Code of Massachusetts Regulations
957 CMR - CENTER FOR HEALTH INFORMATION AND ANALYSIS
Title 957 CMR 5.00 - HEALTH CARE CLAIMS, CASE MIX AND CHARGE DATA RELEASE PROCEDURES
Section 5.05 - Requests from Payers, Providers and Provider Organizations for Data with Direct Patient Identifiers for Treatment and Coordination of Care
Current through Register 1531, September 27, 2024
(1) Payer, Provider and Provider Organization requests for Data with Direct Patient Identifiers shall be made in writing by filing an application with CHIA in a form specified by CHIA as provided on its Website.
(2) CHIA shall fulfill Payer, Provider and Provider Organization requests for Direct Patient Identifiers for Treatment and Coordination of Care to the extent permissible under state and federal laws protecting patient privacy and data security. Payers, Providers and Provider Organizations may be required to establish to CHIA's satisfaction that Data Subjects have consented to the release of the Data for the specific use described in the Payer, Provider or Provider Organization's request.
(3) Payer, Provider and Provider Organization requests for Protected Health Information for uses other than requests for Direct Patient Identifiers for Treatment and Coordination of Care shall be reviewed under 957 CMR 5.06.
(4) Payers, Providers and Provider Organizations requesting Protected Health Information of Medicaid recipients will be required to demonstrate compliance with 42 U.S.C. § 1396a(a)(7) to the satisfaction of both CHIA and the Executive Office of Health and Human Services.
(5) Payers, Providers and Provider Organizations requesting Medicare Data will be required to demonstrate compliance with CMS requirements regarding access to and use of such Data.
(6) Payers, Providers and Provider Organizations shall enter into a Data Use Agreement with CHIA prior to the receipt of data with Direct Patient Identifiers. The Data Use Agreement will strictly limit the use of such Data for Treatment and Coordination of Care and will specify the security measures taken to protect the Data from further disclosure. The Data Use Agreement shall also, at a minimum: