216.2927 Types of data not to be published, released, or subject to inspection -- Public-use data agreements and privacy rules -- Confidentiality of raw data -- Penalty for violation.

Download pdf

Loading PDF...


Page 1 of 2 216.2927 Types of data not to be published, released, or subject to inspection -- Public-use data agreements and privacy rules -- Confidentiality of raw data -- <br>Penalty for violation. (1) The following types of data shall be deemed as relating to personal privacy and, except by court order, shall not be published or otherwise released by the cabinet or <br>its staff and shall not be subject to inspection under KRS 61.870 to 61.884: <br>(a) Any data, summary of data, correspondence, or notes that identify or could be used to identify any individual patient or member of the general public, unless <br>the identified individual gives written permission to release the data or <br>correspondence; (b) Any correspondence or related notes from or to any employee or employees of a provider if the correspondence or notes identify or could be used to identify <br>any individual employee of a provider, unless the corresponding persons grant <br>permission to release the correspondence; and (c) Data considered by the cabinet to be incomplete, preliminary, substantially in error, or not representative, the release of which could produce misleading <br>information. (2) Health-care providers submitting required data to the cabinet shall not be required to obtain individual permission to release the data, except as specified in subsection <br>(1) of this section, and, if submission of the data to the cabinet complies with <br>pertinent administrative regulations promulgated pursuant to KRS Chapter 13A, <br>shall not be deemed as having violated any statute or administrative regulation <br>protecting individual privacy. (3) (a) No less than sixty (60) days after the annual report or reports are published and except as otherwise provided, the cabinet shall make all aggregate data <br>which does not allow disclosure of the identity of any individual patient, and <br>which was obtained for the annual period covered by the reports, available to <br>the public. (b) Persons or organizations requesting use of the data shall agree to abide by a public-use data agreement and by HIPPA privacy rules referenced in 45 <br>C.F.R. Part 164. The public-use data agreement shall include, at a minimum, a <br>prohibition against the sale or further release of data, and guidelines for the <br>use and analysis of the data released to the public related to provider quality, <br>outcomes, or charges. (c) Single copies of the printed data shall be made available to individuals at no cost. The cabinet may impose a fee for providing electronic or multiple <br>printed copies of the data. At least one (1) printed and one (1) electronic copy <br>of the aggregate data shall be provided without charge to the Legislative <br>Research Commission. (d) The Health Services Data Advisory Committee shall review at least annually current protocols related to the release of data under this subsection and shall <br>make recommendations to the cabinet advisory committee established under <br>KRS 216.2923. Page 2 of 2 (4) Collection of data about individual patients shall be in a nonidentifying numeric form and shall not include a patient's name or Social Security number. Any person <br>who receives information identifying a patient through error or any other means <br>shall return all copies of the information immediately. (5) All data and information collected shall be kept in a secure location and under lock and key when specifically responsible personnel are absent. (6) Only designated cabinet staff shall have access to raw data and information. The designated staff shall be made aware of their responsibilities to maintain <br>confidentiality. Staff with access to raw data and information shall sign a statement <br>indicating that the staff person accepts responsibility to hold that data or identifying <br>information in confidence and is aware of penalties under state or federal law for <br>breach of confidentiality. Data which, because of small sample size, breaches the <br>confidence of individual patients, shall not be released. (7) Any employee of the cabinet who violates any provision of this section shall be fined not more than five hundred dollars (&#36;500) for each violation or be confined in <br>the county jail for not more than six (6) months, or both, and shall be removed and <br>disqualified from office or employment. Effective: July 15, 2008 <br>History: Amended 2008 Ky. Acts ch. 71, sec. 3, effective July 15, 2008. -- Amended 1996 Ky. Acts ch. 371, sec. 28, effective July 15, 1996. -- Created 1994 Ky. Acts <br>ch. 512, Pt. 2, sec. 9, effective July 15, 1994. Legislative Research Commission Note (7/15/2008). The internal numbering of subsection (3) of this section has been altered by the Reviser of Statutes from the <br>numbering in 2008 Ky. Acts ch. 71, sec. 3, under the authority of KRS 7.136.