Section 12: Collection, storage and maintenance of data collected under Secs. 8 to 10A; payer and provider claims database; access to data; reasons for access; disclosure of identifiable information for research; disclosure of de-identified information; prohibited uses of health information; compliance with chapter 66A; violations
Section 12. (a) The center shall be the sole repository for health care data collected under sections 8 to 10A, inclusive. The center shall collect, store and maintain such data in a payer and provider claims database. The center shall acquire, retain and oversee all information technology, infrastructure, hardware, components, servers and employees necessary to carry out this section. All other agencies, authorities, councils, boards and commissions of the commonwealth seeking health care data that is collected under this section shall, whenever feasible, utilize the data before requesting data directly from health care providers and payers. In order to ensure patient data confidentiality, the center shall not contract or transfer the operation of the database or its functions to a third-party entity, nonprofit organization or governmental entity; provided, however, that the center may enter into interagency services agreements for transfer and use of the data.
The center shall, to the extent feasible, make data in the payer and provider claims database available to payers and providers in real-time; provided, however, that all data-sharing complies with applicable state and federal privacy laws The center may charge a fee for access to the data.
To the maximum extent feasible, the center shall also make data available to health care consumers, on a timely basis and in an easily readable and understandable format, data on health care services they have personally received.
[ Subsection (b) effective until November 5, 2025. For text effective November 5, 2025, see below.]
(b) The center shall permit providers, provider organizations, public and private health care payers, government agencies and authorities and researchers access to de-identified data collected by the center for the purposes of lowering total medical expenses, coordinating care, benchmarking, quality analysis and other research, administrative or planning purposes, provided, however, that the data shall not include information that would allow the identification of the health information of an individual patient, except to the extent necessary for a government agency or authority to accomplish the public purposes for which access was given. The center shall also permit providers, provider organizations, and public and private health care payers access to data with patient identifiers solely for the purpose of carrying out treatment and coordinating care among providers. Access to data authorized under this section shall be deemed to comply with the requirements of chapter 66A. The center shall charge user fees sufficient to defray the center's cost of providing such access to non-governmental entities.
[ Subsection (b) as amended by 2025, 16, Sec. 3 effective November 5, 2025. For text effective until August 5, 2025, see above.]
(b) The center shall permit a government agency or authority to access identifiable health information of an individual only to the extent necessary for such government agency or authority to accomplish the public purposes for which access was given, subject to subsection (f). Except as required by federal law, the center shall not provide access to any data, including de-identified data or any other data that would allow the identification of a patient or provider in response to an out-of-state or federal inquiry or investigation into services constituting legally-protected health care activity, as defined in section 11I1/2 of chapter 12.
[ Subsections (c) to (h) added by 2025, 16, Sec. 3 effective November 5, 2025.]
(c) The center shall permit providers, provider organizations and public and private health care payers access to identifiable health information of an individual solely for the purposes of carrying out treatment, payment or health care operations.
(d) The center may disclose identifiable health information of an individual for research, regardless of the source of funding of the research; provided, however, that: (i) the center obtains documentation of authorization from the individual patient; or (ii) waiver of individual authorization has been approved by either an institutional review board or privacy board.
(e) The center may disclose de-identified health information of an individual for the purposes of lowering total medical expenses, coordinating care, benchmarking, quality analysis, research, administrative or planning purposes, informing consumer health care decisions or other purposes that aim to improve healthcare or public health outcomes for commonwealth residents that are consistent with the goals of this chapter. A recipient of de-identified health information of an individual shall not use such information or data to identify any person for any purpose.
(f) A recipient of de-identified or identifiable health information of an individual patient shall not use such information to: (i) conduct a criminal, civil or administrative investigation into any individual patient; or (ii) impose criminal, civil or administrative liability on any individual patient.
(g) Access to identifiable health information of an individual, including personal data as defined in section 1 of chapter 66A, authorized under this section shall be deemed to comply with the requirements of chapter 66A.
(h) The center may charge an application fee or other fees sufficient to process and provide such access to non-governmental entities.
(i) A violation of subsection (f), or any rule or regulation issued thereunder, shall constitute a violation of chapter 93A.