Rhode Island Code of Regulations
Title 216 - Department of health
Chapter 10 - Public Health Administration
Subchapter 10 - Registries
Part 5 - Rhode Island All-Payer Claims Database
Section 216-RICR-10-10-5.8 - Procedures for the Approval and Release of Data
Universal Citation: 216 RI Code of Rules 10 10 5.8
Current through September 18, 2024
5.8.1 Release Policies and Procedures
A. General Provisions
1. The Department may release RIAPCD data to
a person or organization engaged in improving, evaluating, or otherwise
measuring health care provided to Members.
2. The Department may provide pre-determined
files at varying levels of detail to meet requests for RIAPCD data, per the
procedures established by the Department, pursuant to this Part.
3. All Users of RIAPCD data, including Rhode
Island State Agencies, shall adhere to the following privacy guidelines:
a. No User shall attempt to identify an
individual Member using RIAPCD data, or data outputs derived from RIAPCD
data.
b. RIAPCD data shall not be
linked with any other data source that could potentially re-identify a member
or patient.
c. All Users shall
adhere to RIAPCD data display and reporting requirements when disclosing RIAPCD
data or data outputs to the public or any person who has not been authorized as
a User by the Department, as follows, and as specified in the Data Use
Agreement entered into by the User and the Department:
(1) "Outputs" refers to any reports,
analyses, displays, products, tables, manuscripts, presentations, and other
data uses derived from APCD Data.
(2) All RIAPCD Data Outputs must adhere to
CMS cell size suppression requirements for CMS Research Identifiable
Files.
(3) Outputs must use
complementary cell suppression techniques to ensure that observations in
suppressed cells cannot be identified by manipulating data in the
Output.
(4) Member-level records
may not be disseminated or published in any form.
B. RIAPCD Public
Reports
The Department may issue reports with aggregated RIAPCD data that adhere to RIAPCD data display and reporting requirements on the Department or another State Agency's website.
C. Requests for RIAPCD Data
1. The Director or his or her designee may
approve requests for reports with aggregated RIAPCD data.
2. The Director or his or her designee may
approve requests for access to the RIAPCD by Rhode Island State Agencies under
the Executive Office of Health and Human Services, the Office of the Health
Insurance Commissioner (OHIC), and the Health Benefits Exchange (also known as
HealthSource RI or HSRI), or from persons or organizations performing work on
behalf of these agencies, subject to the terms of a Data Use Agreement.
a. All other requests for RIAPCD data shall
require a written application that:
(1)
Describes the intended purpose and justifies why de-identified data is
necessary for the project and, if applicable, why more sensitive
member-specific data elements such as service dates and member five (5) digit
zip codes are necessary.
(2)
Specifies the security and privacy measures that will be used to safeguard
Member privacy and prevent unauthorized access to or use of the data.
(3) Describes how the results of the
applicant's analysis will be published and follow RIAPCD data display and
reporting requirements, as specified in § 5.8.1(A)(3)(b) of this
Part.
(4) Describes the steps the
applicant will take to prevent reidentification of members if linking to other
data sets.
b. The
Department shall post all applications to the Department's website for a
minimum of ten (10) business days to invite written public comments on the
applications. The Department shall not post those portions of applications that
specify security measures or applications from law enforcement entities to the
extent that posting the application on the website may impede the investigatory
process. The Department shall have a mechanism for alerting interested parties
when a new application is posted.
3. A Data Release Review Board or "Board"
shall review requests for RIAPCD data and advise the Director on whether the
final products of the proposed project present minimal risk of identification
of Members.
a. The Board shall have a
Chairperson and Members appointed by the Director. Board Members shall have
demonstrated expertise in a diverse range of health care areas including, but
not limited to, State and Federal privacy law and data security. The Board
shall be comprised of eleven (11) to fifteen (15) Members and shall include but
not be limited to:
(1) At least two (2)
members representing Health Insurers;
(2) At least one (1) member representing
Health Care Facilities;
(3) At
least one (1) member representing Health Care Providers;
(4) At least one (1) member representing
health care consumers;
(5) At least
one (1) member representing a privacy protection advocacy organization;
(6) At least one (1) member
representing researchers;
(7) At
least one (1) member representing the Department;
(8) At least one (1) member representing
OHIC;
(9) At least one (1) member
representing EOHHS;
(10) At least
one (1) member representing HSRI.
b. The Board shall provide a non-binding
recommendation to the Director regarding requests for RIAPCD data.
c. The Board and Director, as part of their
review, shall consider:
(1) Whether access to
the requested data is necessary to achieve the proposed project's intended
goals;
(2) Whether the Applicant
will adhere to the RIAPCD data display and reporting requirements in any data
outputs;
(3) Whether the RIAPCD
data will or could be linked to other data sets that could be used to
re-identify an individual Member;
(4) Whether the appropriate privacy and
security controls are in place to protect Member privacy; and
(5) Whether the Applicant is qualified to
protect and responsibly handle the requested data.
d. The Director shall make a final decision
to approve or deny requests for RIAPCD data. The Director's decisions shall be
final except as provided for in Rhode Island statute.
e. Upon approval of the request, the
Applicant shall sign a Data Use Agreement specifying that the Applicant shall
adhere to RIAPCD privacy guidelines and shall fully execute the approved data
management plan, and that the Applicant shall not combine RIAPCD data with
other data sets unless explicitly approved by the Director or his or her
designee.
4. The fees
for RIAPCD data sets that have been approved for release by the Department
include the costs for programming and report generation, duplicating charges
and other costs associated with the production and transmission of data sets.
a. Fees shall be deposited into a restricted
receipt account to support costs of producing reports, program planning,
management operations and infrastructure;
b. The Department and other State Agencies
may issue reports that are available to the public at no charge;
c. The fees may be reduced or waived for the
following entities at the discretion of the Department:
(1) CMS;
(2) Rhode Island State Agencies;
(3) Submitting Insurers; and
(4) Other entities that have extenuating
circumstances that prevent them from paying the full fee.
d. The Department shall have a record of
payment in full prior to providing data to approved Applicants.
Disclaimer: These regulations may not be the most recent version. Rhode Island may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
