(a) (1) DHIN shall by rule or regulation ensure that patient specific health information is disclosed only with the patient's consent or best interest to those having a need to know.
(2) A disclosure that is made in the patient's “best interest to those having a need to know” includes any of the following:
a. Disclosure for treatment, payment and operations purposes, and required disclosures to public health authorities, as “treatment”, “payment”, “operations”, and “public health authorities” are defined under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and associated regulations.
b. Disclosure for other purposes permitted under Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and other federal law and regulations addressing the privacy of protected health information.
(b) Health information and data held by DHIN is not subject to the Freedom of Information Act, Chapter 100 of Title 29, or to subpoena by a court. The health information and data may be disclosed only by consent of the patient or under DHIN's rules, regulations, or orders.
(c) DHIN shall by rule or regulation provide a Delaware resident with access to the resident's own health information that is in DHIN's possession, if and to the extent that access is permitted by Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and DHIN's contract with a relevant data-sending organization.
(d) DHIN shall by rule or regulation provide a Delaware resident with the ability to direct DHIN to disclose the resident's own health information to a third party that the resident approves, if and to the extent that the disclosure is permitted by Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and DHIN's contract with a relevant data-sending organization.
(e) In addition to the disclosures permitted by subsection (a) of this section, DHIN shall by rule or regulation provide a health-care payer, provider, purchaser, or researcher with access to clinical data in DHIN's possession, if and to the extent that the access is permitted by Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and DHIN's contract with the relevant data-sending organizations.
(1) The reasons for which access to clinical data is permissible under this subsection include any of the following:
a. The facilitation of data-driven, evidence-based improvements in access to and quality of health care.
b. The improvement of the health of Delawareans generally.
c. Lowering the growth in per capita health-care costs.
d. Providing an enhanced provider experience that promotes patient engagement.
(2) DHIN may not provide patient-specific data to a person under this subsection without first obtaining written consent from the patient authorizing the disclosure.
(3) Clinical data may be provided to a requesting person under this subsection only when a majority of the DHIN Board of Directors, or of a subcommittee established under DHIN's bylaws for purposes of reviewing data requests, determines that the clinical data should be provided to the requesting person to facilitate the purposes of this subsection.
a. If the DHIN Board of Directors or appropriate subcommittee of the Board so determines, DHIN may release fully de-identified data or the analytic evaluation thereof to third parties or the public without obtaining full Board or subcommittee review, for purposes consistent with this subsection.
b. A request for limited data sets or identifiable data must go through Board or subcommittee review.
c. The Board's or subcommittee's determination under this subsection is final and not subject to appeal. A requesting person, data-sending organization, or other party has no private right of action to enforce a requirement under this subsection or otherwise challenge the Board's or subcommittee's determination.
(4) a. DHIN shall promulgate regulations to notify a data-sending organization when clinical data consisting of a limited data set or identifiable data submitted by the data-sending organization may be released for a purpose permitted under this subsection.
b. If DHIN notifies a data-sending organization under paragraph (e)(4)a. of this section, DHIN shall provide the data-sending organization with an opportunity to comment on the data release request prior to releasing the data. DHIN shall review, consider, and respond to the data-sending organization's comments.
(5) a. DHIN shall provide clinical data provided to a requesting person under this subsection under DHIN's existing confidentiality and data security protocols and in compliance with all applicable state and federal laws relating to the privacy and security of protected health information.
b. A person that receives individually-identifiable patient health information under this subsection shall maintain the information by complying with all applicable state and federal laws relating to the confidentiality and security of protected health information, including related regulations promulgated under this chapter.
(f) DHIN may enter a contract under § 10303(a)(11) of this title with a person that requests data or analytic services from DHIN.
(g) A state agency is not required to comply with the State's procurement law under Chapter 69 of Title 29 to procure services from DHIN.
(h) A violation of DHIN's rules or regulations regarding access or misuse of health information or data held by DHIN must be reported to the office of the Attorney General, and is subject to prosecution and penalties under the Delaware Criminal Code or federal law.
Structure Delaware Code
Chapter 103. DELAWARE HEALTH INFORMATION NETWORK
§ 10302. Delaware Health Information Network Board of Directors.
§ 10304. Immunity from suit; limitation of liability.
§ 10306. Regulations; resolution of disputes.
§ 10307. Privacy; protection and use of information.
§ 10308. No pledge of state credit; no assumption of liability by State.