Md. Code Regs. 10.25.05.09

Current through Register Vol. 51, No. 12, June 14, 2024

Section 10.25.05.09 - Data Release Advisory Committee Review

A. The following data requests are not subject to review by the DRAC:

(1) Those categories of data requests and data release described in Regulation .01D(1)"(5) of this chapter;

(2) Requests for data submitted by a governmental entity that the Executive Director determines warrants an expedited review under Regulation .05 of this chapter; and

(3) Requests for aggregate, summarized data as described in Regulation .03C(3)(b) of this chapter.

B. In reviewing an application, the DRAC shall consider the criteria for approval and reasons for disapproval of an application in §§C and D of this regulation and all public comment received under Regulation .07 of this chapter before preparing a written report and recommendation.

C. The DRAC shall determine whether an application has met the following criteria for approval:

(1) An applicant has provided documentation of relevant education, training, and experience that demonstrates the applicant is capable of undertaking and accomplishing the objective of the proposed use of the data and being a responsible steward of the requested data.

(2) The data elements requested by an applicant are the minimum amount necessary to achieve the intended purpose for which the data is requested.

(3) The proposed use of the data complies with applicable State and federal laws, including those laws relating to the privacy and security of protected health information (PHI).

(4) The applicant has provided a written data management plan that demonstrates appropriate privacy and security controls for access and storage of the data and for safeguarding individual privacy and preventing unauthorized access and use of the data.

(5) The requirement of obtaining written authorization from each individual who is the subject of requested identifiable data can be waived in accordance with 45 CFR § 164.512.

(6) If the applicant has proposed linkage of the requested data to other data source(s), the applicant has provided:

(a) Sufficient written justification of the need to link the requested data to the other data source(s) named in the application to accomplish the objective and achieve the results of the proposed use of the data; and

(b) Written proof that an additional level of data privacy and security controls will be in place to protect the privacy and identification of the individuals who are the subject of the requested data and the other data source(s) to which the requested data is to be linked.

(7) An applicant who proposes to develop and sell a product that contains de-identified data has provided satisfactory written justification of how the proposed sale of the product using the deidentified data will serve the public interest.

(8) The proposed use of the data is in the public interest. Examples of uses of data that serve the public interest include:

(a) Health care cost and utilization analysis to guide and develop public policy;

(b) Studies that promote improvement in public health, health care quality, and health care access;

(c) Health planning and resource allocation studies;

(d) Making information on cost and quality accessible to the public; and

(e) Studies directly tied to evaluation and improvement of federal and State government initiatives.

D. The DRAC shall determine whether an application has met any of the following criteria for disapproval:

(1) The proposed use of the data violates State or federal law.

(2) The proposed use of the data is not in the public interest.

(3) The proposed use of the data is designed so that the stated objective of the project cannot be met.

(4) False information or documentation on, or related to, an application was provided to Commission staff, the DRAC, the Executive Director, or the Commission.

(5) An applicant provided incomplete information upon which to base a decision on the application.

(6) An applicant or any person or entity that is an officer, owner, operator, or part of management of an applicant's organization who will have access and use of the requested data is currently, or has been within 10 years prior to the date of the application, a subject of or a party to a state or federal regulatory agency action or civil or criminal action involving a data breach, HIPAA violation, or other matter involving unauthorized access, use, and disclosure of data regardless of whether there has been a finding or admission of guilt, including being:

(a) Convicted of a felony or pleading guilty, nolo contendere, entering a best interest plea of guilty, or receiving a diversionary disposition regarding a felony;

(b) A subject of an investigation conducted by, or a pending complaint, charges, or indictment issued by a local, state, or federal governmental regulatory agency or other state or federal law enforcement agency; or

(c) A party to a final dispositive action in a state or federal governmental agency regulatory action or a civil action that resulted in entry into a settlement agreement, consent agreement, decree or order, corporate integrity agreement, corrective action agreement, or other similar agreement or other disposition in a civil action regardless of whether there has been an admission or finding of guilt or liability.

(7) Violation of a previous data use agreement.

(8) The data management plan does not demonstrate privacy and security controls for safeguarding individual privacy and preventing unauthorized access to or use of the data.

(9) The proposed use of the data is for an impermissible purpose, which includes but is not limited to:

(a) Using the requested data to identify an individual using a particular product or drug in order to develop a marketing campaign and directly contact an individual;

(b) Using the requested data to contact an individual for fund-raising purposes directly; and

(c) Using the requested data to contact an individual who is the subject of the data for any reason.

(10) An applicant who proposes to develop and sell a product that contains requested de-identified data has not provided satisfactory written justification of how the proposed sale of the product using the de-identified data will serve the public interest.

E. A member of the DRAC who has an affiliation with an applicant, or with any entity sponsoring, participating, or otherwise affiliated with an applicant's proposed use of the requested data or any other conflict of interest or appearance of impropriety, shall recuse from consideration of that applicant's application and may not participate in any discussions with other DRAC members or vote on the application.

F. The DRAC may request that the Executive Director authorize the DRAC to invite an individual with expertise and competence in certain areas to assist the DRAC in the review of complex issues that require expertise beyond, or in addition to, that available among the membership of the DRAC. An individual invited pursuant to this section may not:

(1) Have an affiliation with an applicant, or with any entity sponsoring, participating in, or otherwise affiliated with an applicant's proposed use of the requested data or any other conflict of interest or appearance of impropriety; and

(2) Vote on an application.

G. The DRAC may require an applicant to obtain Institutional Review Board review prior to deciding on a recommendation for an application.

H. The DRAC may request that Commission staff obtain additional information and documentation from an applicant if needed to determine whether the criteria for approval in §C of this regulation have been met or the reasons for disapproval in §D of this regulation exist. If an applicant does not provide the additional information within the time limit specified by the DRAC, the DRAC may refer the application to Commission staff with a request that the application submitted by the applicant be administratively closed per Regulation .06B(7) of this chapter.

I. The DRAC, at its discretion, may require that an applicant meet with the DRAC to provide additional information, answer questions, or provide clarification on information provided in an application, the proposed use of the data requested, or the capability of an applicant to accomplish the objective of the proposed use of requested data.

J. The DRAC shall review and consider all public comment received regarding an application under Regulation .07 of this chapter before making a recommendation to the Executive Director.

K. The DRAC, with the administrative support of Commission staff, shall prepare a written report and recommendation for the Executive Director on each application reviewed, which shall address:

(1) Each of the approval criteria in §C of this regulation;

(2) Each of the disapproval criteria in §D of this regulation;

(3) Any public comment received; and

(4) The DRAC's recommendation on whether an application should be approved, approved with conditions, or disapproved.

L. After an application is approved pursuant to Regulation .10 of this chapter, Commission staff may:

(1) Seek the advice and expertise of the DRAC on any issues regarding the applicant's receipt of data or compliance with the terms and conditions of a data use agreement entered into under Regulation .13 of this chapter; and

(2) Request that the DRAC prepare a written report and recommendation to the Executive Director regarding whether any compliance and enforcement actions may be warranted under Regulation .14 of this chapter.

M. A DRAC recommendation on an application or on other issues related to an applicant's receipt of data or compliance with the terms and conditions of a data use agreement entered into under Regulation .13 of this chapter is advisory and not binding on the Executive Director's decision on an application or on whether to pursue an enforcement action under Regulation .14 of this chapter for noncompliance with a data use agreement.

Md. Code Regs. 10.25.05.09

Regulation .09 adopted effective 48:25 Md. R.1071-1098, eff. 12/13/2021