Data Access and Data Release Request Procedures
PHI will not be accessed or released to either a Participant or non-Participant when the data requested was contributed by an ICC Participant that has notified the ICC it is subject to 42 CFR Part 2 (“Part 2”) or the Family Educational Rights and Privacy Act (“FERPA”) (20 U.S.C. § 1232g; 34 CFR Part 99). Such data will only be released after the ICC is directed, in writing, by the Participant to do so and then, only if the Participant warrants that it has a legally compliant Authorization on file or the PHI to be released is not subject to Part 2 or FERPA, respectively. The ICC Participation and Business Associate Agreements, and this Data Release Policy address the required procedures for access and release of PHI. The following sections of this policy summarizes the specific cases where data access or release is a) permitted without additional requirements, b) the cases which are not permitted, and c) the cases that are permitted but have additional requirements and/or approvals required. Appendix A summarizes the cases described below and Appendix B summarizes the fees associated with each request.
Covered Entity Participant
Permitted
Participating Covered Entities access to data through the ICC ICare portal is permitted for Treatment, Payment, and Healthcare Operations (TPO) in situations where the Requestor has an established relationship with the patient. Access is also permitted for Treatment and Payment in emergency situations when no previous patient relationship exists and in accordance with ICC’s Break the Glass Policy. Finally, batch data release of identifiable data for Treatment and Payment where a patient relationship exists, and de-identified or aggregate data for Public Health purposes is also permitted.
Not Permitted
Data access (ICare) for Healthcare Operations when no patient relationship exists is not permitted. Data batch release for TPO when no patient relationship exists is also not permitted. Finally, data release of de-identified or Limited Data Sets for Treatment and Payment is also not permitted or applicable in these cases. In no circumstance access or release of data is permitted for marketing purposes.
Permitted with Additional Requirements and/or Approvals
Data releases for permitted cases (Care Coordination and Case Management where a patient relationship exists) of identifiable batch, de-identified/aggregated or limited data set for Healthcare Operations where facility is identified requires an approval from all identified facilities. A DUA is required for all limited data set release requests. Data release for Public Health purposes requires a review and authorization by ICC’s legal counsel. And data release for Research requires patients’ HIPAA compliant Authorization or approved IRB and patients’ consent or IRB waiver of consent, a Data Use Agreement with ICC, and if a facility is identified, the approval of the identified facilities except in the cases of de-identified on aggregate data releases.
Non-Participants
No access through ICare is permitted to non-participants. Data release requests from non-participants are considered on a case-by-case basis by the ICC legal counsel and personnel.
Procedures
The following procedures govern access to and release of data:
Access to Data
A. Complete the ICC User Access Request and Confidentiality Agreement posted on the Data Request > Forms and Resources folder at: https://icc-centex.org/data-release/ and email it to: info@icc-centex.org.
B. Once the new user’s identity and authorization from his/her employer is verified the user will receive a welcome email with a username and password to access the ICC system.
C. Accounts not accessed for more than 90 days will be disabled and the user is required to email info@icc-centex.org to re-enable its account access.
Release of Data
A. All Participants must inform ICC of a designated individual (“Designee”) who is an employee of the Participant to be responsible for approving the release of data to a Requestor. The list of Designees will be maintained as Appendix C of this policy.
B. All data release requests must be formally submitted by completing the Data Release Request Form (DRRF) available on the Data Request > Forms and Resources folder at: https://icc-centex.org/data-release/. Once the form is completed, please email it with any questions to: info@icc-centex.org. The Requestor is responsible for providing detailed criteria for each request (e.g., which ICD9 codes to use for a particular condition) and for clarifying any questions the ICC may have related to the request.
C. Healthcare Operations and Research (HCO&R) requests must also submit a completed ResearchVsQI Questionary available on the Data Request > Forms and Resources folder at: https://icc-centex.org/data-release/.
D. HCO&R requests that identify a facility or facility location must also submit a Data Release Request Project Summary (DRRPS) and be approved by the Designee of the relevant ICC Participant (i.e., the Participant whose data is being requested). A template DRRPS can also be found on the Data Request > Forms and Resources folder at: https://icc-centex.org/data-release/. The ICC will send a copy of the DRRF, ResearchVsQI Questionnaire, and DRRPS to the Participant’s Designee via email following the timelines and additional requirements below depending on the sensitivity of the data requested:
a. De-identified, aggregated: No approval needed if the facility is identified.
b. De-identified, patient level: ICC will remind the Designee by email to provide an approval or denial within 7 business days. If no response is received within 7 business days, the ICC will call the designee directly and if no approval is received the request will be deemed Approved.
c. Limited Dataset, patient level: ICC will reach out to the Designee and schedule a meeting to review the request. Once any adjustments are made to the request the ICC will email the Designee requesting an approval or denial within 14 business days. If no response is received within 14 business days, the ICC will call the Designee directly and if no approval is received the request will be deemed denied. The requestor may resubmit the request one more time to receive an approval if any additional adjustments are made.
d. Identifiable, patient level: ICC will reach out to the Designee and schedule a meeting to review the request. Once any adjustments are made to the request the ICC will email the Designee requesting an approval or denial within 20 days. If no response is received within 20 days, the ICC will call the designee directly and if no approval is received the request will be deemed denied. The requestor may resubmit the request one more time to receive an approval if additional adjustments are made.
e. Requests that will result in periodic or regular releases containing identical data elements do not require multiple approvals. The Participant will be asked to agree to all subsequent releases up front.
E. Facility Masking: HCO&R requests where the facility or facility location is masked does not require approval by Designees. However, all other requirements under this policy apply to these types of requests.
a. The ICC will generate a separate data set for every request where the facility will be masked so that no correlation exists between different requests that could lead to re-identification of a facility. ICC will use PostgreSQL Anonymizer to generate the masked information.
b. All data elements of all facilities that identify a facility will be masked including:
i. Point of Care Location
ii. Facility Location
iii. Zip Code
iv. Encounter Types
v. Encounter ID
vi. Community ID
vii. Medical Record Number
c. The masked data set will not contain any identified facility even if approved by a specific facility Designee to eliminate the possibility of re-identification of other facilities.
d. The ICC will create a look-up table that “cross walks” the masked facilities to their real facility names and retain the look-up table private to the ICC for audit purposes.
e. All other regulations described in this policy still apply for masked data sets (e.g., if a batch identifiable request where a patient relationship exist and the ICC has a patient HIPAA Authorization
Summary of Permitted Data Access or Release Cases
Access or Release Format | Patient Relationship1 | Treatment & Payment | Healthcare Operations* | Public Health2 | Research6 |
---|---|---|---|---|---|
iCare Portal | Existent | Yes | Yes | Yes | Yes4,5 |
Non-existent | Yes3 | No | Yes | Yes4,5 | |
Identifiable Batch | Existent | Yes | Yes6 | Yes | Yes4,5 |
Non-existent | No | No | Yes | Yes4,5 | |
De-identified/ Aggregated | Existent | No, N/A | Yes6 | Yes | Yes |
Non-existent | No, N/A | Yes6 | Yes | Yes | |
Limited Dataset | Existent | No | Yes5,6 | Yes | Yes5 |
Non-existent | No | Yes5,6 | Yes | Yes4,5 |
* Healthcare Operations includes QI/QA, program evaluation, improvement activities, case management and care coordination
Non-Covered Entity Participant
Access or Release Format | Patient Relationship1 | Treatment & Payment | Healthcare Operations* | Public Health2 | Research6 |
---|---|---|---|---|---|
iCare Portal | Existent | No | No | Yes | Yes4,5 |
Non-existent | No | No | Yes | Yes4,5 | |
Identifiable Batch | Existent | No | Yes6 | Yes | Yes4,5 |
Non-existent | No | No | Yes | Yes4,5 | |
De-identified/ Aggregated | Existent | No, N/A | Yes6 | Yes | Yes |
Non-existent | No, N/A | Yes6 | Yes | Yes | |
Limited Dataset | Existent | No | No | Yes5,6 | Yes5 |
Non-existent | No | No | Yes5 | Yes4,5 |
* Case management and care coordination only
Legend
1 ICC Participant has an established relationship with the patient at the time of the data access or release.
2 Data release for Public Health purposes requires consultation with ICC’s general counsel. Please review ICC Public Health Data Release Guidance document.
3 In an emergency and in compliance with ICC’s Break the Glass Policy.
4 Requires patients’ HIPAA compliant Authorization or approved IRB and patients’ consent or IRB waiver of consent.
5 Requires a Data Use Agreement with ICC. 6 If facility identity is requested, participating facility authorization is required.