(a) General. Subject to the other requirements in this subpart, the requirements in paragraphs (b) and (c) of this section and any other applicable laws or contractual agreements, a qualified entity may provide or sell combined data or provide Medicare data at no cost to authorized users defined at § 401.703(b), (c), (m), and (n).
(b) Data—(1) De-identification. Except as specified in paragraph (b)(2) of this section, any data provided or sold by a qualified entity to an authorized user must be limited to beneficiary de-identified data. De-identification must be determined based on the de-identification standards for HIPAA covered entities found at 45 CFR 164.514(b).
(2) Exception. If such disclosure will be consistent with all applicable laws, data that individually identifies a beneficiary may only be disclosed to a provider or supplier (as defined at § 401.703(b) and (c)) with whom the identifiable individuals in such data have a current patient relationship as defined at § 401.703(r).
(c) Data use agreement between a qualified entity and an authorized user. A qualified entity must contractually require an authorized user to comply with the requirements in § 401.713(d) prior to providing or selling data to an authorized user under § 401.718.
[81 FR 44481, July 7, 2016]