September 13, 1994
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-1. Definitions. For purposes of the regulations in this article, the following words, terms and phrases are hereby defined as follows:
(a) "Aggregate data" means data which is obtained by combining like data in a manner which precludes specific identification of an individual.
(b) "Board" means the health care data governing board.
(c) "CHES" means the center for health and environmental statistics.
(d) "Compilation" means the arrangement of data collected by and furnished to the secretary acting under agreement with the secretary for release and dissemination to the public.
(e) "Fee fund" means the health care database fee fund created by K.S.A. 65-6804 and amendments thereto.
(f) "Health care data" means any data relating to health care, health status, including environmental factors, the health care system, costs and outcomes.
(g) "Health care information" means any health data that has been transformed from its raw form into a more general, less-technical form.
(h) "Health care provider" means any person, organization or entity that renders health care services as described in K.S.A. 65-6805 and amendments thereto.
(i) "Individual" means a single human being.
(j) "Patient or client" means an individual who receives any health care service.
(k) "Person" means any individual, association, partnership, corporation or other entity.
(l) "Primary data collection" means data that were previously unavailable for distribution to the public and are initially collected pursuant to this act.
(m) "Public domain data" means data that were previously collected and available to the public by another source.
(n) "Public health data" means data including epidemiological, health status and community health assessment data.
(o) "Public use data" means data that are available to the general public. This includes data available in electronic or any other form.
(p) "Record identifier" means a unique code generated and assigned to an individual record and used to identify that individual record among databases.
(q) "Secretary" means the secretary of the Kansas department of health and environment.
(r) "State agency" means any regents institution or department under the direction of a cabinet secretary, an elected official or regulatory board.
(s) "Third party payer" means any public or private payer of health care services and includes accident and sickness insurers, health maintenance organizations, health plans and alliances, nonprofit medical and hospital service organizations, and fiscal intermediaries for government-funded programs. (Authorized by and implementing K.S.A. 65-6804, as amended by L. 1994, Ch. 90, sec. 3; effective December 19, 1994.)
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-2. Health care database; information collected. Information regarding various health factors shall be obtained. The health factors shall include, but not be limited to:
(a) mortality and natality, including accidental causes of death;
(b) morbidity;
(c) health behavior;
(d) disability;
(e) health care costs and financing;
(f) health care human resources;
(g) health service utilization and availability;
(h) environmental contaminants;
(i) demographics;
(j) familial social and economic conditions affecting health status; and
(k) population-based health care outcomes. (Authorized by and implementing K.S.A. 65-6801, as amended by L. 1994, Ch. 90, sec. 2; effective December 19, 1994.)
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-3. Health care data collection and submission. (a) Data shall be:
(1) collected and submitted under uniform parameters established by the secretary and approved by the board;
(2) obtained from existing data sources in the public and private sector, where available to minimize the imposition and cost of new reporting requirements;
(3) submitted by licensing boards and agencies, credentialing and registering agencies and health care providers on a schedule defined by the secretary and approved by the board;
(4) submitted by third party payers, on a calendar year basis, annually by July 1 of the following calendar year and shall:
(A) be derived from standard billing or data collection documents or their replacements; and
(B) include only information for services rendered in the calendar year; and adjustments made for 180 days after the close of the calendar year; and
(5) submitted in a manner that does not identify individuals except through the use of a record identifier established by the secretary and approved by the board; except for public domain data, where data may be submitted that includes identification of individuals.
(b) Special data collections.
(1) Special primary data collection and extrapolations may be used as an alternative to or to supplement collection of existing health data from health care providers. The use of primary data collection shall be approved by the board to the extent it can be shown that the information being requested is consistent with the act and will meet validity and quality standards established by the secretary and approved by the board.
(2) Data may also be collected by the secretary from third party payers and health care providers for the purposes of population-based health outcomes comparisons.
(c) The secretary may be delegated by the board the authority to carry out any of the responsibilities granted to the board under these regulations. (Authorized by and implementing K.S.A. 65-6805, as amended by L. 1994, Ch. 90, sec. 4; effective December 19, 1994.)
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-4. Health care data release and rerelease. (a) Data and information received by the secretary and maintained in the health care database shall be used for:
(1) health policy decisions;
(2) health research;
(3) consumer information; and
(4) epidemiological and other public health functions necessary to protect and promote the health of the state.
(b) Public use data.
(1) Public use data shall be developed and compilation of data shall be made available for general distribution which shall not include:
(A) record identifiers;
(B) social security numbers;
(C) patient or client health insurance identification numbers; or
(D) health care provider identifiers.
(2) The board shall review and approve the content and format of these public use data and compilation formats.
(3) The data and compilation shall be made public information and may be released on magnetic media or any other form.
(c) Special studies and analyses.
(1) Special studies and analyses may also be conducted by the secretary to:
(A) assist in health policy decision-making;
(B) fulfill statutory mandates for health policy or public health purposes; or
(C) minimize the duplicate collection of similar data elements.
(2) Prior to the release of any special studies or analyses conducted by the secretary, the board shall review all products generated and approve those not mandated by statute.
(d) Persons or state agencies making requests for data or information from the database other than those from standard reports shall be required to respond to a set of questions developed by the secretary and approved by the board that defines the information needed, description of the project and the intentions for rerelease of the information. Any request which includes record identifiers, social security numbers, patient or client health insurance identification numbers or health care provider identifiers shall be specifically approved by the board. If the request indicates an appropriate use of the data according to the specifications in K.A.R. 28-67-4 (a), the data shall be provided to the person making the request. The request shall be denied by the secretary if the request is not consistent with those specifications in K.A.R. 28-67-4 (a). A written explanation for the denial shall be filed with the person making the request.
(e) Subject to K.S.A. 65-6804 (d), when compilation and special studies are generated by the secretary which identify health care providers, the health care providers shall be provided a copy of the data referencing them and given the opportunity to submit written comments to the secretary. When comments are received by the secretary within 30 days of the postmark on the notification from the secretary, such comments received shall be released with the data.
(f) Data other than those provided in compilation, public domain and public use data, that includes record or health care provider identifiers may be released to persons or state agencies for research purposes.
Any request for these data shall comply with K.A.R. 28-67-4 (d) and be approved by the board. These data with record or health care provider identifiers shall not be rereleased by the person or state agency in any form with these identifiers that does not comply with K.A.R. 28-67-6 and approval of the board.
(g) Any person or state agency may apply to the secretary for data to be used in a research study. A research protocol shall be submitted which shall include, but not be limited to:
(1) a description of the proposed study;
(2) the purpose of the study;
(3) a description of the data elements needed for the study;
(4) a description of the information medium or format requested;
(5) where applicable, a statement indicating whether the study protocol has been reviewed and approved by a human subjects review board;
(6) a description of data security procedures, including who shall have access to the data; and
(7) a description of the proposed use and release of the data.
(h) Any person or state agency requesting the data shall agree to the release, confidentiality, and security of data requirements in K.A.R. 28-67-4, K.A.R. 28-67-6 and K.A.R. 28-67-8.
(i) Prior to the release of a subset of data or compilation, a statement instructing the user or reader about the meaning and significance of the data and the restrictions about redisclosure of the information shall be included.
(j) A data provider may obtain data it has submitted to the database as well as aggregate data. A data provider shall not obtain data submitted by another data provider without approval from that provider. Agreement to grant access to data submitted by another provider shall be filed in writing with the secretary.
(k) Unauthorized use of health care data obtained or collected under K.S.A. 65-6805 and amendments thereto by any person or state agency shall result in termination of system access and no further provision of data.
(l) The board may delegate the secretary the authority to carry out any of the responsibilities granted to the board under these regulations. (Authorized by and implementing K.S.A. 65-6804, as amended by L. 1994, Ch. 90, sec. 3; effective December 19, 1994.)
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-5. Electronic access to public use data. (a) Persons or state agencies may be granted electronic access to public use data. Definitions of allowable access for data submitted to the database shall be established by the secretary and approved by the board.
(b) All persons or state agencies requesting electronic access to public use data shall complete an application established by the secretary and approved by the board that describes the security procedures to be used to safeguard the data provided according to K.A.R. 28-67-6 and K.A.R. 28-67-8. (Authorized by and implementing K.S.A. 65-6804, as amended by L. 1994, Ch. 90, sec. 3; effective December 19, 1994.)
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-6. Confidentiality of the health care database. (a) Data or information that in any manner identifies an individual shall not be released. Researchers demonstrating the need for data containing record identifiers or names of health care providers shall be subject to the release, confidentiality and security requirements pursuant to K.A.R. 28-67-4, K.A.R. 28-67-6, and K.A.R. 28-67-8 and approval of the board.
(b) Any information generated from manipulations of data provided by the database shall be subject to release, confidentiality and security requirements pursuant to K.A.R. 28-67-4, K.A.R. 28-67-6 and K.A.R. 28-67-8.
(c) The individual forms, computer tapes or other forms of data collected by and furnished to the database shall not be available to the public. Special reports prepared for any data requester shall not be made public if the report identifies an individual.
(d) Public domain data obtained for the health care database may be made public through compilation and as public use data in a manner that identifies health care providers.
(e) Primary data collected which identify individuals shall be kept confidential and shall not be made public. Individual data associated with patient numbers, social security numbers and patient or client health care coverage identification numbers, or any other data that can identify individuals shall be kept confidential and shall not be made public. Any release of primary data shall be subject to K.A.R. 28-67-4.
(f) Primary data collected that identifies health care providers shall be kept confidential and shall not be made public except that public health data which identifies health care providers may be released. Release of these data shall be subject to K.A.R. 28-67-4.
(g) In this subsection, "small number" means any number that is not large enough to ensure that the identity of individuals and health care providers is protected. Any data element category which contains small numbers shall be aggregated using procedures established by the secretary. The procedures shall follow commonly accepted statistical methodology. (Authorized by and implementing K.S.A. 65-6804, as amended by L. 1994, Ch. 90, sec. 3; effective December 19, 1994.)
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-7. Fees established. (a) Routine compilations produced by the secretary shall be made available to state agencies, health care providers, purchasers, employers, consumers and other interested parties. A fee sufficient to recover the costs of production or duplication may be charged.
(b) Requests for non-routine compilation requiring special analyses shall be billed under contract between the requester and the secretary to include the hourly rate of the analyst or analysts plus all computer, printing and other costs. State agencies asking for data solely for the purposes of analysis may be exempt.
(c) Compilation or data made available on computer tape or other electronic media shall include the cost of the magnetic tape, diskette, or other electronic media.
(d) Providers of data, board members and interested parties shall receive one free copy of the secretary's routine annual and quarterly compilation.
(e) Persons and state agencies requesting electronic access to public use data may be charged a monthly fee for that access.
(f) Providers contributing data to the system may be charged reduced rates for special reports not to exceed seventy-five percent of the fees charged to the public.
(g) The secretary, on behalf of the health care database and as chairperson of the board, shall reserve the right to request a portion of revenues generated from use of data provided to any person that is above the cost of production of products.
(h) All fees collected pursuant to K.A.R. 28-67-7 shall be deposited in the health care database fee fund. (Authorized by and implementing K.S.A. 65-6804, as amended by L. 1994, Ch. 90, sec. 3; effective December 19, 1994.)
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-8. Record security. (a) All staff engaged in the collection, handling, and dissemination of health care data shall be informed of the responsibility to protect the data and the consequences of failure to do so. When employees are hired, each employee shall be instructed on the current procedures used to assure the security and confidentiality of the data. A copy of the confidentiality policy shall be provided to all personnel and a statement of responsibility for data confidentiality shall be explained as a condition of employment.
(b) Employees shall be held accountable for the appropriate use of individual data and for safeguarding the information in their possession. Confidential data may be used only for purposes reviewed and approved by the secretary. Any unauthorized use of health care data from the database shall be strictly prohibited and may subject an employee to termination.
(c) Access to the database shall be restricted to those who specifically require access in order to perform their assigned duties. Access policies and staff members needing to access the database shall be established by the secretary.
(d) Supervisors shall be responsible for maintaining the security for data in the area of their responsibility. Persons or state agencies engaged in the collection, handling, and dissemination of health care data shall develop procedures to govern the release of information. (Authorized by and implementing K.S.A. 65-6804, as amended by L. 1994, Ch. 90, sec. 3; effective December 19, 1994.)
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-9. System security. (a) All health care data shall be maintained on computer systems administered by CHES. A password system shall be used to limit access to computer files. Passwords shall be changed on a schedule determined by CHES staff, and an individual account shall be deleted whenever a staff member terminates employment or is no longer authorized access to the system.
(b) Only CHES staff shall be authorized to load data tapes and install software and file servers. All software shall be checked for computer viruses before being installed.
(c) General access to the central computer area shall be limited to normal work hours only. Access shall be restricted to CHES staff at all other times unless an individual obtains authorization to access the computer area.
(d) Network tape backups shall be stored on-site in a secure fire retardant location. Additional copies of software, documentation, and backups shall be stored at a secure, off-site location.
(e) Non-Kansas department of health and environment staff shall set up a CHES user account in order to access the health care information system. Passwords shall only be issued to non-Kansas department of health and environment users if they are under contract to Kansas department of health and environment or under the terms of a data sharing agreement. Unauthorized use of health care data by any other person or governmental subdivision granted access to the database shall result in termination of system access and no further provision of data.
(f) Network backups shall be done weekly and at the end of each month. Two copies of the monthly backup tape shall be produced. All network files shall be checked for computer viruses before backup. (Authorized by and implementing K.S.A. 65-6804, as amended by L. 1994, Ch. 90, sec. 3; effective December 19, 1994.)
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-10. Eligible contractors. (a) A contractor may be designated to provide data processing services for the collection of health care information. The contractor may be a public or private organization. Eligible contractors shall provide to the secretary assurances that there are no conflicts of interest.
(b) Persons who shall not be contractors include, but shall not be limited to:
(1) a major purchaser, payer or provider of health care services in Kansas;
(2) a subcontractor of an organization in K.A.R. 28-67-10 (b)(1), except those commissioned to perform only data processing functions;
(3) a subsidiary or affiliate of an organization in K.A.R. 28-67-10 (b)(1) in which a controlling interest is held and may be exercised by that organization either independently or in concert with any other organization in K.A.R. 28-67-10 (b)(1); or
(4) an association of major purchasers, payers or providers of health care services.
(c) State agencies are exempt from the requirement under subsection (b) of this regulation regarding eligibility to contract and may offer a bid if the secretary decides to bid the contract for services.
(d) The contractor may be granted the authority to examine confidential materials and perform other functions authorized by the secretary and approved by the board. The contractor shall comply with all confidentiality and record security requirements pursuant to K.A.R. 28-67-6 and K.A.R. 28-67-8. The release of confidential information by the contractor shall constitute grounds for the secretary to terminate any agreement between the contractor and the secretary. (Authorized by and implementing K.S.A. 65-6804, as amended by L. 1994, Ch. 90, sec. 3; effective December 19, 1994.)
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-11. Cooperative agreements. (a) Where the need for cooperative agreements and memoranda of understanding facilitate the cost-effectiveness of health care data collection, cooperative agreements and memoranda of understanding may be established by the secretary with organizations described in K.A.R. 28-67-10 (b).
(b) Organizations entering cooperative agreements and establishing memoranda of understanding shall provide the secretary assurances that the data will be collected and utilized for their intended purpose only.
(c) Organizations entering cooperative agreements and establishing memoranda of understanding shall be subject to the confidentiality and record security requirements in K.A.R. 28-67-6 and K.A.R. 28-67-8. (Authorized by and implementing K.S.A. 65-6804, as amended by L. 1994, Ch. 90, sec. 3; effective December 19, 1994.)
KANSAS DEPARTMENT OF HEALTH AND ENVIRONMENT
Proposed New Permanent Regulations
Article 67. Health Care Database
28-67-12. Data validation. (a) All data submitted to the health care database shall be evaluated for accuracy and standardization.
(b) Any inconsistencies and non-standard reporting of data submitted to the database shall be documented and reported to the providers of the data. Data providers shall be given 30 days to reconcile the inaccuracies or inconsistencies identified by the secretary.
(c) Comments provided to the secretary pursuant to K.A.R. 28-67-4 (e) may be used to reconcile any inaccuracies or inconsistencies identified by the data provider. (Authorized by and implementing K.S.A. 65-6804, as amended by L. 1994, Ch. 90, sec. 3; effective December 19, 1994.)
RETURN TO RULES AND REGULATIONS