File No. 35868

This rule was published in the March 1, 2012, issue (Vol. 2012, No. 5) of the Utah State Bulletin.


Health, Center for Health Data, Health Care Statistics

Rule R428-2

Health Data Authority Standards for Health Data

Notice of Proposed Rule

(Amendment)

DAR File No.: 35868
Filed: 02/10/2012 02:15:21 PM

RULE ANALYSIS

Purpose of the rule or reason for the change:

Rule R428-2 changes are needed to reflect an update in office practice and to eliminate redundant text within the rule.

Summary of the rule or change:

Email has been added as a means of communication, when applicable, between the Office and data supplier. Minor technical changes have been made, including the deletion of one sentence that contains text already found in the rule.

State statutory or constitutional authorization for this rule:

  • Title 26, Chapter 33a

Anticipated cost or savings to:

the state budget:

The Utah Department of Health (UDOH) determines that these amendments will not create any cost or savings impact to the state budget or UDOH's budget, since the changes will not increase workload or resources and can be carried out with the existing budget.

local governments:

This rule does not affect local governments and therefore has no fiscal impact on them.

small businesses:

Minor technical changes to the rule and allowing email as an acceptable method of communication between the office and supplier (which has been standard practice for many years), when applicable, will not create any cost or savings to small businesses.

persons other than small businesses, businesses, or local governmental entities:

Minor technical changes to the rule and allowing email as an acceptable method of communication between the office and supplier (which has been standard practice for many years), when applicable, will not create any cost or savings to other persons.

Compliance costs for affected persons:

UDOH determines there are no compliance costs for affected persons. Procedural changes in this rule were adopted into practice several years ago.

Comments by the department head on the fiscal impact the rule may have on businesses:

"Technical changes to these rules to conform them to current practice and to expressly allow data submission electronically are expected to benefit business."

David Patton, PhD, Executive Director

The full text of this rule may be inspected, during regular business hours, at the Division of Administrative Rules, or at:

Health
Center for Health Data, Health Care Statistics
CANNON HEALTH BLDG
288 N 1460 W
SALT LAKE CITY, UT 84116-3231

Direct questions regarding this rule to:

  • Mike Martin at the above address, by phone at 801-538-9205, by FAX at 801-538-9916, or by Internet E-mail at [email protected]
  • Keely Cofrin Allen at the above address, by phone at 801-538-6551, by FAX at 801-538-9916, or by Internet E-mail at [email protected]

Interested persons may present their views on this rule by submitting written comments to the address above no later than 5:00 p.m. on:

04/02/2012

This rule may become effective on:

04/09/2012

Authorized by:

David Patton, Executive Director

RULE TEXT

R428. Health, Center for Health Data, Health Care Statistics.

R428-2. Health Data Authority Standards for Health Data.

R428-2-1. Legal Authority.

This rule is promulgated under authority granted by Title 26, Chapter 33a.

 

R428-2-2. Purpose.

This rule establishes the reporting standards which apply to data suppliers, and the classification, control, use, and release of data received by the committee pursuant to Title 26, Chapter 33a.

 

R428-2-3. Definitions.

The following definitions apply to all of R428.

A. "Office" means the Office of Health Care Statistics within the Utah Department of Health, which serves as staff to the Utah Health Data Committee.

B. "Committee" means the Utah Health Data Committee created by Section 26-1-7.

C. "Data element" means the specific information collected and recorded for the purpose of health care and health service delivery. Data elements include information to identify the individual, [the] health care provider, [the] data supplier, [the] service provided, [the] charge for service, payer source, medical diagnosis, and medical treatment.

D. "Data release, disclosure, or disclose" means the disclosure or the communication of health care data to any individual or organization outside the committee, its staff, and contracting agencies.

E. "Data supplier" means a health care facility, health care provider, self-funded employer, third-party payer, health maintenance organization, or government department required to provide health data under rules adopted by the committee.

F. "Health Data Plan" means the plan developed and adopted by the Health Data Committee under Chapter 33a, Title 26, Section 104.

G. "Health care provider" means any person, partnership, association, corporation, or other facility or institution that renders or causes to be rendered health care or professional services as a physician, registered nurse, licensed practical nurse, nurse-midwife, dentist, dental hygienist, optometrist, clinical laboratory technologist, pharmacist, physical therapist, podiatrist, psychologist, chiropractic physician, naturopathic physician, osteopathic physician, osteopathic physician and surgeon, audiologist, speech pathologist, certified social worker, social service worker, social service aide, marriage and family counselor, or practitioner of obstetrics, and others rendering similar care and services relating to or arising out of the health needs of persons or groups of persons, and officers, employees, or agents of any of the above acting in the course and scope of their employment.

I. "Health data" means information relating to the health status of individuals, health services delivered, the availability of health manpower and facilities, and the use and costs of resources and services to the consumer.

H. "Identifiable health data" means any item, collection, or grouping of health data that makes the individual supplying or described in the health data identifiable.

J. "Individual" means a natural person.

K. "Order" means a committee action that determines the legal rights, duties, privileges, immunities, or other interests of one or more specific persons, but not a class of persons.

L. "Report" means a compilation, study or data release developed from resource documents to display information in a simplified manner and designed to meet the needs of specific audiences or nontechnical users.

M. "Resource document" means contemplated tabulation formats defined in the Health Data Plan to display information, documents, or records containing measures relating to health care. These documents are classified as standard, special, and electronic.

 

R428-2-4. Technical Assistance.

The Office may provide technical consultation to a data supplier upon request and resource availability. The consultation shall be to enable a data supplier to submit health data according to R428.

 

R428-2-5. Data Classification and Access Requirements.

A. The Utah Health Data Authority Act, Section 108, specifically classifies all data, information, reports, statements, memoranda, or other data received by the committee as "strictly confidential." [All data received under rules of the Utah Health Data Authority Act are strictly confidential.] This strict classification means the committee's data are not public, and as such are exempt from the Classification and Release Requirements specified in the Government Records Access And Management Act, Chapter 2, Title 63, Utah Code Annotated. The committee shall establish guidelines for the protection, use and release of the data.

B. Persons having access to data under control of the committee shall not:

1. take any action that might provide information to any unauthorized individual or agency;

2. scan, copy, remove, or review any information to which specific authorization has not been granted;

3. discuss information with unauthorized persons which could lead to identification of individuals;

4. give access to any information by sharing passwords or file access codes.

C. Any person having access to data under control of the committee shall:

1. maintain the data in a safe manner which restricts unauthorized access;

2. limit use of the data to the purposes for which access is authorized;

3. report immediately any unauthorized access.

D. A failure to report known violations by others of responsibilities specified in 3 and 4 above is subject to the same punishment as a personal violation.

E. The Office shall deny a person access to the facilities, services and data as a consequence of any violation of the responsibilities specified in R428-2-5(C) and R428-2-5(D) above.

F. The committee may, pursuant to Chapter 33a, Title 26, Section 110, subject the person to legal prosecution for any unauthorized use, disclosure, or publication of its data.

 

R428-2-6. Security.

The Office shall implement procedures protecting data confidentiality. These procedures shall [ensure]secure the committee's health data against unauthorized access.

 

R428-2-7. Editing and Validation.

A. The data supplier shall review each health data record prior to submission. The review shall consist of checks for accuracy, consistency, completeness, and conformity.

B. The Office may subject health data to edit checks. The Office may require the data supplier to correct health data failing an edit check. The data supplier may perform data validation before public disclosure.

1. The Office may, by first class U.S. mail or email, return to the submitting data supplier all health data failing an edit check. The submitting data supplier shall correct all returned health data and resubmit all corrected health data to the Office within 35 calendar days of the date the Office mails the records.

2. Data validation gives the data supplier the right to review, comment, and provide support for corrections of any information relating to its activities prior to public release. The data supplier shall return the validation document to the Office with comments and support for corrections within 35 calendar days of the date the Office mails the validation document. If the data supplier fails to return the information within the 35 day period, the committee may conclude that the information is correct and suitable for release.

3. The committee may note in its resource documents, reports, and publications that accurate appraisal of a certain category or entity cannot be presented because of a failure to comply with the committee's request for data, edit corrections, or data validation.

 

R428-2-8. Error Rates.

The committee may establish and order reporting quality standards based on non-reporting or edit failure rates.

 

R428-2-9. Data Disclosure.

A. The committee may release information, compilations, reports, statements, memoranda, or other data received or derived from its health data as specified in Chapter 33a, Title 26, Sections 107, 108, and 109. The Office may disclose the submitted data as resource documents or reports in either standard, special, or electronic format. The Office may prepare data for disclosure annually as standard or special resource documents specified in the health data plan. If the disclosure identifies a health care provider, the Office must adhere to the procedures specified in R428-2-9(B).

B. Prior to any release of a compilation, report, or resource document in which a health care provider is identified, the Office shall notify the data supplier and the health care provider by first class mail or email using the last known address. The data supplier and health care provider have the right to:

1. review the information to be disclosed and verify the accuracy of the information contained therein;

2. submit to the Office evidence of errors in the disclosure document;

3. develop written comments or alternate interpretations to the information reported for inclusion with the disclosure;

4. return the disclosure notice, evidence of errors, and comments within 35 calendar days of the date the Office mails the notice. The committee may interpret the failure to return the notice of disclosure within the designated time period as agreement that the reports are acceptable for release in any format outlined in the Health Data Plan.

5. the Office shall correct data it finds to be in error and provide data suppliers and health care providers notification of the corrections subject to the rights specified in R428-2-9(B).

C. The committee may allow exemptions to the notification procedures specified in R428-2-9(B):

1. The Office may release to the data supplier its data elements used to create compilations, reports, or resource documents without notification when a data supplier requests the data it supplied.

2. The Office may make additional disclosures to other requesters of compilations, reports, or resource documents previously reviewed under the procedures specified in R428-2-9(B).

D. The Office may, by its initiative, prepare and disclose special compilations, reports, studies or analyses relating to health care cost, quality, access, health promotion programs, or public health. These actions may be to meet legislative intent or upon request from individuals, government agencies, or private organizations.

E. The committee may make data available for disclosure in computer readable formats.

1. The public data set provides general health care data. The Director of the Office may approve written requests for the public data set without approval of the committee. Written requests must include the following:

a. the name, address, and telephone number of the requester;

b. a statement of the purpose for which the data will be used; and

c. the starting and ending dates for which data are requested.

2. The design of the research oriented data set is for bona fide research of health care cost, quality, access, health promotion programs, or public health issues. A research oriented data set is available by request to the committee. Requests for a research oriented data set must be accompanied by a completed request form as established by the committee. Request forms are included in Technical Manuals that are available from the Office. The committee requires documentation of the requester's:

a. need for the research oriented data set to conduct bona fide research;

b. intent to use the data to study, promote, or improve accessibility, quality, or cost-effective health care;

c. integrity and ability to safeguard the data from any breach of confidentiality;

d. competency to effectively use the data in the manner proposed;

e. affiliation with an institutional review board; and

f. guarantee that no further disclosure will occur without prior approval of the Office.

 

R428-2-10. Penalties.

Pursuant to Section 26-23-6, any person that violates any provision of this rule may be assessed an administrative civil money penalty not to exceed $3,000 upon an administrative finding of a first violation and up to $5,000 for a subsequent similar violation within two years. A person may also be subject to penalties imposed by a civil or criminal court, which may not exceed $5,000 or a class B misdemeanor for the first violation and a class A misdemeanor for any subsequent similar violation within two years.

 

KEY: health, health policy, health planning

Date of Enactment or Last Substantive Amendment: [August 14, 2002]2012

Notice of Continuation: November 30, 2011

Authorizing, and Implemented or Interpreted Law: 26-33a-104

 


Additional Information

The Portable Document Format (PDF) version of the Bulletin is the official version. The PDF version of this issue is available at https://rules.utah.gov/publicat/bull-pdf/2012/b20120301.pdf. The HTML edition of the Bulletin is a convenience copy. Any discrepancy between the PDF version and HTML version is resolved in favor of the PDF version.

Text to be deleted is struck through and surrounded by brackets (e.g., [example]). Text to be added is underlined (e.g., example). Older browsers may not depict some or any of these attributes on the screen or when the document is printed.

For questions regarding the content or application of this rule, please contact Mike Martin at the above address, by phone at 801-538-9205, by FAX at 801-538-9916, or by Internet E-mail at [email protected]; Keely Cofrin Allen at the above address, by phone at 801-538-6551, by FAX at 801-538-9916, or by Internet E-mail at [email protected].