(a) General. So long as it meets the other requirements of this subpart, and subject to the limits in paragraphs (b) and (c) of this section, the qualified entity may use the combined data to create non-public analyses in addition to performance measures and provide or sell these non-public analyses to authorized users (including any contractors or business associates described in the definition of authorized user).

Ask a legal question, get an answer ASAP!
Click here to chat with a lawyer about your rights.

(b) Limitations on a qualified entity. In addition to meeting the other requirements of this subpart, a qualified entity must comply with the following limitations as a pre-condition of dissemination or selling non-public analyses to an authorized user:

(1) A qualified entity may only provide or sell a non-public analysis to a health insurance issuer as defined in § 401.703(l), after the health insurance issuer or a business associate of that health insurance issuer has provided the qualified entity with claims data that represents a majority of the health insurance issuer’s covered lives, using one of the four methods of calculating covered lives established at 26 CFR 46.4375-1(c)(2), for the time period and geographic region covered by the issuer-requested non-public analyses. A qualified entity may not provide or sell a non-public analysis to a health insurance issuer if the issuer does not have any covered lives in the geographic region covered by the issuer-requested non-public analysis.

(2) Analyses that contain information that individually identifies one or more beneficiaries may only be disclosed to a provider or supplier (as defined at § 401.703(b) and (c)) when both of the following conditions are met:

(i) The analyses only contain identifiable information on beneficiaries with whom the provider or supplier have a patient relationship as defined at § 401.703(r).

(ii) A QE DUA as defined at § 401.713(d) is executed between the qualified entity and the provider or supplier prior to making any individually identifiable beneficiary information available to the provider or supplier.

(3) Except as specified under paragraph (b)(2) of this section, all analyses must be limited to beneficiary de-identified data. Regardless of the HIPAA covered entity or business associate status of the qualified entity and/or the authorized user, de-identification must be determined based on the standards for HIPAA covered entities found at 45 CFR 164.514(b).

(4) Analyses that contain information that individually identifies a provider or supplier (regardless of the level of the provider or supplier, that is, individual clinician, group of clinicians, or integrated delivery system) may not be disclosed unless one of the following three conditions apply:

(i) The analysis only individually identifies the provider or supplier that is being supplied the analysis.

(ii) Every provider or supplier individually identified in the analysis has been afforded the opportunity to appeal or correct errors using the process at § 401.717(f).

(iii) Every provider or supplier individually identified in the analysis has notified the qualified entity, in writing, that analyses can be disclosed to the authorized user without first going through the appeal and error correction process at § 401.717(f).

(c) Non-public analyses agreement between a qualified entity and an authorized user for beneficiary de-identified non-public analyses disclosures. In addition to the other requirements of this subpart, a qualified entity must enter a contractually binding non-public analyses agreement with the authorized user (including any contractors or business associates described in the definition of authorized user) as a pre-condition to providing or selling de-identified analyses. Such non-public analyses agreement must contain the following provisions:

(1) The authorized user may not use the analyses or derivative data for the following purposes:

(i) Marketing, as defined at § 401.703(s).

(ii) Harming or seeking to harm patients or other individuals both within and outside the healthcare system regardless of whether their data are included in the analyses.

(iii) Effectuating or seeking opportunities to effectuate fraud and/or abuse in the healthcare system.

(2) If the authorized user is an employer as defined in § 401.703(k), the authorized user may only use the analyses or derivative data for purposes of providing health insurance to employees, retirees, or dependents of employees or retirees of that employer.

(3)(i) At the qualified entity’s discretion, it may permit an authorized user that is a provider as defined in § 401.703(b) or a supplier as defined in § 401.703(c), to re-disclose the de-identified analyses or derivative data, as a covered entity will be permitted under 45 CFR 164.506(c)(4)(i), or under 45 CFR 164.502(e)(1).

(ii) All other uses and disclosures of such data and/or such non-public analyses is forbidden except to the extent a disclosure qualifies as a “required by law” disclosure.

(4) If the authorized user is not a provider or supplier, the authorized user may not re-disclose or make public any non-public analyses or derivative data except as required by law.

(5) The authorized user may not link the de-identified analyses to any other identifiable source of information and may not in any other way attempt to identify any individual whose de-identified data is included in the analyses.

(6) The authorized user must notify the qualified entity of any DUA violations, and it must fully cooperate with the qualified entity’s efforts to mitigate any harm that may result from such violations.

[81 FR 44480, July 7, 2016]