Delaware Administrative Code
Title 1 - Authorities, Boards and Commissions
100 - Delaware Health Information Network
102 - Delaware Health Information Network Regulations on Use of Clinical Data for Approved Analytic Purposes
Section 102-2.0 - Definitions
The following words and terms, when used in this regulation, have the following meaning unless the context clearly indicates otherwise:
"Act" means DHIN's enabling legislation, 16 Del.C. Chapter 103.
"Approved User" means any person or organization that DHIN has authorized to view or access Available Clinical Data.
"Available Clinical Data" means Data included in DHIN's Clinical Data Repositories as to which DHIN has appropriate agreements in place with the Data Sending Organization that provided the Data to DHIN to permit use of that Data for the analytic purposes identified in this regulation.
"Board" means DHIN's Board of Directors, as established by the Act.
"Bylaws" means the Bylaws as approved by the Board.
"Clinical Data Access Committee" or "Committee" means the subcommittee established by the Board and governed by its Bylaws that has the authority to determine when applications for Available Clinical Data should be provided to a data requestor to facilitate the purposes of the Act, and such other duties as designated by the Board consistent with the Act. If the Board so determines, the Committee can (but need not) be the same committee that determines access to claims data held within the Delaware Health Care Claims Database, as set forth in 1 DE Admin. Code 104.
"Data" means medical or other health care information of or about an individual which is transmitted or available from Data Sending Organizations for transmission to DHIN and included in DHIN's clinical data repositories. The term includes PHI.
"Data Sending Organization" means an organization that contracts with DHIN to provide Data to DHIN for use in its clinical data repositories for purposes consistent with the Act, these regulations, and the contract between DHIN and Data Sending Organization. The term does not include organizations that solely provide claims data to the Health Care Claims Database pursuant to 1 DE Admin. Code 104, or organizations that solely contract with DHIN to receive analytic services or clinical data for approved analytic use cases pursuant to 1 DE Admin. Code 102.
"De-identified data" means de-identified data as defined in HIPAA. Unless otherwise defined in HIPAA, it shall mean health information that is not considered PHI because it excludes the following direct and indirect patient identifiers:
* Direct Patient Identifiers
* Names;
* Telephone numbers;
* Fax numbers;
* Email addresses;
* Social security numbers;
* Medical record numbers;
* Health plan beneficiary numbers;
* Account numbers;
* Certificate/license numbers;
* Vehicle identifiers and serial numbers;
* Device identifiers and serial numbers;
* URL's;
* IP addresses;
* Biometric identifiers, including fingerprints;
* Full-face photographs;
* Any other unique identifying characteristic or code.
* Indirect Patient Identifiers
* All geographic subdivisions smaller than a state, except for the initial three digits of a zip code;
* All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
"HIPAA" means the Health Insurance Portability and Accountability Act of 1996 as amended and associated regulations, including the Privacy Rule ( 45 CFR Part 160 and Subparts A and E of Part 164) and Security Rule ( 45 CFR Part 160 and Subparts A and C of Part 164).
"Identified data" means health information as defined in HIPAA that contains direct patient identifiers.
"Limited data set" means a limited data set as defined in HIPAA. Unless otherwise set forth in HIPAA, the term means PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's authorization or a waiver or an alteration of authorization for its use and disclosure, with a data use agreement. The following data elements are removed from a limited data set:
* Names;
* Postal address information, other than town or city, state, and ZIP Code;
* Telephone number;
* Fax numbers;
* Electronic mail addresses;
* Social Security numbers;
* Medical record numbers;
* Health plan beneficiary numbers;
* Account numbers;
* Certificate/license numbers;
* Vehicle identifiers and serial numbers, including license plate numbers;
* Device identifiers and serial numbers;
* Web universal resource locators (URLs);
* Internet protocol (IP) address numbers;
* Biometric identifiers, including fingerprints and voiceprints;
* Full-face photographic images and any comparable images.
A limited data set may include
* City, state, ZIP Code;
* Elements of dates;
* Other numbers, characteristics, or codes not listed as direct identifiers.
"Protected health information" or "PHI" means individually identifiable health information, as that term is defined in HIPAA.
"Provider" means a hospital, facility, or any health care practitioner licensed, certified, or authorized under State law to provide health care services and includes hospitals and health care practitioners participating in group arrangements, including accountable care organizations, in which the hospital or health care practitioners agree to assume responsibility for the quality and cost of health care for a designated group of beneficiaries.
"Re-disclosure" means the publication, distribution or other dissemination of Available Clinical Data released to an Approved User using any medium and in any format, context or structure.
