LAWS OF DELAWARE
VOLUME 83
CHAPTER 138
151st GENERAL ASSEMBLY
FORMERLY
SENATE BILL NO. 88
AN ACT TO AMEND TITLE 16 OF THE DELAWARE CODE RELATING TO THE DELAWARE HEALTH INFORMATION NETWORK AND THE PROTECTION AND USE OF INFORMATION.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF DELAWARE:
Section 1. Amend § 10307, Title 16 of the Delaware Code by making deletions as shown by strike through and insertions as shown by underline as follows:
§ 10307. Privacy; protection and use of information.
(a)(1) The DHIN shall by rule or regulation ensure that patient specific health information be is disclosed only in accordance with the patient’s consent or best interest to those having a need to know.
(2) A disclosure that is made in the patient’s “best interest to those having a need to know” includes any of the following:
a. Disclosure for treatment, payment and operations purposes, and required disclosures to public health authorities, as “treatment”, “payment”, “operations”, and “public health authorities” are defined under the Health Insurance Portability and Accountability Act of 1996 [P.L. 104-191] and associated regulations.
b. Disclosure for other purposes permitted under Health Insurance Portability and Accountability Act of 1996 [P.L. 104-191] and other federal law and regulations addressing the privacy of protected health information.
(b) The health information and data of the DHIN shall not be subject to the Freedom of Information Act, Chapter 100 of Title 29, nor to subpoena by any court. Such information may only be disclosed may be disclosed by consent of the patient or in accordance with the DHIN’s rules, regulations or orders.
(b) Health information and data held by DHIN is not subject to the Freedom of Information Act, Chapter 100 of Title 29, or to subpoena by a court. The health information and data may be disclosed only by consent of the patient or under DHIN’s rules, regulations, or orders.
(c) DHIN shall by rule or regulation provide a Delaware resident with access to the resident’s own health information that is in DHIN’s possession, if and to the extent that access is permitted by Health Insurance Portability and Accountability Act of 1996 [P.L. 104-191] and DHIN’s contract with a relevant data-sending organization.
(d) DHIN shall by rule or regulation provide a Delaware resident with the ability to direct DHIN to disclose the resident’s own health information to a third party that the resident approves, if and to the extent that the disclosure is permitted by Health Insurance Portability and Accountability Act of 1996 [P.L. 104-191] and DHIN’s contract with a relevant data sending organization.
(e) In addition to the disclosures permitted by subsection (a) of this section, DHIN shall by rule or regulation provide a health-care payer, provider, purchaser, or researcher with access to clinical data in DHIN’s possession, if and to the extent that the access is permitted by Health Insurance Portability and Accountability Act of 1996 [P.L. 104-191] and DHIN’s contract with the relevant data sending organizations.
(1) The reasons for which access to clinical data is permissible under this subsection (e) include any of the following:
a. The facilitation of data-driven, evidence-based improvements in access to and quality of health care.
b. The improvement of the health of Delawareans generally.
c. Lowering the growth in per capita health care costs.
d. Providing an enhanced provider experience that promotes patient engagement.
(2) DHIN may not provide patient-specific data to a person under this subsection without first obtaining written consent from the patient authorizing the disclosure.
(3) Clinical data may be provided to a requesting person under this subsection only when a majority of the DHIN Board of Directors, or of a subcommittee established under DHIN’s bylaws for purposes of reviewing data requests, determines that the clinical data should be provided to the requesting person to facilitate the purposes of this subsection.
a. If the DHIN Board of Directors or appropriate subcommittee of the Board so determines, DHIN may release fully deidentified data or the analytic evaluation thereof to third parties or the public without obtaining full Board or subcommittee review, for purposes consistent with this subsection.
b. A request for limited data sets or identifiable data must go through Board or subcommittee review.
c. The Board’s or subcommittee’s determination under this subsection is final and not subject to appeal. A requesting person, data sending organization, or other party has no private right of action to enforce a requirement under this subsection or otherwise challenge the Board’s or subcommittee’s determination.
(4)a. DHIN shall promulgate regulations to notify a data sending organization when clinical data consisting of a limited data set or identifiable data submitted by the data sending organization may be released for a purpose permitted under this subsection.
b. If DHIN notifies a data sending organization under paragraph (e)(4)a. of this section, DHIN shall provide the data sending organization with an opportunity to comment on the data release request prior to releasing the data. DHIN shall review, consider, and respond to the data sending organization’s comments.
(5)a. DHIN shall provide clinical data provided to a requesting person under this subsection (e) under DHIN’s existing confidentiality and data security protocols and in compliance with all applicable state and federal laws relating to the privacy and security of protected health information.
b. A person that receives individually-identifiable patient health information under this subsection (e) shall maintain the information by complying with all applicable state and federal laws relating to the confidentiality and security of protected health information, including related regulations promulgated under this chapter.
(f) DHIN may enter a contract under § 10303(a)(11) of this title with a person that requests data or analytic services from DHIN.
(g) A state agency is not required to comply with the state’s procurement law under Chapter 69 of Title 29 to procure services from DHIN.
(c) Any (h) A violation of the DHIN’s rules or regulations regarding access or misuse of the DHIN health information or data shall health information or data held by DHIN must be reported to the office of the Attorney General, and is subject to prosecution and penalties under the Delaware Criminal Code or federal law.
Approved September 10, 2021