216-RICR-10-10-5
A. Wherever used in this Part, the following terms shall be construed as follows:
7. “Direct personal identifier” means any information, as to a Member, other than case or code numbers used to create anonymous or encrypted data, that plainly discloses the identity of an individual, including:
Unless specifically exempted pursuant to § 5.3.2 of this Part, this Part applies to all Insurers, as defined in § 5.2(A)(16) of this Part.
A. The requirements of this Part shall not apply to:
2. Insurance coverage providing benefits for:
i. Other limited benefit policies, including but not limited to those exempt from the application of R.I. Gen. Laws § 27-50-3 pursuant to subsection (t)(2) through (4) of that statute.
A. A covered Insurer must permit enrolled or covered Members to “opt out” of having any information or health care claims relating to them submitted to the RIAPCD.
A. Health Care Claims Data Sets and any other information submitted pursuant to this Part, by and between Insurers, the RIAPCD, the Data Aggregator, and the Encrypted Unique Identifier Vendor:
2. Shall be transmitted in accordance with the Rules adopted in HIPAA (45 C.F.R. Parts 160 through 164), Confidentiality of Health Care Communications and Information Act (R.I. Gen. Laws Chapter 5-37.3) and other applicable law(s).
All Health Care Claims Data Sets submitted to the Department or Data Aggregator pursuant to § 5.5 of this Part shall be protected by the removal or Hashing of all Direct Personal Identifiers. The Department or Data Aggregator shall not collect any data containing Direct Personal Identifiers.
A. As part of the Health Care Claims Data Set, Insurers shall submit a Member Eligibility File, as specified in the RIAPCD Technical Specification Manual, for each of its Members to the Encrypted Unique Identifier Vendor to effectuate this requirement in accordance with the timeline outlined in § 5.6.2 of this Part. Under no circumstances shall the Insurer submit any Personal Health Information to the Encrypted Unique Identifier Vendor at any time or for any reason. Only Member demographic information, devoid of all Personal Health Information of any kind, shall be submitted to the Encrypted Unique Identifier Vendor.
5. Data which is required to be sent to the Encrypted Unique Identifier Vendor by the Insurers shall not be considered data collected by the Department, the Director, the Data Aggregator or the RIAPCD.
A. The Encrypted Unique Identifier vendor shall provide the Encrypted Unique Identifier assigned to a Member to the Insurer of record for that Member. Prior to sending data sets to the Data Aggregator, the Insurer shall attach the assigned Encrypted Unique Identifier to each record. Prior to transmitting the data sets and Encrypted Unique Identifier to the Data Aggregator, all Direct Personal Identifiers shall be removed and/or hashed.
A. Except as specifically exempted pursuant to § 5.3.2 of this Part, each Insurer shall submit to the Director a Health Care Claims Data Set pursuant to § 5.5.3 of this Part and an APM File, pursuant to § 5.5.4 of this Part. The Health Care Claims Data Set shall include claims-line detail for all health care services provided to a Member, whether or not the health care was provided within Rhode Island. Such data shall include, but shall not be limited to, fully-insured and self-funded accounts, all commercial medical products for all individuals and all group sizes and Medicare or Medicaid health plans. Such data shall not include Direct Personal Identifiers. The APM File shall include all payments for Members under contracts sitused in Rhode Island. For contracts issued at the group level, the contract is considered sitused in the State where the contract is sold. For contracts that are issued at the individual level, the contract is considered sitused in the State where the individual resides.
B. The Health Care Claims Data Sets and APM File shall be submitted to the Data Aggregator in the format required in the RIAPCD Technical Specification Manual.
C. Insurers shall transmit the required Health Care Claims Data Sets and APM File by means of a secure file transfer system to the Data Aggregator in a manner that is fully compliant with HIPAA and applicable Rhode Island statutes and Regulations.
B. It shall be the responsibility of the Insurer to resubmit or amend the form whenever modifications occur relative to the health care claims data set files, type(s) of business conducted, or contact information.
E. Provider File: Insurers shall submit files consistent with the definition contained in § 5.2(A)(24) of this Part. As detailed in the RIAPCD Technical Specification Manual, payers shall report information that will uniquely identify Health Care Providers and allow retrieval of related information from Eligibility, Medical, and Pharmacy Claims Files.
1. Tax ID numbers shall be submitted as part of the dataset except in the case that a provider uses their personal Social Security number as their tax ID number in which case the tax ID number need not be submitted.
Only code sources and file specifications specified in this Part and/or the RIAPCD Technical Specification Manual shall be utilized in submission of the Health Care Claims Data Sets required pursuant to § 5.5 of this Part.
A. Insurers shall submit information to the RIAPCD and the Encrypted Unique Identifier Vendor in the specified format in accordance with the following schedule:
1. Test Data Submissions
2. Health Care Claims Data Set Historical Data Submissions
b. The Encrypted Unique Identifier Vendor shall return the historical Member Eligibility File to the Insurer with an assigned Encrypted Unique Identifier within thirty (30) days of a submission of historical files by an Insurer. Within three hundred thirty (330) days of notification by the Department, or other date mutually agreed upon by the Department and Insurer, Insurers shall submit Member Eligibility Files, Medical Claims Files, Pharmacy Files, Dental Files, and Provider Files as specified in the RIAPCD Technical Specification Manual, to the Data Aggregator.
3. Health Care Claims Data Set Regular Data Submissions
a. Upon completion of Historical Data Submissions as required by § 5.6.2(A)(2) of this Part, Insurers shall commence Regular Data Submissions.
b. Insurers shall submit a Member Eligibility File for each of its Members, as specified in the RIAPCD Technical Specification Manual, to the Encrypted Unique Identifier Vendor.
d. Effective upon ten (10) business days after the receipt of the Member Eligibility File from the Encrypted Unique Identifier Vendor, Insurers shall submit Member Eligibility Files, Medical Claims Files, Pharmacy Claims Files, Dental Claims Files, and Provider Files, as specified in the RIAPCD Technical Specification Manual, to the Data Aggregator.
5. Alternative Payment Model Historical Data Submissions
a. Within three hundred thirty (330) days of notification by the Department, or other date mutually agreed upon by the Department and Insurer, Insurers shall submit three (3) calendar years of representative APM Files as specified in the RIAPCD Technical Specification Manual to the Data Aggregator.
6. Alternative Payment Model Regular Data Submission
a. Upon completion of Historical Data Submissions, Insurers shall commence Regular Annual Data Submissions.
A. The Data Aggregator shall evaluate each Member Eligibility File, Provider File, Medical Claims File, Pharmacy Claims File, and Dental File in accordance with the following standards:
4. Files submitted to the Data Aggregator shall not contain Direct Personal Identifiers.
Upon completion of this evaluation, the Director or his or her designee will notify each Insurer whose data submissions do not satisfy the standards for any reporting period. This notification will identify the specific file and the data elements that are determined to be unsatisfactory.
A. Each Insurer notified under § 5.7.2 of this Part shall resubmit within ten (10) business days of the date of notification with the required changes.
1. The Director shall have the discretion to require a response as required by this subsection in a reasonable time commensurate with the level of difficulty for the level of correction required to a data submission.
A. General Provisions
3. All Users of RIAPCD data, including Rhode Island State Agencies, shall adhere to the following privacy guidelines:
c. All Users shall adhere to RIAPCD data display and reporting requirements when disclosing RIAPCD data or data outputs to the public or any person who has not been authorized as a User by the Department, as follows, and as specified in the Data Use Agreement entered into by the User and the Department:
C. Requests for RIAPCD Data
2. The Director or his or her designee may approve requests for access to the RIAPCD by Rhode Island State Agencies under the Executive Office of Health and Human Services, the Office of the Health Insurance Commissioner (OHIC), and the Health Benefits Exchange (also known as HealthSource RI or HSRI), or from persons or organizations performing work on behalf of these agencies, subject to the terms of a Data Use Agreement.
a. All other requests for RIAPCD data shall require a written application that:
3. A Data Release Review Board or “Board” shall review requests for RIAPCD data and advise the Director on whether the final products of the proposed project present minimal risk of identification of Members.
a. The Board shall have a Chairperson and Members appointed by the Director. Board Members shall have demonstrated expertise in a diverse range of health care areas including, but not limited to, State and Federal privacy law and data security. The Board shall be comprised of eleven (11) to fifteen (15) Members and shall include but not be limited to:
c. The Board and Director, as part of their review, shall consider:
4. The fees for RIAPCD data sets that have been approved for release by the Department include the costs for programming and report generation, duplicating charges and other costs associated with the production and transmission of data sets.
c. The fees may be reduced or waived for the following entities at the discretion of the Department:
A. The Director may pursue any combination of the following administrative and judicial enforcement actions, depending upon the circumstances and gravity of each case: