Code of Massachusetts Regulations
957 CMR - CENTER FOR HEALTH INFORMATION AND ANALYSIS
Title 957 CMR 5.00 - HEALTH CARE CLAIMS, CASE MIX AND CHARGE DATA RELEASE PROCEDURES
Section 5.05 - Requests from Payers, Providers and Provider Organizations for Data with Direct Patient Identifiers for Treatment and Coordination of Care

Universal Citation: 957 MA Code of Regs 957.5

Current through Register 1531, September 27, 2024

(1) Payer, Provider and Provider Organization requests for Data with Direct Patient Identifiers shall be made in writing by filing an application with CHIA in a form specified by CHIA as provided on its Website.

(2) CHIA shall fulfill Payer, Provider and Provider Organization requests for Direct Patient Identifiers for Treatment and Coordination of Care to the extent permissible under state and federal laws protecting patient privacy and data security. Payers, Providers and Provider Organizations may be required to establish to CHIA's satisfaction that Data Subjects have consented to the release of the Data for the specific use described in the Payer, Provider or Provider Organization's request.

(3) Payer, Provider and Provider Organization requests for Protected Health Information for uses other than requests for Direct Patient Identifiers for Treatment and Coordination of Care shall be reviewed under 957 CMR 5.06.

(4) Payers, Providers and Provider Organizations requesting Protected Health Information of Medicaid recipients will be required to demonstrate compliance with 42 U.S.C. § 1396a(a)(7) to the satisfaction of both CHIA and the Executive Office of Health and Human Services.

(5) Payers, Providers and Provider Organizations requesting Medicare Data will be required to demonstrate compliance with CMS requirements regarding access to and use of such Data.

(6) Payers, Providers and Provider Organizations shall enter into a Data Use Agreement with CHIA prior to the receipt of data with Direct Patient Identifiers. The Data Use Agreement will strictly limit the use of such Data for Treatment and Coordination of Care and will specify the security measures taken to protect the Data from further disclosure. The Data Use Agreement shall also, at a minimum:

(a) commit the Data Recipient to return or destroy the Data received from CHIA upon completion of the project for which the use of the Data was approved. All Data destruction must comport with M.G.L. c. 93I and any other applicable state or federal law;

(b) require the Data Recipient to adhere to processes and procedures aimed at preventing unauthorized access, disclosure or use of the Data;

(c) require the Data Recipient to notify CHIA of any unauthorized use or disclosure of the Data; and

(d) permit CHIA, at its discretion, to audit the Data Recipient's compliance with the provisions of the Data Use Agreement.

Disclaimer: These regulations may not be the most recent version. Massachusetts may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.