Pennsylvania Code & Bulletin
COMMONWEALTH OF PENNSYLVANIA

• No statutes or acts will be found at this website.

The Pennsylvania Code website reflects the Pennsylvania Code changes effective through 54 Pa.B. 5598 (August 31, 2024).

Pennsylvania Code



CHAPTER 915. DATA ACCESS CRITERIA AND PROCEDURE

GENERAL PROVISIONS

Sec.


915.1.    Purpose.
915.2.    Principles governing data access.
915.3.    Definitions.
915.4.    Entities with access.

CONFIDENTIALITY PROTECTIONS


915.21.    Classes of data collected by the Council.
915.22.    Release of nondisclosable data.
915.23.    Release of protected data.
915.24.    Release of nonprotected data.
915.25.    Unauthorized use of or access to Council data.

PROCEDURES FOR ACCESSING COUNCIL DATA


915.31.    Procedure for requesting access to Council data.
915.32.    Approval of request for Council data.
915.33.    Appeal of denial of request for Council data.

PROCEDURES FOR OBTAINING SPECIAL REPORTS


915.41.    Procedure for requesting special reports to be prepared by Council.
915.42.    Approval of request for a special report.

MISCELLANEOUS PROVISIONS


915.51.    Procedure for access to Council data by data sources.
915.52.    Fees charged for Council data and special reports.

Authority

   The provisions of this Chapter 915 issued under section 5 of the Health Care Cost Containment Act (35 P. S. §  449.5), unless otherwise noted.

Source

   The provisions of this Chapter 915 adopted June 2, 1989, effective June 3, 1989, 19 Pa.B. 2354, unless otherwise noted.

GENERAL PROVISIONS


§ 915.1. Purpose.

 This chapter establishes criteria and procedures for access to Council data under sections 4, 5, 7 and 10 of the act (35 P. S. § §  449.4, 449.5, 449.7 and 449.10).

§ 915.2. Principles governing data access.

 (a)  Confidentiality principle. The Council, under the mandates of and authority provided in the act will assure the confidentiality of information received as a result of the enactment and implementation of the act. This chapter establishes policies and procedures to protect and maintain the confidentiality of individual patient information which is submitted to the Council. These policies and procedures assure that information and data will not be released or be accessible if the release of the information or data could reasonably be expected to reveal the identity of an individual patient. If conflicts between patient confidentiality and release of data arise, patient confidentiality will take priority.

 (b)  Other principles.

   (1)  The Council will facilitate the continuing provision of quality, cost-effective health services throughout this Commonwealth by providing data and information to the purchasers and consumers of health care on the cost and quality of health care services.

   (2)  The Council will assure that information and data received by the Council will be utilized by the Council for the benefit of the public.

   (3)  The Council will assure that data will not be released or be accessible that does not simultaneously disclose charge or payment as well as provider quality and provider service effectiveness.

   (4)  The Council will assure that data will not be released or be accessible which could reasonably be expected to reveal the identity of a purchaser, other than a purchaser requesting data on its own group or an entity entitled to the purchaser’s data under the act.

   (5)  The Council will assure that data will not be released or be accessible which relates to actual payments to an identified provider made by a purchaser, except that this does not apply to a purchaser requesting data on the group for which it purchases or otherwise provides covered services or access to that same data by an entity entitled to the purchaser’s data under the act.

   (6)  The Council will assure that data which discloses discounts or differentials between payments accepted by providers for services and their billed charges obtained by identified payors from identified providers will not be released or accessible unless comparable data on other payors is also released and the Council determines that the release of the information is not prejudicial or inequitable to an individual payor or provider or group thereof.

   (7)  The Council will assure that access to data, as defined in this chapter, by a party, including, but not limited to, purchasers, collective bargaining representatives, general public and Council members, will be in accordance with the procedures contained in this chapter.

   (8)  The Council is required to uphold the act and to prohibit the unauthorized use of Council data as set forth in the act.

   (9)  The Council will be very restrictive with regard to the release of data. Requests for data will be reviewed in accordance with the confidentiality protections, as enumerated in § §  915.21—915.25 (relating to confidentiality protections). If the Council determines that the request violates the Council’s confidentiality protections, the Council may seek to amend cell sizes, propose alternative ways to examine data, propose alternative ways to look at specific issues and otherwise amend the scope of the report or deny the request.

§ 915.3. Definitions.

 The following words and terms, when used in this chapter, have the following meanings, unless the context clearly indicates otherwise:

   Act—The Health Care Cost Containment Act (35 P. S. § §  449.1—449.19).

   Category—A specifically defined, mutually exclusive division in a classification system.

   Cell—The smallest unit or compartment of a statistical table or tabulation.

   Council—The Health Care Cost Containment Council.

   Data or raw data—Data collected by the Council or the Council’s data vendor under section 6 of the act (35 P. S. §  449.6).

   Data source—The term includes, but is not limited to, the following:

     (i)   A hospital.

     (ii)   An ambulatory service facility.

     (iii)   A physician.

     (iv)   A health maintenance organization as the term is defined in the Health Maintenance Organization Act (40 P. S. § §  1551—1567).

     (v)   A hospital, medical or health service plan with a certificate of authority issued by the Insurance Department, including, but not limited to, hospital plan corporations as defined in 40 Pa.C.S. Chapter 61 (relating to hospital plan corporations) and professional health service plan corporations as defined in 40 Pa.C.S. Chapter 63 (relating to professional health services plan corporations).

     (vi)   A commercial insurer with a certificate of authority issued by the Insurance Department providing health or accident insurance.

     (vii)   A self-insured employer providing health or accident coverage or benefits for employes employed in this Commonwealth.

     (viii)   An administrator of a self-insured or partially self-insured health or accident plan providing covered services in this Commonwealth.

     (ix)   A health and welfare fund that provides health or accident benefits or insurance pertaining to covered services in this Commonwealth.

     (x)   The Department of Public Welfare for those covered services it purchases or provides through the Medical Assistance program under the Public Welfare Code (62 P. S. § §  101—1411).

     (xi)   Other payors for covered services in this Commonwealth, other than an individual.

   Executive Director—The Executive Director of the Council.

   Nondisclosable data—Data pertaining to an individual’s health care service encounter that, if disclosed, violate the provisions concerning release of and access to Council data contained in the act. These data are set forth in Appendix A.

   Nonprotected data—Data pertaining to an individual’s health care service encounter that may be released by the Council without violating provisions concerning release of and access to Council data contained in the act. These data are set forth in Appendix C.

   Other parties—Entities other than purchasers to which the Council may release data under the act.

   Protected data—Data pertaining to an individual’s health care service encounter that may only be released by the Council under the act in specific circumstances based on criteria developed by the Council. These data are set forth in Appendix B.

   Proxy patient identifier—A unique number assigned by the Council to an individual patient which will not breech patient confidentiality provisions contained in the act or in this chapter.

   Purchaser—A corporation, labor organization or other entity that purchases benefits which provide covered services for employes or members, either through a health care insurer or by means of a self-funded program of benefits, and a certified bargaining representative that represents groups of employes for whom employers purchase a program of benefits which provide covered services. The term does not include entities defined in the act as ‘‘health care insurers.’’

§ 915.4. Entities with access.

 Data will be available from the Council, in accordance with this chapter, to purchasers and other parties.

CONFIDENTIALITY PROTECTIONS


§ 915.21. Classes of data collected by the Council.

 For purposes of this chapter, the data collected by the Council have been classified into three categories:

   (1)  Nondisclosable data which includes the data set forth in Appendix A.

   (2)  Protected data which includes the data set forth in Appendix B.

   (3)  Nonprotected data which includes the data as set forth in Appendix C.

Cross References

   This section cited in 28 Pa. Code §  915.2 (relating to principles governing data access).

§ 915.22. Release of nondisclosable data.

 Nondisclosable data, as set forth in Appendix A, will not be released by the Council to a party, except to the original data source as provided for under §  915.51(b) (relating to procedures for access to Council data by data sources).

Cross References

   This section cited in 28 Pa. Code §  915.2 (relating to principles governing data access).

§ 915.23. Release of protected data.

 Protected data, as set forth in Appendix B, will only be released upon approval by the Council and if the release is in accordance with the following criteria and under the following conditions:

   (1)  Data will be released only if there are a minimum of ten cases in a cell, except for data which is a monetary figure. Cells with less than ten cases will be suppressed.

   (2)  If there are less than ten cases in a cell, the Council may create categories or may aggregate data to provide some detail on the data element to the data requester.

   (3)  The following data may be released only to a purchaser and only for those individuals for whom the purchaser provided covered health care services:

     (i)   Estimated responsibility.

     (ii)   Prior payments—payor and patient.

     (iii)   Estimated amount due.

     (iv)   Payor group number.

     (v)   Employer name.

     (vi)   Primary payor payments.

     (vii)   Other payments.

   (4)  A data requester may request, and the Council may approve, a different aggregation or categorization of the protected data. There shall be at least ten cases in a cell for data to be released. A requester shall state the reasons for requesting a variation of the standard aggregation process.

   (5)  The council may, based on a determination of an individual request, release proxy patient identifiers which will preserve patient confidentiality.

   (6)  Year of birth/age will be released in 5-year categories, beginning with age category 0-4 up to a maximum age category of age 85 and above. If there are less than ten cases in a category, the category will be expanded by grouping it with the next higher or lower categories until there are a minimum of ten cases in the combined category.

   (7)  Five digit patient zip codes will not be available for geographic places that have fewer than 100,000 people. Small area analyses for geographic places of less than 100,000 people will be prepared by Council staff as a special request. For access to that information, a requester shall submit a request for a special report under §  915.41 (relating to procedure for requesting special reports to be prepared by Council).

   (8)  If the cell size is less than ten for a code, the Council will develop categories, such as, but not limited to:

     (i)   Patient is insured.

     (ii)   Relative of insured.

     (iii)   Employe of insured.

     (iv)   Other.

     (v)   Unknown.

   (9)  The Council will monitor combinations of certain data elements as follows:

     (i)   Combinations of certain data elements may enable the identification of an individual patient. Data elements with this potential include, but are not limited to: year of birth/age, patient sex, zip code, race and patient relationship to insured. Before data are released by the Council which include two or more of these data elements, the Council will examine the cell sizes resulting from the combination of these data elements. Data will only be released when the resulting cell size is at least ten cases.

     (ii)   If there are less than ten cases in the cells as a result of a combination of these data elements, the Council will suppress the zip code first. If the combination of the remaining data elements does not result in cell sizes of at least ten, race will be suppressed, then patient sex will be suppressed, then patient relationship to insured will be suppressed as the final element.

Cross References

   This section cited in 28 Pa. Code §  915.2 (relating to principles governing data access); and 28 Pa. Code §  915.51 (relating to procedures for access to Council data by data sources).

§ 915.24. Release of nonprotected data.

 (a)  Nonprotected data, as set forth in Appendix C, will be released upon request and approval by the Council except as provided for in subsection (b).

 (b)  The Council may prohibit the release of disaggregated data on sensitive medical conditions, procedures and diagnoses such as, but not limited to, substance abuse, mental diseases and disorders, acquired immunodeficiency syndrome and related conditions and pregnancy terminations, to ensure that the patient confidentiality safeguards contained in the act and this chapter are not violated.

Cross References

   This section cited in 28 Pa. Code §  915.2 (relating to principles governing data access).

§ 915.25. Unauthorized use of or access to Council data.

 (a)  If a person inadvertently or by Council error gains access to data that violates the safeguards in section 10 of the act (35 P. S. §  449.10), the data shall be returned, without duplication, to the Council with proper notice. If the data have been duplicated, duplications shall also be returned to the Council.

 (b)  A person who knowingly releases Council data violating the patient confidentiality, actual payments, discount data or raw data safeguards in section 10 of the act to an unauthorized person commits a misdemeanor of the first degree and shall, upon conviction, be sentenced to pay a fine of $10,000 or to imprisonment of not more than 5 years, or both. An unauthorized person who knowingly receives or possesses the data commits a misdemeanor of the first degree.

 (c)  Sale by a recipient or exchange or publication by a recipient, other than a purchaser, of raw Council data to other parties without the express written consent of, and under terms approved by, the Council shall be unauthorized use of Council data. Unauthorized use of Council data constitutes a misdemeanor of the first degree and, upon conviction, that person shall be sentenced to pay a fine of $10,000 or to imprisonment for not more than 5 years, or both. This restriction does not apply to data published by the Council in reports.

Cross References

   This section cited in 28 Pa. Code §  915.2 (relating to principles governing data access).

PROCEDURES FOR ACCESSING COUNCIL DATA


§ 915.31. Procedure for requesting access to Council data.

 (a)  A request for access to data, including computer-to-computer access, shall be made in writing to the Executive Director of the Council on a form prescribed by the Council. This form will require:

   (1)  The name of the party requesting the data.

   (2)  The name, title, address and telephone number of the contact person for the request.

   (3)  A description of the information to which access is requested, including a description of the desired tape format and list of data elements.

   (4)  Information on the purpose or intended use of the data.

 (b)  The request form will contain a statement prohibiting the recipient of the data, other than a recipient who is a purchaser, from selling, exchanging or publishing the data without the express written consent of and under the terms and conditions developed and approved by the Council. The statement will also prohibit the recipient of the data from using the data to attempt to identify an individual or to use the data for purposes of disciplining, discharging or penalizing an employe of the recipient. In addition, the statement will indicate that a recipient is prohibited from further releasing data which:

   (1)  Could reasonably be expected to reveal the identity of an individual patient.

   (2)  Does not simultaneously disclose payment, as well as provider quality and provider service effectiveness.

   (3)  Could reasonably be expected to reveal the identity of a purchaser, except if the recipient is a purchaser receiving data on its own group and then that purchaser may reveal his own identity.

   (4)  Relates to actual payments to an identified provider made by a purchaser.

   (5)  Discloses discounts or differentials between payments accepted by providers for their billed charges obtained by identified payors from identified providers.

 (c)  Requesters of data will be required to sign the form to indicate that they have read and understood the prohibitions contained in subsection (b). In addition, a requester who is a purchaser will be required to provide notice to employes that information has been requested on the health care services which they, or dependents who are covered under the purchaser’s health care insurance, have received. This notice shall be required to be posted in prominent location where other similar employe notices are posted.

§ 915.32. Approval of request for Council data.

 (a)  Upon receipt of a completed form requesting access to Council data, including computer-to-computer access, the Executive Director will forward the request to the Council which will make a determination to grant or deny the request.

 (b)  In making the determination to grant the request, the Council is to be satisfied that:

     (i)   The limitations on data access contained in the act will not be compromised.

     (ii)   This chapter’s provisions regarding confidentiality will not be compromised.

     (iii)   The data will be used for the legal and statutory purposes as specified in the act.

     (iv)   Other criteria for the release of the data are met.

 (c)  The Council may choose to delegate the responsibility for reviewing requests for and granting or denying access to Council data to the Executive Director.

§ 915.33. Appeal of denial of request for data.

 (a)  If a request for data is denied by the Council, a notice detailing the reasons for the denial will be forwarded to the requester.

 (b)  If the Council delegates the approval or denial of a request for access to Council data to the Executive Director and the Executive Director denies a request for data, the Executive Director will forward notice of the denial and the reasons for the denial to the requester. Upon request by the party denied access, the Executive Director will forward the request to the members of the Council for their consideration. If the Council subsequently denies the request for data, the Council will forward notice of the denial and the reasons for the denial to the requester.

PROCEDURES FOR OBTAINING SPECIAL REPORTS


§ 915.41. Procedure for requesting special reports to be prepared by Council.

 (a)  A request for special reports shall be made in writing to the Executive Director of the Council on a form prescribed by the Council. This form will require:

   (1)  The name of party requesting the data.

   (2)  The name, title, address and telephone number of the contact person for the request.

   (3)  A description of the information to be contained in the special report, including the time period, a description of desired tables, charts, analysis and report format, as applicable.

   (4)  The purpose or intended use of the report.

   (5)  The date when the report is to be completed.

 (b)  The form will also contain a statement prohibiting the recipient of the report, other than a recipient who is a purchaser, from selling, exchanging or publishing the report without the express written consent of and under the terms and conditions developed and approved by the Council. The statement will also prohibit the recipient of the special report from using the information in the special report to attempt to identify an individual or to use the data for purposes of disciplining, discharging or penalizing an employe of the recipient. The statement will indicate that a recipient is prohibited from further releasing information which:

   (1)  Could reasonably be expected to reveal the identity of an individual patient.

   (2)  Does not simultaneously disclose payment, as well as provider quality and provider service effectiveness.

   (3)  Could reasonably be expected to reveal the identity of a purchaser, except where the recipient is a purchaser receiving data on its own group and then that purchaser may reveal his own identity.

   (4)  Relates to actual payments to an identified provider made by a purchaser.

   (5)  Discloses discounts or differentials between payments accepted by providers for their billed charges obtained by identified payors from identified providers.

 (c)  Requesters of special reports will be required to sign the form to indicate that they have read and understood the prohibitions in subsection (b).

Cross References

   This section cited in 28 Pa. Code §  915.23 (relating to release of protected data).

§ 915.42. Approval of request for a special report.

 Upon receipt of a completed form requesting a special report, the Council will review the request and determine whether the report can be provided by the Council. In making the determination, the Council will consider the utility of the report, the staff resources necessary to complete the report, the purpose of the report with respect to the mandates contained in the act, the time frame in which the report is requested to be produced and other criteria developed by the Council.

MISCELLANEOUS PROVISIONS


§ 915.51. Procedures for access to Council data by data sources.

 (a)  Hospitals, health care facilities, third-party payors and other data sources shall have access to Council data following the same procedures for access and under the same conditions of confidentiality protections as other requesters.

 (b)  Notwithstanding the provisions of §  915.23(3) (relating to release of protected data), a data source that has submitted data elements to the Council has the right to access data elements which have been submitted to the Council under Chapters 912 and 913 (relating to data reporting requirements; and payor data reporting requirements).

§ 915.52. Fees charged for Council data and special reports.

 (a)  The Council will charge requesters an amount sufficient to cover the costs associated with providing access to Council data, including computer-to-computer access, including, but not limited to, computer time, cost of materials and staff time. Subsequent requests for the same information will require a fee sufficient to cover only the costs of duplicating the original access. Fee quotes will be provided to requesters in advance of the special request being processed. Special requests will be completed only upon an agreement by the requester to pay the quoted fee.

 (b)  The Council will charge requesters an amount sufficient to cover preparation and provision of special reports, including, but not limited to, computer time, staff time, cost of materials, and the like. Subsequent requests for the same information will pay a fee only to cover the provision of the report. The Council may waive the fee if the Council determines that the special report is of great public interest. The Council will not charge a fee for reports to be provided under the act.

APPENDIX A
NONDISCLOSABLE DATA




Field NumberData Element Name
FRMPRM
13Uniform Patient I. D.
24Patient Birthdate (MDY of MY)
4Patient Zip Code (6 through 9 digits)
56Date of Admission (MDY)
67Date of Discharge (MDY)
8a, b8Principle Procedure Date
9a1-9c2Secondary Procedure Date
2317Patient Control Number
29a-c20Certificate/Social Security Number/Health Insurance Claim/I. D. Number

 FRM—Facility Reporting Manual

 PRM—Payor Reporting Manual

Cross References

   This appendix cited in 28 Pa. Code §  915.3 (relating to definitions); 28 Pa. Code §  915.21 (relating to classes of data collected by the Council); and 28 Pa. Code §  915.22 (relating to release of nondisclosable data).

APPENDIX B
PROTECTED DATA




Field NumberData Element Name
FRMPRM
(2*)(4*)Year of Birth/Age
35Patient Sex
4Patient Zip Code (first 5 digits)
14e 1-4Estimated Responsibility
14f 1-4Prior Payments—Payor and Patient
14g 1-4Estimated Amount Due
1916Payor Group Number
21e21Reserve Field
28a-c19Patients’ Relationship to Insured
32Employer Name
35Patient Race
14Primary Payor Payments
15Other Payments
**Proxy Patient Identifier

 * constructed data element using submitted data elements

 FRM—Facility Reporting Manual

 PRM—Payor Reporting Manual

Cross References

   This appendix cited in 28 Pa. Code §  915.3 (relating to definitions); 28 Pa. Code §  915.21 (relating to classes of data collected by the Council); and 28 Pa. Code §  915.23 (relating to release of protected data).

APPENDIX C
NONPROTECTED DATA




Field NumberData Element Name
FRMPRM
(5/6*)Length of Stay
(5/6*)Day of Week, Admit
(5/6*)Day of Week, Dchg.
7aPrincipal Diagnosis Code
7b-eSecondary Diagnosis Codes
(8*)Day of Week of Procedure
(8*)Pre-operative LOS
8a, b8Principal Procedure Code
9a1-9c2Secondary Procedure Code
109Uniform Identifier for Health Care Facility
1110Attending Physician ID
1210Operating Physician ID
13a1-13w1Revenue Description
13a2-13w2Revenue Code
13a3-13w312Units of Service
13a4-13w413Total Charges (by Revenue Code Category)
13a5-13w5Noncovered Charges (by Revenue Category)
14b1-3Payor Identification
14c1-3Deductible Amount
14d1-3Co-Insurance Amount
17Uniform Identifier of Primary Payor
18Zip code of Facility
20Patient Discharge Status
21aPatient Severity upon Admission
21bPatient Morbidity
21cUnusual Occurrence— Nosocomial Infections
21dUnusual Occurrence— Readmission
22Type of Bill
24Diagnosis Related Group
2518Procedure Coding Method Used
26Type of Admission
27Source of Admission
30Principal and other Diagnoses Descriptions
31Principal and other Procedure Descriptions
33a, bEmployment Information
34a, bEmployment Status Code
2Place of Service
11Type of Professional Service

 * constructed data element using submitted data elements

 FRM—Facility Reporting Manual

 PRM—Payor Reporting Manual

Cross References

   This appendix cited in 28 Pa. Code §  915.3 (relating to definitions); 28 Pa. Code §  915.21 (relating to classes of data collected by the Council); and 28 Pa. Code §  915.24 (relating to release of nonprotected data).



No part of the information on this site may be reproduced for profit or sold for profit.


This material has been drawn directly from the official Pennsylvania Code full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.