5084-S AMS BECK S2545.2
SSB 5084 - S AMD 216
By Senators Becker, Frockt
ADOPTED 3/10/2015
Strike everything after the enacting clause and insert the following:
"Sec. 1.  RCW 43.371.010 and 2014 c 223 s 8 are each amended to read as follows:
The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
(1) "Authority" means the health care authority.
(2) "Carrier" and "health carrier" have the same meaning as in RCW 48.43.005.
(3) "Claims data" means the data required by RCW 43.371.030 to be submitted to the database, including billed, allowed and paid amounts, and such additional information as defined by the director in rule. (("Claims data" includes: (a) Claims data related to health care coverage and services funded, in whole or in part, in the omnibus appropriations act, including coverage and services funded by appropriated and nonappropriated state and federal moneys, for medicaid programs and the public employees benefits board program; and (b) claims data voluntarily provided by other data suppliers, including carriers and self-funded employers.))
(4) "Database" means the statewide all-payer health care claims database established in RCW 43.371.020.
(5) "Data vendor" means an entity contracted to perform data collection, processing, aggregation, extracts, analytics, and reporting.
(6) "Director" means the director of financial management.
(((6))) (7) "Lead organization" means the organization selected under RCW 43.371.020.
(((7))) (8) "Office" means the office of financial management.
(9) "Data supplier" means: (a) A carrier, third-party administrator, or a public program identified in RCW 43.371.030 that provides claims data; and (b) a carrier or any other entity that provides claims data to the database at the request of an employer-sponsored self-funded health plan or Taft-Hartley trust health plan pursuant to RCW 43.371.030(1).
(10) "Direct patient identifier" means a data variable that directly identifies an individual including, but not limited to, first name, last name, social security number, birth month, birth day, medical record numbers, individual health plan beneficiary numbers, biometric identifiers, full face photographic images and any comparable images, postal address, telephone numbers, fax numbers, electronic mail addresses, contact information, and any other data or records that can be directly connected to an individual.
(11) "Indirect patient identifier" means a data variable that can be associated with an individual when characteristics are considered in combination or when combined with other data sources. Indirect patient identifiers may include, but are not limited to, geographic identifiers smaller than a state, including city, zip code, or census tract, dates directly related to an individual, including birth date, admission date, discharge date, certain procedure dates, date of death, and ages over eighty-nine.
(12) "Proprietary financial information" means claims data or reports that disclose or would allow the determination of specific terms of contracts, discounts, or fixed reimbursement arrangements or other specific reimbursement arrangements between an individual health care facility or health care provider, as those terms are defined in RCW 48.43.005, and a specific payer, or internal fee schedule or other internal pricing mechanism of integrated delivery systems owned by a carrier.
(13) "Unique identifier" means an identifier assigned by a data vendor to individuals represented in the database, based on a probabilistic matching of numerous data elements to establish that record's uniqueness and to establish a basis for following an individual longitudinally throughout different payers and encounters in the data without revealing an individual's identity.
Sec. 2.  RCW 43.371.020 and 2014 c 223 s 10 are each amended to read as follows:
(1) The office shall establish a statewide all-payer health care claims database to support transparent public reporting of health care information. The database must improve transparency to: Assist patients, providers, and hospitals to make informed choices about care; enable providers, hospitals, and communities to improve by benchmarking their performance against that of others by focusing on best practices; enable purchasers to identify value, build expectations into their purchasing strategy, and reward improvements over time; and promote competition based on quality and cost. The database must systematically collect all medical claims and pharmacy claims from private and public payers, with data from all settings of care that permit the systematic analysis of health care delivery.
(2) The ((director shall select a lead organization)) office shall use a competitive procurement process, in accordance with chapter 39.26 RCW, to select a lead organization from among the best potential bidders to coordinate and manage the database.
(a) Due to the complexities of the all payer claims database and the unique privacy, quality, and financial objectives, the request for proposals must include the following criteria to be applied in the scoring evaluation: (i) Extra points must be awarded based upon the degree of experience in health care data collection, analysis, analytics, and security; (ii) extra points must be awarded to a lead organization that has experience in reviewing and setting up an all payer claims database in at least two other states; and (iii) extra points must be awarded to a lead organization that has a long-term self-sustainable financial model.
(b) The successful lead organization must be certified as a qualified entity pursuant to 42 C.F.R. Sec. 401.703(a) by the centers for medicare and medicaid services by December 31, 2017.
(3) As part of the competitive procurement process in subsection (2) of this section, the office shall enter into a separate contract with a data vendor. The data vendor is to work at the direction of the lead organization to perform data collection, processing, aggregation, extracts, and analytics. The data vendor must:
(a) Establish a secure data submission process with data suppliers;
(b) Review data submitters' files according to standards established by the office;
(c) Assess each record's alignment with established format, frequency, and consistency criteria;
(d) Maintain responsibility for quality assurance, including, but not limited to: (i) The accuracy and validity of data suppliers; (ii) accuracy of dates of service spans; (iii) maintaining consistency of record layout and counts; and (iv) identifying duplicate records;
(e) Assign unique identifiers, as defined in RCW 43.371.010(13), to individuals represented in the database;
(f) Ensure that direct patient identifiers, indirect patient identifiers, and proprietary financial information are released only in compliance with the terms of this act;
(g) Demonstrate internal controls and affiliations with separate organizations as appropriate to ensure safe data collection, security of the data with state of the art encryption methods, actuarial support, and data review for accuracy and quality assurance;
(h) Store data on secure servers that are compliant with the federal health insurance portability and accountability act and regulations, and access to the data must be strictly controlled and limited to staff with appropriate training, clearance, and background checks; and
(i) Have state of the art security standards for transferring data to approved data requestors.
(4) The lead organization and data vendor must submit detailed descriptions to the office of the chief information officer to ensure robust security methods are in place. The office of the chief information officer must report its findings to the office and the appropriate committees of the legislature.
(5) The lead organization is responsible for internal governance, management, funding, and operations of the database. At the direction of the office, the lead organization shall work with the data vendor to:
(a) Collect claims data from data suppliers as provided in RCW 43.371.030;
(b) Design data collection mechanisms with consideration for the time and cost ((involved)) incurred by data suppliers and others in submission, collection, and the benefits that measurement would achieve, with an eye toward ensuring the data submitted meets quality standards and is reviewed for quality assurance, and all patient-specific information is deidentified with an up-to-date industry standard encryption algorithm;
(c) Ensure protection of collected data and store and use any data with patient-specific or proprietary financial information in a manner that protects patient privacy and complies with this section;
(d) Consistent with the requirements of this chapter, make information from the database available as a resource for public and private entities, including carriers, employers, providers, hospitals, and purchasers of health care;
(e) Report performance on cost and quality pursuant to RCW 43.371.060 using, but not limited to, the performance measures developed under RCW 41.05.690;
(f) Develop protocols and policies, including prerelease peer review by data suppliers, to ensure the quality of data releases and reports;
(g) Develop a plan for the financial sustainability of the database as self-sustaining and charge fees ((not to exceed five thousand dollars unless otherwise negotiated)) for reports and data files as needed to fund the database. Any fees must be approved by the office and ((must)) should be comparable, accounting for relevant differences across data ((requesters and users)) requests and uses, and should not be applied to providers or data suppliers other than the fees directly related to requested reports; and
(h) Convene advisory committees with the approval and participation of the office, including: (i) A committee on data policy development; and (ii) a committee to establish a data release process consistent with the requirements of this chapter and to provide advice regarding formal data release requests. The advisory committees must include in-state representation from key provider, hospital, ((payer,)) public health, health maintenance organization, large and small private purchasers, ((and)) consumer organizations, and the two largest carriers supplying claims data to the database.
(((3))) (6) The lead organization governance structure and advisory committees for this database must include representation of the third-party administrator of the uniform medical plan. A payer, health maintenance organization, or third-party administrator must be a data supplier to the all-payer health care claims database to be represented on the lead organization governance structure or advisory committees.
Sec. 3.  RCW 43.371.030 and 2014 c 223 s 11 are each amended to read as follows:
(1) ((Data suppliers must)) The state medicaid program, public employees' benefits board programs, all health carriers operating in this state, all third-party administrators paying claims on behalf of health plans in this state, and the state labor and industries program must submit claims data to the database within the time frames established by the director in rule and in accordance with procedures established by the lead organization. The director may expand this requirement by rule to include any health plans or health benefit plans defined in RCW 48.43.005(26) (a) through (i) to accomplish the goals of this chapter set forth in RCW 43.371.020(1). Employer-sponsored self-funded health plans and Taft-Hartley trust health plans may voluntarily provide claims data to the database within the time frames and in accordance with procedures established by the lead organization.
(2) ((An entity that is not a data supplier but that chooses to participate in the database shall require any third-party administrator utilized by the entity's plan to release any claims data related to persons receiving health coverage from the plan.)) Any data supplier used by an entity that voluntarily participates in the database must provide claims data to the lead organization upon request of the entity.
(3) ((Each data supplier)) The lead organization shall submit an annual status report to the office regarding ((its)) compliance with this section. ((The report to the legislature required by section 2 of this act must include a summary of these status reports.))
Sec. 4.  RCW 43.371.040 and 2014 c 223 s 12 are each amended to read as follows:
(1) The claims data provided to the database, the database itself, including the data compilation, and any raw data received from the database are not public records and are exempt from public disclosure under chapter 42.56 RCW.
(2) Claims data obtained, distributed, or reported in the course of activities undertaken pursuant to or supported under this chapter are not subject to subpoena or similar compulsory process in any civil or criminal, judicial, or administrative proceeding, nor may any individual or organization with lawful access to data under this chapter be compelled to provide such information pursuant to subpoena or testify with regard to such data, except that data pertaining to a party in litigation may be subject to subpoena or similar compulsory process in an action brought by or on behalf of such individual to enforce any liability arising under this chapter.
Sec. 5.  RCW 43.371.050 and 2014 c 223 s 13 are each amended to read as follows:
(1) Except as otherwise required by law, claims or other data from the database shall only be available for retrieval in original or processed form to public and private requesters pursuant to this section and shall be made available within a reasonable time after the request. Each request for claims data must include, at a minimum, the following information:
(a) The identity of any entities that will analyze the data in connection with the request;
(b) The stated purpose of the request and an explanation of how the request supports the goals of this chapter set forth in RCW 43.371.020(1);
(c) A description of the proposed methodology;
(d) The specific variables requested and an explanation of how the data is necessary to achieve the stated purpose described pursuant to (b) of this subsection;
(e) How the requester will ensure all requested data is handled in accordance with the privacy and confidentiality protections required under this chapter and any other applicable law;
(f) The method by which the data will be stored, destroyed, or returned to the lead organization at the conclusion of the data use agreement;
(g) The protections that will be utilized to keep the data from being used for any purposes not authorized by the requester's approved application; and
(h) Consent to the penalties associated with the inappropriate disclosures or uses of direct patient identifiers and proprietary financial information outlined in RCW 43.371.070(1)(h).
(2) The lead organization may decline a request that does not include the information set forth in subsection (1) of this section, that does not meet the criteria established by the lead organization's data release advisory committee, or for reasons established by rule.
(3) Except as otherwise required by law, the office shall direct the lead organization and the data vendor to maintain the confidentiality of claims or other data it collects for the database that include ((direct and)) proprietary financial information, direct patient identifiers, indirect patient identifiers, or any combination thereof. Any ((agency, researcher, or other person)) entity that receives claims or other data ((under this section containing direct or indirect patient identifiers)) must also maintain confidentiality and may ((not)) only release such claims ((or other data except as consistent with this section. The office shall oversee the lead organization's release of data as follows)) data or any part of the claims data if:
(a) The claims data does not contain proprietary financial information, direct patient identifiers, indirect patient identifiers, or any combination thereof; and
(b) The release is described and approved as part of the request in subsection (1) of this section.
(4) The lead organization shall, in conjunction with the office and the data vendor, create and implement a process to govern levels of access to and use of data from the database consistent with the following:
(a) Claims or other data that include ((direct or)) proprietary financial information, direct patient identifiers, indirect patient identifiers, ((as specifically defined in rule,)) or any combination thereof may be released only to the extent such information is necessary to achieve the goals of this chapter set forth in RCW 43.371.020(1) to((:
(i) Federal, state, and local government agencies upon receipt of a signed data use agreement with the office and the lead organization; and
(ii))) researchers with approval of an institutional review board upon receipt of a signed data use and confidentiality agreement with ((the office and)) the lead organization. A researcher or research organization that obtains claims data pursuant to this subsection must agree in writing not to disclose such data or parts of the data set to any other party, including affiliated entities, and must consent to the penalties associated with the inappropriate disclosures or uses of direct patient identifiers and proprietary financial information outlined in RCW 43.371.070(1)(h).
(b) Claims or other data that do not contain proprietary financial information, direct patient identifiers, or any combination thereof, but that may contain indirect patient identifiers may be released to agencies, researchers, and other ((persons)) entities as approved by the lead organization upon receipt of a signed data use agreement with the lead organization.
(c) Claims or other data that do not contain direct ((or)) patient identifiers, indirect patient identifiers, proprietary financial information, or any combination thereof may be released upon request.
(((3))) (5) Reports utilizing data obtained under this section may not contain proprietary financial information, direct patient identifiers, indirect patient identifiers, or any combination thereof. Nothing in this subsection (5) may be construed to prohibit the use of aggregate zip codes, gender, and age in the generation of reports, so long as they cannot lead to the identification of an individual.
(6) Reports issued by the lead organization, in conjunction with the data vendor, at the request of providers, facilities, employers, health plans, and other entities as approved by the lead organization may utilize proprietary financial information to calculate aggregate cost data for display in such reports. The office will approve by rule a format for the calculation and display of aggregate cost data consistent with this act that will prevent the disclosure or determination of proprietary financial information. In developing the rule, the office shall solicit feedback from the stakeholders, including those listed in RCW 43.371.020(5)(h), and must consider, at a minimum, data presented as proportions, ranges, averages, and medians, as well as the differences in types of data gathered and submitted by data suppliers.
(7) Recipients of claims or other data under subsection (((2)(a) or (b))) (4) of this section must agree in a data use agreement or a confidentiality agreement to, at a minimum:
(a) Take steps to protect data containing direct and indirect patient ((identifying)) identifiers, proprietary financial information, or any combination thereof as described in the agreement; ((and))
(b) Not redisclose the claims data except ((as authorized in the agreement consistent with the purpose of the agreement or as otherwise required by law.
(4) Recipients of the claims or other data under subsection (2)(b) of this section must not attempt to determine the identity of persons whose information is included in the data set or use the claims or other data in any manner that identifies the individuals or their families.
(5) For purposes of this section, the following definitions apply unless the context clearly requires otherwise.
(a) "Direct patient identifier" means information that identifies a patient.
(b) "Indirect patient identifier" means information that may identify a patient when combined with other information)) pursuant to subsection (3) of this section;
(c) Not attempt to determine the identity of any person whose information is included in the data set or use the claims or other data in any manner that identifies any individual or their family or attempt to locate information associated with a specific individual;
(d) Destroy or return claims data to the lead organization at the conclusion of the data use agreement; and
(e) Consent to the penalties associated with the inappropriate disclosures or uses of direct patient identifiers and proprietary financial information outlined in RCW 43.371.070(1)(h).
Sec. 6.  RCW 43.371.060 and 2014 c 223 s 14 are each amended to read as follows:
(1)(a) Under the supervision of and through contract with the office, the lead organization shall, in conjunction with the data vendor, prepare health care data reports using the database and the statewide health performance and quality measure set((, including only those measures that can be completed with readily available claims data)). Prior to the lead organization releasing any health care data reports that use claims data, the lead organization must submit the reports to the office for review ((and approval)).
(b) By October 31st of each year, the lead organization shall submit to the director a list of reports it anticipates producing during the following calendar year. The director may establish a public comment period not to exceed thirty days, and shall submit the list and any comment to the appropriate committees of the legislature for review.
(2)(a) Health care data reports that use claims data prepared by the lead organization ((that use claims data must assist)), in conjunction with the data vendor, for the legislature and the public ((with)) should promote awareness and ((promotion of)) transparency in the health care market by reporting on:
(i) Whether providers and health systems deliver efficient, high quality care; and
(ii) Geographic and other variations in medical care and costs as demonstrated by data available to the lead organization.
(b) Measures in the health care data reports should be stratified by demography, income, language, health status, and geography when feasible with available data to identify disparities in care and successful efforts to reduce disparities.
(c) Comparisons of costs among providers and health care systems must account for differences in ((acuity)) the case mix and severity of illness of patients and populations, as appropriate and feasible, and must take into consideration the cost impact of subsidization for uninsured and ((governmental)) government-sponsored patients, as well as teaching expenses, when feasible with available data.
(3) The lead organization may not publish any data or health care data reports that:
(a) Directly or indirectly ((identify)) identifies individual patients;
(b) ((Disclose specific terms of contracts, discounts, or fixed reimbursement arrangements or other specific reimbursement arrangements between an individual provider and a specific payer)) Discloses a carrier's proprietary financial information; or
(c) Compares performance in a report generated for the general public that includes any provider in a practice with fewer than ((five)) four providers.
(4) The lead organization may not release a report that compares and identifies providers, hospitals, or data suppliers unless ((it)):
(a) It allows the data supplier, the hospital, or the provider to verify the accuracy of the information submitted to the lead organization, comment on the reasonableness of conclusions reached, and submit to the lead organization any corrections of errors with supporting evidence and comments within ((forty-five)) thirty days of receipt of the report; ((and))
(b) It corrects data found to be in error within a reasonable amount of time; and
(c) The report otherwise complies with this chapter.
(5) The office and the lead organization may use claims data to identify and make available information on payers, providers, and facilities, but may not use claims data to recommend or incentivize direct contracting between providers and employers.
(6)(a) The lead organization shall ((ensure that no individual data supplier comprises more than twenty-five percent of the claims data used in any report or other analysis generated from the database. For purposes of this subsection, a "data supplier" means a carrier and any self-insured employer that uses the carrier's provider contracts)) distinguish in advance to the office when it is operating in its capacity as the lead organization and when it is operating in its capacity as a private entity. Where the lead organization acts in its capacity as a private entity, it may only access data pursuant to RCW 43.371.050(4) (b) or (c).
(b) Claims or other data that contain direct patient identifiers or proprietary financial information are to remain exclusively in the custody of the data vendor and, consistent with the data release provisions of RCW 43.371.050(4)(a), may not be accessed by the lead organization.
Sec. 7.  RCW 43.371.070 and 2014 c 223 s 15 are each amended to read as follows:
(1) The director shall adopt any rules necessary to implement this chapter, including:
(a) Definitions of claim and data files that data suppliers must submit to the database, including: Files for covered medical services, pharmacy claims, and dental claims; member eligibility and enrollment data; and provider data with necessary identifiers;
(b) Deadlines for submission of claim files;
(c) Penalties for failure to submit claim files as required;
(d) Procedures for ensuring that all data received from data suppliers are securely collected and stored in compliance with state and federal law; ((and))
(e) Procedures for ensuring compliance with state and federal privacy laws;
(f) Procedures for establishing appropriate fees;
(g) Procedures for data release; and
(h) Penalties associated with the inappropriate disclosures or uses of direct patient identifiers and proprietary financial information.
(2) The director may not adopt rules, policies, or procedures beyond the authority granted in this chapter.
NEW SECTION.  Sec. 8.  A new section is added to chapter 43.371 RCW to read as follows:
(1) By December 1st of 2016 and 2017, the office shall report to the appropriate committees of the legislature regarding the development and implementation of the database, including but not limited to budget and cost detail, technical progress, and work plan metrics.
(2) Every two years commencing two years following the year in which the first report is issued or the first release of data is provided from the database, the office shall report to the appropriate committees of the legislature regarding the cost, performance, and effectiveness of the database and the performance of the lead organization under its contract with the office. Using independent economic expertise, subject to appropriation, the report must evaluate whether the database has advanced the goals set forth in RCW 43.371.020(1), as well as the performance of the lead organization. The report must also make recommendations regarding but not limited to how the database can be improved, whether the contract for the lead organization should be modified, renewed, or terminated, and the impact the database has had on competition between and among providers, purchasers, and payers.
(3) Beginning July 1, 2015, and every six months thereafter, the office shall report to the appropriate committees of the legislature regarding any additional grants received or extended.
NEW SECTION.  Sec. 9.  If any provision of this act or its application to any person or circumstance is held invalid, the remainder of the act or the application of the provision to other persons or circumstances is not affected."
On page 1, line 6 of the title, after "information;" strike the remainder of the title and insert "amending RCW 43.371.010, 43.371.020, 43.371.030, 43.371.040, 43.371.050, 43.371.060, and 43.371.070; and adding a new section to chapter 43.371 RCW."
EFFECT: (1) Adds a definition for data vendor as an entity contracted to perform data collection, processing, aggregation, extracts, analytics, and reports.
(2) Modifies the definition for direct patient identifier with examples.
(3) Modifies the definition of indirect patient identifiers with examples.
(4) Adds a definition for a unique identifier assigned by the data vendor.
(5) The competitive RFP is modified. Extra points must be awarded for experience in health care data collections, analysis, analytics, and security; points are awarded for experience in two other states instead of four; the chief economist is removed; and points are awarded for a long-term self-sustainable financial model.
(6) OFM must contract separately with the data vendor to perform data collection, processing, aggregation, extracts, and analytics. The vendor must assign a unique identifier.
(7) The lead organization, instead of the database, must be certified by CMS as a qualified entity by December 31, 2017, instead of 2016.
(8) The data vendor must store data on a secure server that is HIPAA compliant.
(9) The lead organization and data vendor must submit detailed information for the Office of the Chief Information Officer to ensure robust security methods are in place. The Office of the Chief Information Officer must report findings to OFM and the appropriate committees of the Legislature.
(10) The lead organization must develop a plan for financial sustainability as self-sustaining.
(11) Each request for claims data must include consent to penalties associated with inappropriate disclosure or use of data.
(12) The lead organization and data vendor must maintain confidentiality of the data.
(13) The lead organization and data vendor must develop the process to govern the levels of access to and use of the data.
(14) Data that includes proprietary financial information or direct patient identifiers is available to researchers only; access for federal, state, and local agencies is removed, and access for the lead organization is removed.
(15) Data that includes indirect patient information but no proprietary financial information or direct patient information may be provided to others with a data agreement.
(16) Reports may make use of zip code, gender, and age as long as they cannot lead to identification of an individual.
(17) Entities that receive data must destroy or return the data and may not store it.
(18) The lead organization, in conjunction with the data vendor, will prepare reports, but claims data with direct patient identifiers or proprietary financial information are to remain exclusively in the custody of the data vendor.
(19) OFM must draft rules to address penalties associated with inappropriate disclosure or use of the data.
--- END ---