The original instrument and the following digest, which constitutes no part of the
legislative instrument, were prepared by Christopher D. Adams.
DIGEST
Johns (SB 259)
Present law provides for the health care consumers' right to know.
Proposed law adds to the legislative findings to find that as a result of the rapidly expanding
availability and access to patient sensitive health care data, the citizens of Louisiana deserve
protection of their patient encounter data to the greatest extent possible relative to health care
data reporting and dissemination of protected health information datasets for use in research
projects intended to improve the population health of Louisiana's citizens.
Proposed law amends present law to include to that the Department of Health and Hospitals (the
department), in consultation with the Health Data Panel, shall maintain the computerized
database of consumer's personal health information in a secure environment in compliance with
federal laws ensuring the security of the system containing such data. Further, in the event of a
data breach or suspected data breach, the department shall within 30 days notify any resident of
the state whose personal information was, or is reasonably believed to have been, acquired by an
unauthorized person.
Present law provides the department shall create the Health Data Panel, and the purpose of the
Health Data Panel shall be to make recommendations to the secretary of the department for the
implementation of the requirements of present law. Present law provides the Health Data Panel
shall consider the provisions set forth in present law.
Proposed law amends present law and removes the provision that provides the Health Data Panel
shall consider the provisions set forth in present law.
Present law provides members of the Health Data Panel shall be appointed by the secretary and
shall represent all interests involved in the collection and publication of provider and health plan
specific cost, quality, and performance data elements. Further, members shall include but not be
limited to health care purchasers, hospitals and other service providers, consumer and patient
advocacy groups, quality improvement and health information technology groups, physicians,
and any other individuals or groups as deemed necessary by the secretary.
Proposed law provides the Health Data Panel shall consider the provisions set forth in present
law. Further provides that changes to the mandatory health care data elements or the
methodology by which data shall be reported by health care providers and health plans to the
department shall be approved by a majority vote of the members of the Health Data Panel and
promulgated by a rule in accordance with the Administrative Procedure Act by the department.
Present law provides the secretary or his designee shall serve as the chairman of the meetings of the Health Data Panel. Further, the secretary may use the recommendations of the Health Data
Panel to fulfill the department's responsibilities as set forth in present law.
Proposed law provides the secretary or his designee shall serve as the chairman of the meetings
of the Health Data Panel. The secretary shall convene meetings of the Health Data Panel on an
annual basis and as needed to fulfill the provisions of present law. Further, the secretary shall use
the recommendations of the Health Data Panel to fulfill the department's responsibilities as set
forth in present law.
Proposed law provides data collected pursuant to present law may be disclosed for research
purposes but only under the following circumstances:
(1)The requesting entity is recognized as a health care research organization, focused on the
improvement of healthcare outcomes through education and community engagement.
(2)The data sought to be used for research qualifies a de-identified personal health
information as defined in 45 CFR 164.514.
Proposed law provides all requests for data shall be submitted to the department, then reviewed
and approved by a majority vote of the Health Data Panel.
Proposed law provides the data request shall include:
(1)A description of the requesting entity, including its ownership structure.
(2)Rationale for the study or data use.
(3)A summary of the project or study plan, including a project timeline, definition of project
scope, and justification for the particular fields and records necessary for the project or
study.
(4)Signed data use agreement pursuant to present law by the requesting entity and any
subcontractors.
(5)Affirmation that the data requesting entity shall destroy all data in its entirety upon
completion of the research project.
Proposed law provides the department shall enter into a data use agreement outlining the
permitted uses and disclosures of the de-identified personal health information. The agreement
shall include at a minimum the following:
(1)A description of the requesting entity, including its ownership structure.
(2)Rationale for the study or data use.
(3)A summary of the project or study plan, including a project timeline, definition of project scope, and justification for the particular fields and records necessary for the project or
study.
(4)Identify all parties who may use or receive the information and prohibit any recipient
from using or further disclosing the data, except as permitted by the agreement.
(5)Include an affirmation that data shall be used only for the stated purpose, and that no
attempts shall be made to combine data provided for in the request with other data to
identify confidential information.
(6)Require the recipient to use and demonstrate that appropriate safeguards are in place to
prevent the use or disclosure of data that is not permitted by the agreement.
(7)Require the recipient to report to the department any unauthorized use or disclosure of
data.
(8)Require the recipient to ensure that any agents, including subcontractors to whom it
provides the information, agree to the data use restrictions.
(9)Detail the method by which the data will be destroyed after the qualifying research project
is completed.
(10)Signed by the requesting health care research entity and any subcontractors. Any future
subcontractors shall be disclosed and approved by the department.
(11)Prohibit the recipient from identifying the information or contacting the individuals.
Effective August 1, 2014.
(Amends R.S. 40:1300.111-1300.114; adds R.S. 40:1300.115 and 1300.116)