Limited benefit health insurance as defined by R.I. Gen. Laws § 27-50-3(x);
g. Specified disease indemnity;
h. Sickness or bodily injury or death by accident or both; or
i. Other limited benefit policies, including but not limited to those exempt from the application of R.I. Gen. Laws § 27-50-3 pursuant to subsection (t)(2) through (4) of that statute.
5.3.3 Optional Consent
A. A covered Insurer must permit enrolled or covered Members to “opt out” of having any information or health care claims relating to them submitted to the RIAPCD.
1. The State will contract with a commercial vendor to operate a secure online portal to administer members’ opt-out requests. The online portal will be available twenty-four (24) hours a day, except for scheduled maintenance time, and will allow members to opt-out, opt back in, and check the status of their opt-out request.
2. The State will also offer a toll-free telephone number that members can call to opt-out over the phone.
3. Each covered Insurer shall notify all existing or new members of the option to opt-out via the secure portal or the toll-free telephone number, prior to submitting any of the members’ data to the RIAPCD. Each member must be notified of the opt-out provision at least once during their membership duration.
4. The method of notifying members of the opt-out provision will be at the discretion of each covered Insurer. Insurers may follow existing business practices to provide this notification.
5.4 Confidentiality
5.4.1 Access to RIAPCD Information
A. Health Care Data Sets and any other information submitted pursuant to this Part, by and between Insurers, the Rhode Island All-Payer Claims Database (RIAPCD), the Data Aggregator, and the Encrypted Unique Identifier Vendor:
1. Shall not be a public record as defined pursuant to R.I. Gen. Laws § 38-2-2. No Disclosure of any RIAPCD data set(s) or health information shall be made unless specifically authorized by the Director pursuant to this Part and as otherwise may be prescribed by law or regulation.
2. Shall be transmitted in accordance with the rules adopted in HIPAA (45 C.F.R. Parts 160 through 164), Confidentiality of Health Care Communications and Information Act (R.I. Gen. Laws Chapter 5-37.3) and other applicable law(s).
5.4.2 Removal of Direct Personal Identifiers
All Health Care Data Sets submitted to the Department or Data Aggregator pursuant to § 5.5 of this Part shall be protected by the removal or Hashing of all Direct Personal Identifiers. The Department or Data Aggregator shall not collect any data containing Direct Personal Identifiers.
5.4.3 Encrypted Unique Identifier
A. Insurers shall submit a Member Eligibility File, as specified in the RIAPCD Technical Specification Manual, for each of its Members to the Encrypted Unique Identifier Vendor to effectuate this requirement in accordance with the timeline outlined in § 5.6.2 of this Part. Under no circumstances shall the Insurer submit any Personal Health Information to the Encrypted Unique Identifier Vendor at any time or for any reason. Only Member demographic information, devoid of all Personal Health Information of any kind, shall be submitted to the Encrypted Unique Identifier Vendor.
1. Demographic data elements include but are not limited to: Member name, date of birth, Social Security number if available and date of enrollment.
2. The Encrypted Unique Identifier Vendor shall assign each Member an Encrypted Unique Identifier and transmit that information to the Insurer.
3. The Encrypted Unique Identifier Vendor shall maintain records wholly separately from the Director, the Department, the Data Aggregator and the All-Payer Claims Database as defined by R.I. Gen. Laws Chapter 23-17.17 and referenced by R.I. Gen. Laws § 23-17.17-10(b).
4. Notwithstanding any contractual arrangements, any Member’s Direct Personal Identifiers sent by an Insurer to the Encrypted Unique Identifier Vendor shall not be shared with any other party including the Department, the Director, the Data Aggregator or with the All-Payer Claims Database.
5. Data which is required to be sent to the Encrypted Unique Identifier Vendor by the Insurers shall not be considered data collected by the Department, the Director, the Data Aggregator or the All-Payer Claims Database.
5.4.4 Transmission of Encrypted Unique Identifier to Insurers
A. The Encrypted Unique Identifier vendor shall provide the Encrypted Unique Identifier assigned to a Member to the Insurer of record for that Member. Prior to sending data sets to the Data Aggregator, the Insurer shall attach the assigned Encrypted Unique Identifier to each record. Prior to transmitting the data sets and Encrypted Unique Identifier to the Data Aggregator, all Direct Personal Identifiers shall be removed and/or hashed.
1. The Insurer and/or payer shall maintain a record of the assignment of the Encrypted Unique Identifier assigned to each Member in such a way that would permit an audit or ongoing maintenance by the Director if necessary. Under no circumstance shall such audit or ongoing maintenance allow the Department, the Director, the Data Aggregator, or the RIAPCD to re-identify a Member.
2. The Insurer and/or payer being audited may request that such audit include a third-party review of the Unique Encrypted Identifier Vendor’s process for assignment and transmission of the Encrypted Unique Identifier assigned to each Member of that submitter. However, approval of a third-party review shall be at the sole discretion of the Director.
5.5 Submission Requirements
5.5.1 Specific Submission Requirements
A. Except as specifically exempted pursuant to § 5.3.2 of this Part, each Insurer shall submit to the Director a Health Care Data Set including claims-line detail for all health care services provided to a Member, whether or not the health care was provided within Rhode Island. Such data shall include, but shall not be limited to, fully-insured and self-funded accounts, all commercial medical products for all individuals and all group sizes and Medicare or Medicaid health plans. Such data shall not include Direct Personal Identifiers.
1. Should the Insurer have insufficient information to populate a Provider File in compliance with § 5.5.3(E) of this Part for services provided to a Member by an out-of-state, out-of-network provider, the Insurer may omit the Provider File from an otherwise complete health care data file submission.
2. Each Insurer shall also be responsible for the submission of all health care claims processed by any sub-contractor on its behalf unless such sub-contractor is already submitting the identical data as an Insurer in its own right.
3. The Health Care Data Set submitted shall include, where applicable, a Member Eligibility File, not including any Direct Personal Identifiers, but utilizing the Unique Encrypted Identifier assigned to the Member, covering every Member enrolled during the reporting month whether or not the Member utilized services during the reporting period, and a Provider File, to be defined in the RIAPCD Technical Specification Manual.
4. The data submitted shall also include supporting definition files for payer specific provider specialty taxonomy codes and procedure and/or diagnosis codes.
B. The Health Care Data Sets shall be submitted to the Data Aggregator in the format required in the RIAPCD Technical Specification Manual.
1. All Health Care Data Sets submitted to the Data Aggregator will have a Unique Identifier attached and shall be protected by the removal or Hashing of all Direct Personal Identifiers.
C. Insurers shall transmit the required Health Care Data Sets by means of a secure file transfer system to the Data Aggregator in a manner that is fully compliant with HIPAA and applicable Rhode Island statute and regulation.
5.5.2 RIAPCD Contact and Enrollment Update Form
A. Each Insurer shall submit to the Director or his or her designee by December 31st of each year, in a format outlined in the RIAPCD Technical Specification Manual, a contact and enrollment update form indicating if health care claims are being paid for Members and, if applicable, the types of coverage and estimated enrollment for the following calendar year.
B. It shall be the responsibility of the Insurer to resubmit or amend the form whenever modifications occur relative to the health care data files, type(s) of business conducted, or contact information.
5.5.3 Health Care Data Files to be Submitted
A. Medical Claims File: Insurers shall submit data files consistent with the definition contained in § 5.2(A)(17) of this Part. As detailed in the RIAPCD Technical Specification Manual, payers shall report information about services provided to Members under all reimbursement arrangements, including but not limited to fee for service, capitated arrangements, and any other claims-based payment methods.
B. Pharmacy Claims File: Insurers shall submit data files consistent with the definition contained in § 5.2(A)(23) of this Part for all pharmacy paid claims for covered pharmacy benefits that were actually dispensed to Members.
C. Dental Claims File: Insurers shall submit data files consistent with the definition contained in § 5.2(A)(4) of this Part for all dental paid claims for covered dental benefits that were actually dispensed to Members.
D. Member Eligibility File: Insurers shall submit data files consistent with the definition contained in § 5.2(A)(19) of this Part. As detailed in the RIAPCD Technical Specification Manual, payers shall report information on every Member enrolled during the reporting month whether or not the Member utilized services during the reporting period. This data submission shall not include the Member’s Direct Personal Identifiers. The submission will have a Unique Identifier attached and shall be protected by the removal or Hashing of all Direct Personal Identifiers.
E. Provider File: Insurers shall submit files consistent with the definition contained in § 5.2(A)(24) of this Part. As detailed in the RIAPCD Technical Specification Manual, payers shall report information that will uniquely identify Health Care Providers and allow retrieval of related information from Eligibility, Medical and Pharmacy Claims Files.
1. Tax ID numbers shall be submitted as part of the dataset except in the case that a provider uses their personal social security number as their tax ID number in which case the tax ID number need not be submitted.
5.5.4 Information Collected in Addition to the Health Care Data Set
A. The Director may require Insurers to submit and periodically update information about the insurance product covering each Member, including covered services, market sector, plan characteristics, total premiums, deductibles, co-insurance and copayments as set forth in the RIAPCD Technical Specification Manual.
B. The Director may require Insurers to report information about payments received under all reimbursement arrangements, including, but not limited to, fee-for-service, capitated arrangements, pay-for-performance and any other payment methods.
5.6 Technical Requirements
5.6.1 Code Sources and File Specifications
Only code sources and file specifications specified in this Part and/or the RIAPCD Technical Specification Manual shall be utilized in submission of the Health Care Data Sets required pursuant to § 5.5 of this Part.
5.6.2 Schedule for Submissions
A. Insurers shall submit information to the RIAPCD and the Encrypted Unique Identifier Vendor in the specified format in accordance with the following schedule:
1. Test Data Submissions
a. Within one hundred twenty (120) days of notification by the Department, or other date mutually agreed upon by the Department and Insurer, Insurers shall submit test files containing a month of representative Member Eligibility Files or as specified in the RIAPCD Technical Specification Manual to the Encrypted Unique Identifier Vendor.
b. The Encrypted Unique Identifier Vendor shall return the Member Eligibility File to the Insurer with an assigned Encrypted Unique Identifier within fifteen (15) days of a test file submission by an Insurer.
c. Within one hundred and fifty (150) days of notification by the Department, or other date mutually agreed upon by the Department and Insurer, Insurers shall submit part one of their test files containing a month of representative Member Eligibility Files, Medical Claims Files, Pharmacy Files, Dental Files, and Provider Files as specified in the RIAPCD Technical Specification Manual to the Data Aggregator.
2. Historical Data Submissions
a. Within two hundred and seventy (270) days of notification by the Department, or other date mutually agreed upon by the Department and Insurer, Insurers shall submit Member Eligibility Files as specified in the RIAPCD Technical Specification Manual to the Encrypted Unique Identifier Vendor.
b. The Encrypted Unique Identifier Vendor shall return the historical Member Eligibility File to the Insurer with an assigned Encrypted Unique Identifier within thirty (30) days of a submission of historical files by an Insurer. Within three hundred and thirty (330) days of notification by the Department, or other date mutually agreed upon by the Department and Insurer, Insurers shall submit Member Eligibility Files, Medical Claims Files, Pharmacy Files, Dental Files, and Provider Files as specified in the RIAPCD Technical Specification Manual, to the Data Aggregator.
(1) This submission period may be extended within the discretion of the Director to up to three hundred and sixty (360) days from notification by the Department, or other date mutually agreed upon by the Department and Insurer.
c. Submissions of additional Health Care Data Sets for remaining dates of service for months up to thirty (30) days prior to three hundred and thirty (330) days of notification by the Department shall be submitted according to a schedule provided within the RIAPCD Technical Specification Manual.
3. Regular Data Submissions
a. Upon completion of Historical Data Submissions as required by § 5.6.2(A)(2) of this Part, Insurers shall commence Regular Data Submissions.
(1) The timeline for Regular Data Submissions shall commence with the next month following the completion of Historical Data Submissions.
b. Insurers shall submit a Member Eligibility File for each of its Members, as specified in the RIAPCD Technical Specification Manual, to the Encrypted Unique Identifier Vendor.
(1) Monthly data files are due twenty-one (21) business days after the month’s end.
(2) For example, files containing data relating to eligibility during September 2018 shall be submitted by October 30, 2018 (accounts for weekends and holidays).
c. The Encrypted Unique Identifier Vendor shall return the Member Eligibility File to the Insurer with an assigned Encrypted Unique Identifier within ten (10) business days of a regular data submission by an Insurer.
d. Effective upon ten (10) business days after the receipt of the Member Eligibility File from the Encrypted Unique Identifier Vendor, Insurers shall submit Member Eligibility Files, Medical Claims Files, Pharmacy Claims Files, Dental Claims Files, and Provider Files, as specified in the RIAPCD Technical Specification Manual, to the Data Aggregator.
(1) Monthly data files are due within ten (10) business days of receipt of the assigned Encrypted Unique Identifier by the Insurer.
(2) For example, files containing data relating to services paid during September 2018 shall be submitted to the Data Aggregator by November 29, 2018 (accounts for weekends and holidays).
e. Within five (5) business days of the Insurer’s submission to the Data Aggregator, the Insurer will submit data resubmissions as required by the Data Aggregator, which will communicate discrepancies, failures, and resubmissions.
4. All Health Care Data Sets submitted to the Data Aggregator will have a Unique Identifier attached and shall be protected by the removal of all Direct Personal Identifiers and/or hashed. The Department or Data Aggregator shall not collect any data containing Direct Personal Identifiers.
5. The Director has the authority within his or her discretion to modify the RIAPCD Technical Specification Manual to effect changes to the submissions schedule.
5.7 Compliance with Data Standards
5.7.1 Standards
A. The Data Aggregator shall evaluate each Member Eligibility File, Provider File, Medical Claims File, Pharmacy Claims File, and Dental File in accordance with the following standards:
1. The applicable code for each data element shall be as identified in the RIAPCD Technical Specification Manual and shall be included within eligible values for the element;
2. Coding values indicating “data not available”, “data unknown”, or the equivalent shall not be used for individual data elements unless specified as an eligible value for the element;
3. The Encrypted Unique Identifier assigned to each Member shall be consistent across files; and
4. Files submitted to the Data Aggregator shall not contain Direct Personal Identifiers.
5.7.2 Notification
Upon completion of this evaluation, the Director or his or her designee will notify each Insurer whose data submissions do not satisfy the standards for any reporting period. This notification will identify the specific file and the data elements that are determined to be unsatisfactory.
5.7.3 Response
A. Each Insurer notified under § 5.7.2 of this Part shall resubmit within ten (10) business days of the date of notification with the required changes.
1. The Director shall have the discretion to require a response as required by this subsection in a reasonable time commensurate with the level of difficulty for the level of correction required to a data submission.
5.7.4 Compliance
Failure to file, report, or correct Health Care Data Sets in accordance with the provisions of this Part may be considered a violation of R.I. Gen. Laws Chapter 23-17.17 except that an Insurer may seek a variance as specified in § 5.10 of this Part.
5.8 Procedures for the Approval and Release of Data
5.8.1 Release Policies and Procedures
A. General Provisions
1. The Department may release RIAPCD data to a person or organization engaged in improving, evaluating, or otherwise measuring health care provided to Members.
2. The Department may provide pre-determined files at varying levels of detail to meet requests for RIAPCD data, per the procedures established by the Department, pursuant to this Part.
3. All Users of RIAPCD data, including Rhode Island state agencies, shall adhere to the following privacy guidelines:
a. No User shall attempt to identify an individual Member using RIAPCD data, or data outputs derived from RIAPCD data.
b. RIAPCD data shall not be linked with any other data source that could potentially re-identify a member or patient.
c. All Users shall adhere to RIAPCD data display and reporting requirements when disclosing RIAPCD data or data outputs to the public or any person who has not been authorized as a User by the Department, as follows, and as specified in the Data Use Agreement entered into by the User and the Department:
(1) “Outputs” refers to any reports, analyses, displays, products, tables, manuscripts, presentations, and other data uses derived from APCD Data.
(2) All RI APCD Data Outputs must adhere to CMS cell size suppression requirements for CMS Research Identifiable Files.
(3) Outputs must use complementary cell suppression techniques to ensure that observations in suppressed cells cannot be identified by manipulating data in the Output.
(4) Member-level records may not be disseminated or published in any form.
B. RI APCD Public Reports
1. The Department may issue reports with aggregated RIAPCD data that adhere to RIAPCD data display and reporting requirements on the Department or another state agency’s website.
C. Requests for RI APCD Data
1. The Director or his or her designee may approve requests for reports with aggregated RIAPCD data.
2. The Director or his or her designee may approve requests for access to the RIAPCD by Rhode Island state agencies under the Executive Office of Health and Human Services, the Office of the Health Insurance Commissioner (OHIC), and the Health Benefits Exchange (also known as HealthSource RI or HSRI), or from persons or organizations performing work on behalf of these agencies, subject to the terms of a Data Use Agreement.
a. All other requests for RIAPCD data shall require a written application that:
(1) Describes the intended purpose and justifies why de-identified data is necessary for the project and, if applicable, why more sensitive member-specific data elements such as service dates and member five (5) digit zip codes are necessary.
(2) Specifies the security and privacy measures that will be used to safeguard Member privacy and prevent unauthorized access to or use of the data.
(3) Describes how the results of the applicant’s analysis will be published and follow RIAPCD data display and reporting requirements, as specified in § 5.8.1(A)(3)(b) of this Part.
(4) Describes the steps the applicant will take to prevent re-identification of members if linking to other data sets.
b. The Department shall post all applications to the Department’s website for a minimum of ten (10) business days to invite written public comments on the applications. The Department shall not post those portions of applications that specify security measures or applications from law enforcement entities to the extent that posting the application on the website may impede the investigatory process. The Department shall have a mechanism for alerting interested parties when a new application is posted.
3. A Data Release Review Board or “Board” shall review requests for RIAPCD data and advise the Director on whether the final products of the proposed project present minimal risk of identification of Members.
a. The Board shall have a chairperson and Members appointed by the Director. Board Members shall have demonstrated expertise in a diverse range of health care areas including, but not limited to, state and federal privacy law and data security. The Board shall be comprised of eleven (11) to fifteen (15) Members and shall include but not be limited to:
(1) At least two members representing Health Insurers;
(2) At least one member representing Health Care Facilities;
(3) At least one member representing Health Care Providers;
(4) At least one member representing health care consumers;
(5) At least one member representing a privacy protection advocacy organization;
(6) At least one member representing researchers;
(7) At least one member representing the Department;
(8) At least one member representing OHIC;
(9) At least one member representing EOHHS;
(10) At least one member representing HSRI.
b. The Board shall provide a non-binding recommendation to the Director regarding requests for RIAPCD data.
c. The Board and Director, as part of their review, shall consider:
(1) Whether access to the requested data is necessary to achieve the proposed project’s intended goals;
(2) Whether the Applicant will adhere to the RIAPCD data display and reporting requirements in any data outputs;
(3) Whether the RIAPCD data will or could be linked to other data sets that could be used to re-identify an individual Member;
(4) Whether the appropriate privacy and security controls are in place to protect Member privacy; and
(5) Whether the Applicant is qualified to protect and responsibly handle the requested data.
d. The Director shall make a final decision to approve or deny requests for RIAPCD data. The Director’s decisions shall be final except as provided for in Rhode Island statute.
e. Upon approval of the request, the Applicant shall sign a Data Use Agreement specifying that the Applicant shall adhere to RIAPCD privacy guidelines and shall fully execute the approved data management plan, and that the Applicant shall not combine RIAPCD data with other data sets unless explicitly approved by the Director or his or her designee.
4.The fees for RIAPCD data sets that have been approved for release by the Department include the costs for programming and report generation, duplicating charges and other costs associated with the production and transmission of data sets.
a.Fees shall be deposited into a restricted receipt account to support costs of producing reports, program planning, management operations and infrastructure;
b.The Department and other state agencies may issue reports that are available to the public at no charge;
c.The fees may be reduced or waived for the following entities at the discretion of the Department:
(1)CMS;
(2)Rhode Island state agencies;
(3)Submitting Insurers; and
(4)Other entities that have extenuating circumstances that prevent them from paying the full fee.
d.The Department shall have a record of payment in full prior to providing data to approved Applicants.
5.9Compliance and Enforcement
5.9.1Enforcement Options
A.The Director may pursue any combination of the following administrative and judicial enforcement actions, depending upon the circumstances and gravity of each case:
1.Compliance orders pursuant to R.I. Gen. Laws § 23-1-20;
2.Immediate compliance orders pursuant to R.I. Gen. Laws § 23-1-21;
3.Enforcement of compliance orders pursuant to R.I. Gen. Laws § 23-1-23; and
4.Criminal penalties pursuant to R.I. Gen. Laws § 23-1-25.
B.The imposition of one or more remedies and/or penalties provided in § 5.9.1(A) of this Part shall not prevent the Director from jointly exercising any other remedy or penalty available to him or her by statute or regulation.
C.Consent Agreement/Order
1.Nothing in this Part shall preclude the Director from resolving outstanding violations or penalties through a Consent Agreement or Consent Order at any time he or she deems appropriate.
5.10Variance Procedure
The Department may grant a variance from the provisions of a rule or regulation in a specific case if it finds that enforcement of such provision will result in unnecessary hardship to the Applicant and that such a variance will not be contrary to the public interest, public health and/or health and safety of residents.
5.11Rules Governing Practices and Procedures
All hearings and reviews required under the provisions of R.I. Gen. Laws Chapter 23-17.17 shall be held in accordance with the provisions of the Rules and Regulations Pertaining to Practices and Procedures Before the Rhode Island Department of Health (Subchapter 05 Part 4 of this Chapter) and Access to Public Records (Subchapter 05 Part 1 of this Chapter).
5.12Severability
A.If any provision of this Part or its applicability to any person or circumstance shall be held invalid, such holding shall not affect the provisions or application of this Part that can be given effect, and to this end the provisions of this Part are declared to be severable.
B.If the effect of such a holding that a provision or application of this Part is invalid is to compromise any of the Member privacy or data security measures contained herein, such that Direct Personal Identifiers may be in any way put at risk of Disclosure, the Director shall have the authority, upon his or her discretion, to suspend the release of all Health Care Data Set(s) and/or analytic files for a period of time sufficient to address such concerns.