42 CFR 401.718 – Dissemination of data
(a) General. Subject to the other requirements in this subpart, the requirements in paragraphs (b) and (c) of this section and any other applicable laws or contractual agreements, a qualified entity may provide or sell combined data or provide Medicare data at no cost to authorized users defined at § 401.703(b), (c), (m), and (n).
(b) Data—(1) De-identification. Except as specified in paragraph (b)(2) of this section, any data provided or sold by a qualified entity to an authorized user must be limited to beneficiary de-identified data. De-identification must be determined based on the de-identification standards for HIPAA covered entities found at 45 CFR 164.514(b).
(2) Exception. If such disclosure will be consistent with all applicable laws, data that individually identifies a beneficiary may only be disclosed to a provider or supplier (as defined at § 401.703(b) and (c)) with whom the identifiable individuals in such data have a current patient relationship as defined at § 401.703(r).
(c) Data use agreement between a qualified entity and an authorized user. A qualified entity must contractually require an authorized user to comply with the requirements in § 401.713(d) prior to providing or selling data to an authorized user under § 401.718.