25mar03... 0870h

05/22/03 1647s

05/22/03 1749s

24jun03... 2228CofC

30jun03... 2306eba

2003 SESSION

03-0637

01/09

HOUSE BILL 670-FN

COMMITTEE: Executive Departments and Administration

AMENDED ANALYSIS

This bill establishes a procedure for the release by a state agency of statistical information for research purposes. Under this bill, a requestor of such information shall sign a data use agreement specifying certain limitations for the use of the information.

This bill also requires the department of health and human services and the insurance department to collect encrypted health insurance claims data and to collaboratively develop a comprehensive health care information system.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

25mar03... 0870h

05/22/03 1647s

05/22/03 1749s

24jun03... 2228CofC

30jun03... 2306eba

03-0637

01/09

STATE OF NEW HAMPSHIRE

In the Year of Our Lord Two Thousand Three

Be it Enacted by the Senate and House of Representatives in General Court convened:

292:1 Statement of Purpose.

I. The general court recognizes that:

(a) Preserving the confidentiality of individually identifiable information in the possession of the state is of great importance to our citizens;

(b) Openness in the conduct of public business is essential to a democratic society;

(c) Information and data collected or maintained with public funds is held for the collective benefit of the citizenry;

(d) Public policy can be improved and program administration can be made more efficient and effective through analysis of information and data; and

(e) The collection and maintenance of reliable and comprehensive health care data is necessary to promote informed decision-making, increase accountability in the health care system, and improve health care planning.

II. Therefore, the general court hereby determines that there is a need to collect encrypted insurance claims data and to clarify the conditions under which limited data sets and health care data and information that may relate to individual citizens may be released.

292:2 New Subdivision; Procedure for Release of Personal Information for Research Purposes. Amend RSA 91-A by inserting after section 9 the following new subdivision:

Procedure for Release of Personal Information for Research Purposes

91-A:10 Release of Statistical Tables and Limited Data Sets for Research.

I. In this subdivision:

(a) "Agency" means each state board, commission, department, institution, officer or other state official or group.

(b) "Agency head" means the head of any governmental agency which is responsible for the collection and use of any data on persons or summary data.

(c) "Cell size" means the count of individuals that share a set of characteristics contained in a statistical table.

(d) "Data set" means a collection of personal information on one or more individuals, whether in electronic or manual files.

(e) "Direct identifiers" means:

(1) Names.

(2) Postal address information other than town or city, state, and zip code.

(3) Telephone and fax numbers.

(4) Electronic mail addresses.

(5) Social security numbers.

(6) Certificate and license numbers.

(7) Vehicle identifiers and serial numbers, including license plate numbers.

(8) Personal Internet IP addresses and URLs.

(9) Biometric identifiers, including finger and voice prints.

(10) Personal photographic images.

(f) "Individual" means a human being, alive or dead, who is the subject of personal information and includes the individual's legal or other authorized representative.

(g) "Limited data set" means a data set from which all direct identifiers have been removed or blanked.

(h) "Personal information" means information relating to an individual that is reported to the state or is derived from any interaction between the state and an individual and which:

(1) Contains direct identifiers.

(2) Is under the control of the state.

(i) "Provided by law" means use and disclosure as permitted or required by New Hampshire state law governing programs or activities undertaken by the state or its agencies, or required by federal law.

(j) "Public record" means records available to any person without restriction.

(k) "State" means the state of New Hampshire, its agencies or instrumentalities.

(l) "Statistical table" means single or multi-variate counts based on the personal information contained in a data set and which does not include any direct identifiers.

II. Except as otherwise provided by law, upon request an agency shall release limited data sets and statistical tables with any cell size more than 0 and less than 5 contained in agency files to requestors for the purposes of research under the following conditions:

(a) The requestor submits a written application that contains:

(1) The following information about the principal investigator in charge of the research:

(A) name, address, and phone number;

(B) organizational affiliation;

(C) professional qualification; and

(D) name and phone number of principal investigator's contact person, if any.

(2) The names and qualifications of additional research staff, if any, who will have access to the data.

(3) A research protocol which shall contain:

(A) a summary of background, purposes, and origin of the research;

(B) a statement of the general problem or issue to be addressed by the research;

(C) the research design and methodology including either the topics of exploratory research or the specific research hypotheses to be tested;

(D) the procedures that will be followed to maintain the confidentiality of any data or copies of records provided to the investigator; and

(E) the intended research completion date.

(4) The following information about the data or statistical tables being requested:

(A) general types of information;

(B) time period of the data or statistical tables;

(C) specific data items or fields of information required, if applicable;

(D) medium in which the data or statistical tables are to be supplied; and

(E) any special format or layout of data requested by the principal investigator.

(b) The requestor signs a "Data Use Agreement" signed by the principal investigator that contains the following:

(1) Agreement not to use or further disclose the information to any person or organization other than as described in the application and as permitted by the Data Use Agreement without the written consent of the agency.

(2) Agreement not to use or further disclose the information as otherwise required by law.

(3) Agreement not to seek to ascertain the identity of individuals revealed in the limited data set and/or statistical tables.

(4) Agreement not to publish or make public the content of cells in statistical tables in which the cell size is more than 0 and less than 5 unless:

(A) otherwise provided by law; or

(B) the information is a public record.

(5) Agreement to report to the agency any use or disclosure of the information contrary to the agreement of which the principal investigator becomes aware.

(6) A date on which the data set and/or statistical tables will be returned to the agency and/or all copies in the possession of the requestor will be destroyed.

III. The agency head shall release limited data sets and statistical tables and sign the Data Use Agreement on behalf of the state when:

(a) The application submitted is complete.

(b) Adequate measures to ensure the confidentiality of any person are documented.

(c) The investigator and research staff are qualified as indicated by:

(1) Documentation of training and previous research, including prior publications; and

(2) Affiliation with a university, private research organization, medical center, state agency, or other institution which will provide sufficient research resources.

(d) There is no other state law, federal law, or federal regulation prohibiting release of the requested information.

IV. Within 10 days of a receipt of written application, the agency head, or designee, shall respond to the request. Whenever the agency head denies release of requested information, the agency head shall send the requestor a letter identifying the specific criteria which are the basis of the denial. Should release be denied due to other law, the letter shall identify the specific state law, federal law, or federal regulation prohibiting the release. Otherwise the agency head shall provide the requested data or set a date on which the data shall be provided.

V. Any person violating any provision of a signed Data Use Agreement shall be guilty of a violation.

VI. Nothing in this section shall exempt any requestor from paying fees otherwise established by law for obtaining copies of limited data sets or statistical tables. Such fees shall be based on the cost of providing the copy in the format requested. The agency head shall provide the requestor with a written description of the basis for the fee.

292:3 Disclosure. RSA 420-G:11, II is repealed and reenacted to read as follows:

II.(a) All health carriers shall electronically provide:

(1) Their encrypted claims data to the department and to the department of health and human services in accordance with rules approved by the commissioner of health and human services and adopted by the insurance commissioner under RSA 420-G:14.

(2) To the department of health and human services, cross-matched claims data on requested policyholders, and subscriber information necessary for third party liability for benefits provided under RSA 167, filed in accordance with rules adopted under RSA 167:3-c.

(b) Notwithstanding RSA 91-A:10, the collection, storage and release of health care data and statistical information that is subject to the federal requirements of the Health Information Privacy and Accountability Act (HIPAA) shall be governed exclusively by the rules adopted thereunder in 45 CFR Parts 160 and 164.

292:4 New Paragraph; Disclosure. Amend RSA 420-G:11 by inserting after paragraph II the following new paragraph:

II-a. All health carriers and other health plans that collect the Health Employer Data and Information Set (HEDIS) shall annually submit the HEDIS information to the department.

292:5 Rulemaking. Amend RSA 420-G:14 to read as follows:

420-G:14 Rulemaking Authority.

I. The commissioner may adopt rules, under RSA 541-A, necessary to the proper administration of this chapter.

II. The commissioner, with the approval of the commissioner of the department of health and human services, shall adopt rules, under RSA 541-A, defining the content, format, and schedule for the filing of encrypted claims data and HEDIS information under RSA 420-G:11.

292:6 New Section; Health Care Information System. Amend RSA 420-G by inserting after section 11 the following new section:

420-G:11-a Development of a Comprehensive Health Care Information System. The department and the department of health and human services shall enter into a memorandum of understanding for collaboration in the development of a comprehensive health care information system. The memorandum of understanding shall include a description of the data sets that will be included in the comprehensive health care information system, the criteria and procedures for the development of limited use data sets, the criteria and procedures to ensure that Health Information Privacy and Accountability Act (HIPAA) compliant limited use data sets are accessible, and a proposed time frame for the creation of a comprehensive health care information system. To the extent allowed by HIPAA, the data shall be available as a resource for insurers, employers, providers, purchasers of health care, and state agencies to continuously review health care utilization, expenditures, and performance in New Hampshire and to enhance the ability of New Hampshire consumers and employers to make informed and cost-effective health care choices. In presenting data for public access, comparative considerations shall be made regarding geography, demographics, general economic factors, and institutional size. Notwithstanding HIPAA or any other provision of law, the comprehensive health care information system shall not include or disclose any data that contains direct personal identifiers. For the purposes of this section, "direct personal identifiers" include information relating to an individual that contains primary or obvious identifiers, such as the individual's name, street address, e-mail address, telephone number, and social security number.

292:7 Information Disclosure to Child Support Enforcement Services. RSA 420-G:11, II is repealed and reenacted to read as follows:

II.(a) All health carriers shall electronically provide:

(1) Their encrypted claims data to the department and to the department of health and human services in accordance with rules approved by the commissioner of health and human services and adopted by the insurance commissioner under RSA 420-G:14.

(2) To the department of health and human services, cross-matched claims data on requested policyholders, and subscriber information necessary for third party liability for benefits provided under RSA 167, filed in accordance with rules adopted under RSA 167:3-c.

(b) Notwithstanding RSA 91-A:10, the collection, storage and release of health care data and statistical information that is subject to the federal requirements of the Health Information Privacy and Accountability Act (HIPAA) shall be governed exclusively by the rules adopted thereunder in 45 CFR Parts 160 and 164.

(c) To the department of health and human services, cross-matched claims data on requested policyholders, and subscriber information necessary to enforce medical child support orders administered by the office of child support enforcement services under RSA 161-C:3-b and RSA 161-C:3-e.

292:8 Effective Date.

I. Section 7 of this act shall take effect August 16, 2003 at 12:01 a.m.

II. The remainder of this act shall take effect upon its passage.

(Approved: July 18, 2003)

(Effective Date: I. Section 7 shall take effect August 16, 2003 at 12:01 a.m.