42 C.F.R. § 401.718

Current through September 30, 2024
Section 401.718 - Dissemination of data
(a)General. Subject to the other requirements in this subpart, the requirements in paragraphs (b) and (c) of this section and any other applicable laws or contractual agreements, a qualified entity may provide or sell combined data or provide Medicare data at no cost to authorized users defined at § 401.703(b), (c), (m), and (n) .
(b)Data -
(1)De-identification. Except as specified in paragraph (b)(2) of this section, any data provided or sold by a qualified entity to an authorized user must be limited to beneficiary de-identified data. De-identification must be determined based on the de-identification standards for HIPAA covered entities found at 45 CFR 164.514(b) .
(2)Exception. If such disclosure will be consistent with all applicable laws, data that individually identifies a beneficiary may only be disclosed to a provider or supplier (as defined at § 401.703(b) and (c) ) with whom the identifiable individuals in such data have a current patient relationship as defined at § 401.703(r) .
(c)Data use agreement between a qualified entity and an authorized user. A qualified entity must contractually require an authorized user to comply with the requirements in § 401.713(d) prior to providing or selling data to an authorized user under § 401.718 .

42 C.F.R. §401.718

81 FR 44481, July 7, 2016
81 FR 44481, 7/7/2016; 81 FR 44481, 9/6/2016