Current through Register Vol. 51, No. 19, September 20, 2024
A. The following data requests are not
subject to review by the DRAC:
(1) Those categories of data requests and data release described in
Regulation .01D(1)–(5) of this chapter;
(2) Requests for data submitted by a governmental entity that the Executive
Director determines warrants an expedited review under Regulation .05 of this
chapter; and
(3) Requests for
aggregate, summarized data as described in Regulation .03C(3)(b) of this
chapter.
B. In reviewing
an application, the DRAC shall consider the criteria for approval and reasons
for disapproval of an application in §§C and D of this regulation and
all public comment received under Regulation .07 of this chapter before
preparing a written report and recommendation.
C. The DRAC shall determine whether an
application has met the following criteria for approval:
(1) An applicant has provided documentation
of relevant education, training, and experience that demonstrates the applicant
is capable of undertaking and accomplishing the objective of the proposed use
of the data and being a responsible steward of the requested data.
(2) The data elements requested by an
applicant are the minimum amount necessary to achieve the intended purpose for
which the data is requested.
(3) The proposed use of the data complies with applicable State and federal
laws, including those laws relating to the privacy and security of protected
health information (PHI).
(4) The
applicant has provided a written data management plan that demonstrates
appropriate privacy and security controls for access and storage of the data
and for safeguarding individual privacy and preventing unauthorized access and
use of the data.
(5) The
requirement of obtaining written authorization from each individual who is the
subject of requested identifiable data can be waived in accordance with
45 CFR § 164.512.
(6) If the applicant has proposed linkage of
the requested data to other data source(s), the applicant has provided:
(a) Sufficient written justification of the
need to link the requested data to the other data source(s) named in the
application to accomplish the objective and achieve the results of the proposed
use of the data; and
(b) Written
proof that an additional level of data privacy and security controls will be in
place to protect the privacy and identification of the individuals who are the
subject of the requested data and the other data source(s) to which the
requested data is to be linked.
(7) An applicant who proposes to develop and
sell a product that contains de-identified data has provided satisfactory
written justification of how the proposed sale of the product using the
de-identified data will serve the public interest.
(8) The proposed use of the data is in the
public interest. Examples of uses of data that serve the public interest
include:
(a) Health care cost and utilization
analysis to guide and develop public policy;
(b) Studies that promote improvement in
public health, health care quality, and health care access;
(c) Health planning and resource allocation
studies;
(d) Making information on
cost and quality accessible to the public; and
(e) Studies directly tied to evaluation and
improvement of federal and State government initiatives.
D. The DRAC shall determine
whether an application has met any of the following criteria for disapproval:
(1) The proposed use of the data violates
State or federal law.
(2) The
proposed use of the data is not in the public interest.
(3) The proposed use of the data is designed
so that the stated objective of the project cannot be met.
(4) False information or documentation on, or
related to, an application was provided to Commission staff, the DRAC, the
Executive Director, or the Commission.
(5) An applicant provided incomplete
information upon which to base a decision on the application.
(6) An applicant or any person or entity that
is an officer, owner, operator, or part of management of an applicant's
organization who will have access and use of the requested data is currently,
or has been within 10 years prior to the date of the application, a subject of
or a party to a state or federal regulatory agency action or civil or criminal
action involving a data breach, HIPAA violation, or other matter involving
unauthorized access, use, and disclosure of data regardless of whether there
has been a finding or admission of guilt, including being:
(a) Convicted of a felony or pleading guilty,
nolo contendere, entering a best interest plea of guilty, or receiving a
diversionary disposition regarding a felony;
(b) A subject of an investigation conducted
by, or a pending complaint, charges, or indictment issued by a local, state, or
federal governmental regulatory agency or other state or federal law
enforcement agency; or
(c) A party
to a final dispositive action in a state or federal governmental agency
regulatory action or a civil action that resulted in entry into a settlement
agreement, consent agreement, decree or order, corporate integrity agreement,
corrective action agreement, or other similar agreement or other disposition in
a civil action regardless of whether there has been an admission or finding of
guilt or liability.
(7) Violation of a previous data use agreement.
(8) The data management plan does not
demonstrate privacy and security controls for safeguarding individual privacy
and preventing unauthorized access to or use of the data.
(9) The proposed use of the data is for an
impermissible purpose, which includes but is not limited to:
(a) Using the requested data to identify an
individual using a particular product or drug in order to develop a marketing
campaign and directly contact an individual;
(b) Using the requested data to contact an
individual for fund-raising purposes directly; and
(c) Using the requested data to contact an
individual who is the subject of the data for any reason.
(10) An applicant who proposes to develop and
sell a product that contains requested de-identified data has not provided
satisfactory written justification of how the proposed sale of the product
using the de-identified data will serve the public interest.
E. A member of the DRAC who has an
affiliation with an applicant, or with any entity sponsoring, participating, or
otherwise affiliated with an applicant's proposed use of the requested data or
any other conflict of interest or appearance of impropriety, shall recuse from
consideration of that applicant's application and may not participate in any
discussions with other DRAC members or vote on the application.
F. The DRAC may request that the Executive
Director authorize the DRAC to invite an individual with expertise and
competence in certain areas to assist the DRAC in the review of complex issues
that require expertise beyond, or in addition to, that available among the
membership of the DRAC. An individual invited pursuant to this section may not:
(1) Have an affiliation with an applicant, or
with any entity sponsoring, participating in, or otherwise affiliated with an
applicant's proposed use of the requested data or any other conflict of
interest or appearance of impropriety; and
(2) Vote on an application.
G. The DRAC may require an
applicant to obtain Institutional Review Board review prior to deciding on a
recommendation for an application.
H. The DRAC may request that Commission staff
obtain additional information and documentation from an applicant if needed to
determine whether the criteria for approval in §C of this regulation have
been met or the reasons for disapproval in §D of this regulation exist. If
an applicant does not provide the additional information within the time limit
specified by the DRAC, the DRAC may refer the application to Commission staff
with a request that the application submitted by the applicant be
administratively closed per Regulation .06B(7) of this chapter.
I. The DRAC, at its discretion, may require
that an applicant meet with the DRAC to provide additional information, answer
questions, or provide clarification on information provided in an application,
the proposed use of the data requested, or the capability of an applicant to
accomplish the objective of the proposed use of requested data.
J. The DRAC shall review and consider all
public comment received regarding an application under Regulation .07 of this
chapter before making a recommendation to the Executive Director.
K. The DRAC, with the administrative support
of Commission staff, shall prepare a written report and recommendation for the
Executive Director on each application reviewed, which shall address:
(1) Each of the approval criteria in §C
of this regulation;
(2) Each of the
disapproval criteria in §D of this regulation;
(3) Any public comment received; and
(4) The DRAC's recommendation
on whether an application should be approved, approved with conditions, or
disapproved.
L. After an
application is approved pursuant to Regulation .10 of this chapter, Commission
staff may:
(1) Seek the advice and expertise
of the DRAC on any issues regarding the applicant's receipt of data or
compliance with the terms and conditions of a data use agreement entered into
under Regulation .13 of this chapter; and
(2) Request that the DRAC prepare a written
report and recommendation to the Executive Director regarding whether any
compliance and enforcement actions may be warranted under Regulation .14 of
this chapter.
M. A DRAC
recommendation on an application or on other issues related to an applicant's
receipt of data or compliance with the terms and conditions of a data use
agreement entered into under Regulation .13 of this chapter is advisory and not
binding on the Executive Director's decision on an application or on whether to
pursue an enforcement action under Regulation .14 of this chapter for
noncompliance with a data use agreement.