FAQ Data Security 

  1. Why is a Data Use Agreement required? What identifying data is included in the data sets?
    The Data Use Agreement is required because the data sets include information that Health Insurance Portability and Accountability Act (HIPAA) regulations classify as Protected Health Information (PHI). Specifically, because Data Set I associates recipients with counties and because we are allowing potential partners to further select data by zip code, Data Set I is considered ‘potentially identifiable.’ Data sets containing potentially identifiable information are referred to under HIPAA as ‘limited data sets’; limited data sets require a Data Use Agreement under current law.
  2. What security standards are appropriate for this data?
    First, consult the Data Use Agreement and your own counsel. In general, the data should be securely stored and used only for the purpose of preparing a Care Coordination Innovations proposal, and you should not try to identify the data. Since the data is not ‘identified’ as per Health Insurance Portability and Accountability Act (HIPAA) standards, it does not require the same standard of care as clinical and other identified data. Applying clinical data standards is, however, acceptable.
  3. Does data have to be returned or destroyed after the Care Coordination Innovations Project (CCIP) proposal due dates have passed?
    Yes. Please see Section 4, Item g of the Data Use Agreement for more information.
  4. Is my organization allowed to use the data for projects other than a Care Coordination Innovations Project (CCIP) proposal?
    No. While we recognize that the data may provide valuable insight for any number of healthcare activities, our Data Use Agreement stipulates: ‘The Data User may use and disclose the Limited Data Set received from Covered Entity only in connection with the preparation of a Care Coordination Innovations Proposal on behalf of the Covered Entity.’
  5. Can the recipient and provider tables be linked together?
    Data users cannot link the data. HFS delinked recipient data from provider data in order to comply with Health Insurance Portability and Accountability Act (HIPAA) regulations on Protected Health Information (PHI). (Associating a recipient with a named provider, at least for some recipient and provider combinations, makes the data highly identifiable.)