Current through Register Vol. XLI, No. 38, September 20, 2024
4.1. Permitted Uses and Disclosures. The ODCP may disclose data for legitimate purposes relating to public health to participants. The ODCP shall have the sole discretion to determine what constitutes a legitimate purpose relating to public health.

4.2. Participants may use and disclose data and information in furtherance of the purposes and goals of participants relevant to the development and implementation of best practices and evidence-based substance use disorder prevention, cessation, treatment and recovery programs, and youth tobacco access, smoking cessation and prevention when necessary for their proper management, administration, or execution of their legal responsibilities and privileges established herein. The participants agree not to use or further disclose data and information other than as authorized by law.

4.3. Data and information maintained by the ODCP may not be disclosed for commercial purposes.
4.4. Overdose Information Maintained by Participants.

4.4.1. Participants will provide overdose information in electronic format as maintained on each participant's system. The specific data elements that will be exchanged are the demographic and health information being requested from the originating participant's system. The participants are not responsible for the absence of overdose information in a participant's records and are only obligated to provide such information as they currently possess. The participants acknowledge that the overdose information provided is drawn from numerous sources and the overdose information provided may not include an entire record.

4.4.2. Participants shall provide overdose information to the ODCP in a timely manner.

4.4.3. Participants will reasonably determine that information disclosed is accurate and complete. If a participant becomes aware of any material inaccuracies in its own overdose information or system, it agrees to communicate such inaccuracy to the ODCP as soon as reasonably possible.
4.5. Access to Data and Information by Participants.

4.5.1. All data requests for data and information housed and maintained by the ODCP shall be submitted to the director in a form and manner as the director may prescribe, including electronic submission.

4.5.2. Functions of the Director. The director is responsible for overseeing the process from receipt of a data request to the release of the data to the requestor. Specific responsibilities include:

4.5.2.a. Reviewing each data request and identifying the information being requested;

4.5.2.b. Coordinating with the department's privacy officer to determine whether a request is valid and the information may be released under applicable law;

4.5.2.c. Routing the request to the appropriate person or data analyst for completion, and following up as necessary to ensure accurate and timely completion of the request;

4.5.2.d. Communicating with the requestor as necessary; and

4.5.2.e. Maintaining accurate records of the requests.

4.5.3. Prior to receiving any data, the director may require participants to execute a data use agreement, in the form and manner as the director may prescribe.
4.6. Ownership. Disclosure of data under this rule does not change the ownership of such information under state and federal law. This rule does not grant to a participant any rights in the system or any of the technology used to create, operate, enhance, or maintain the system of another participant.
4.7. Privacy and Security Safeguards.

4.7.1. If the data to be provided constitutes or includes PII or PHI, then only the minimum amount of PII or PHI necessary to accomplish the purposes for which the data is requested may be used or disclosed.

4.7.2. Participants shall establish procedures to prevent the disclosure of data that may contain indirectly identifying information.
4.7.3. Participants will use administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of data they receive and to prevent the use or disclosure of any data received other than as permitted or required by federal or state law and by this rule. To that end, participants shall:

4.7.3.a. Provide for identification and authentication of authorized users;

4.7.3.b. Provide access authorization;

4.7.3.c. Guard against unauthorized access to data; and

4.7.3.d. Provide security audit controls and documentation.
4.7.4. A participant shall apply sanctions against any person, subject to the participant's policies and procedures, who fails to comply with such policies and procedures. The type and severity of sanctions applied shall be in accordance with the participant's policies and procedures. Participants shall make employees, agents, and contractors aware that certain violations may result in notification by a participant to law enforcement officials as well as regulatory, accreditation, and licensure organizations, if applicable.

4.7.5. A participant may, at its discretion, deny access to any person it has reason to believe accessed, used, or disclosed data, other than as permitted under this rule.

4.7.6. Participants are also required to comply with the privacy and security provisions established by the state of West Virginia and are not required to adhere to the law or rules of or applicable to any other participant.
4.8. Breach of Privacy and Security Safeguards.

4.8.1. Breach of a material provision of the privacy and security safeguards contained in this section by a participant may be grounds for the director to discontinue the participant's access to data and information. Upon becoming aware of such a material breach, the director may do one or more of the following:

4.8.1.a. Provide an opportunity for the participant who has committed a material breach of the privacy and security safeguard contained in this section to cure the violation within 30 days, and if the participant does not cure or end the violation within the time specified by the director, terminate the authority of the participant to access data and information;

4.8.1.b. Demand assurances from the participant that remedial actions will be taken to remedy the circumstances that gave rise to the violation within a time frame set by, or approved by, the director; and

4.8.1.c. Terminate the authority to access data and information.

4.8.2. A participant who is the subject of sanctions contained in subdivision 4.8.a. may request a hearing.

4.8.2.a. A request for a hearing must be made within 90 days of the date of the director's notification of a sanction contained in subdivision 4.8.a.;

4.8.2.b. The request for hearing must be made in writing and must clearly state the reasons for the request;

4.8.2.c. Hearings will be conducted pursuant to W.Va. Code R. §§ 64-1-1 et seq.