The West Virginia Health Care Authority (Authority) is the state agency responsible for coordinating and overseeing the health data collection of state agencies and leading state agencies efforts to make the best use of emerging technology to facilitate the expedient and appropriate exchange of health care data. W.Va. Code § 16-29B-6(a). Further, the Authority collects uniform billing data from acute care hospitals in this state pursuant to W.Va. C.S.R. 13-4.3.2. In addition to collecting data rom other state agencies and West Virginia hospitals, the Authority collects data from surrounding states and will obtain other data to conduct various analyses to support Certificate of Need and Rate Review functions that it administers. In some instances, the Authority collects data directly from the sources and it may also hire a vendor to perform these services.
All of the data collected is stored in a data warehouse under the control of the Authority. Since this data may, in some instances, contain data that may, when linked with other sources or standing alone, lead to the identity of an individual being determined, the Authority determined that it would take steps to protect this data, including developing an Information Security Policy to limit use of this data and to restrict disclosure of this data. The Information Security Policy and this Data Disclosure Policy represent the Authority’s determination of the best privacy practices for managing the type of data collected by balancing the public’s right to disclosure against protecting private data.
Pursuant to this policy, the Authority reserves the right not to provide any or all of the data requested in its sole discretion. In addition, the Authority reserves the right not to provide any or all data requested by parties that have previously violated the terms of a data use agreement or otherwise misused any of the Authority’s data.
Internet
Generally, data published on the Internet will be de-identified to the extent noted below and will contain a cell size of at least thirty. In certain limited circumstances, in an effort to facilitate Certificate of Need and Rate Review applications, the Authority will approve standard reports for general release. These reports, as required by law, may contain cell sizes of less than thirty and may be broken down in geographic county units or by zip code.
In order to de-identify data the following variables must be omitted:
- Names;
- All geographic subdivisions smaller than a State, including street address, city, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if according to the current publicly available data from the Bureau of Census: the initial geographic unit formed by combining all zip codes with the same three initial contains more than 20,000 and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer is changed to 000;
- All elements of dates (except year) for dates directly related to an individual, including birth date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code.
Uniform Billing Data
If a party requests more than a de-identified data set or a de-identified data set with a cell size of less than thirty, then the party must submit a complete application for its request to be considered. Once this application is received the analyst will determine if the data request has value and utility, whether the data is available from other sources, if the minimum data necessary to accomplish the research project has been requested and whether an IRB with Federal Wide Assurance has approved the request. A hospital submitting UB data may obtain the full set of UB data that it has submitted without restriction. The Authority may exchange data available in a limited data set with a public health oversight agency. Last, if a state agency needs UB to perform an essential function of that agency, the data may be produced if a data use agreement is obtained and the minimum necessary data is provided. If an internal source requests data for use before a state agency, the Legislature or any other public body, the Director of Data and Analysis must determine if the data requested has a public mission, value and utility and supports the greater good of the community. If a government agency requests data for an articulated public health surveillance purpose and the government agency certifies that its request complies with the minimum necessary, the data can be produced without a data use agreement and as requested by the government agency once the Director of Data and Analysis approves this disclosure. See the attached chart for a procedural overview of the procedures supporting this policy.
If the request is approved and a data use agreement signed, then a limited data set may be provided. In no event may any limited data set include the following:
- Names;
- Postal address information, other than town or city, state and zip codes;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- VIN and serial numbers, including license plates;
- Device identifiers and serial numbers;
- Web universal resource locators (URL);
- Internet protocols (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
Other Data
With respect to data residing in the Authority’s data warehouse that has been obtained by other state agencies, private organizations, or any other source not referenced above and not including data received pursuant to W.Va. Code § 16-5F-1 or W.Va. C.S.R. 65-13, the Authority will evaluate requests for this data on a case by case basis and will only disclose such data in a limited data set when a compelling state interest is set forth to justify such a disclosure or by consent of the data owner. In addition, the Authority’s right to disclose this data may be restricted by contractual terms and the Authority may be unable to provide requested data. In the event that the Authority determines that the data can be provided, a limited data set may be provided. In no event may any limited data set include the following:
- Names;
- Postal address information, other than town or city, state and zip codes;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- VIN and serial numbers, including license plates;
- Device identifiers and serial numbers;
- Web universal resource locators (URL);
- Internet protocols (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
All requests for Uniform Billing data or other data as described above from members of the press must be submitted directly to the privacy officer and requests for data from data vendors who are going to re-sale the data must be referred to HCUP or directed to the de-identified data on the web or the facility. A health oversight agency is a state or federal agency with statutory oversight of health care activities.
Certificate of Need
All data submitted as part of the Certificate of Need application or other portions of the file are considered public information. This data may be disclosed upon request. From time to time, the Authority will request additional information to verify the accuracy of data on file or previously submitted by an applicant, this information is also considered part of the public file and may be disclosed upon request. To the extent that an applicant submits personally identifiable data above and beyond what has been requested, the Authority will make every attempt to protect the privacy of the individual. However, an applicant is encouraged not to submit this type of data into the public file or to submit a consent for the disclosure of such data.
Rate Review
All data submitted as part of the rate application or other portions of the file are considered public information. This data may be disclosed upon request. From time to time, the Authority will request additional information to verify the accuracy of data on file or previously submitted by an applicant, this information is also considered part of the public file and may be disclosed upon request. To the extent that an applicant submits personally identifiable data above and beyond what has been requested, the Authority will make every attempt to protect the privacy of the individual. However, an applicant is encouraged not to submit this type of data into the public file or to submit a consent for the disclosure of such data.
Revised 8/06