Draft - Proposal for Discussion Only

DRAFT - PROPOSAL FOR DISCUSSION ONLY

Policy for Including Provider Identifiers in a Data Set

Background

●For both claims and encounter data, OHCS data systems often identify health care service providers by name or ID number. This includes a wide variety of provider types including facilities, physicians, pharmacies, transportation companies, and many others.

●OHCS currently publishes reports and compilations that include provider names as guided by statute.

●OHCS has been releasing hospital identifiers under a long-standing policy (of well over 20 years) with no incidents.

Guiding Principles

●There are many legitimate uses of data that include provider identifiers for research and statistical purposes.

●There are requirements on the publication of reports and compilations comparing providers, namely that providers must have an opportunity to correct erroneous data and must also be given time to prepare a response before the report or compilation is published.

●A data user should not be able to create comparison reports or compilations for public distribution without following these requirements.

●Data users should have limited contact with providers, unless they have an existing business relationship. As an exception, data users must contact providers to allow them to correct data or prepare responses as required in statute.

●Data users should never use the contact information in OHCS datasets to facilitate contacting a provider for other purposes (as stated in the Data Use Agreement).

●Information about payment to specific providers is sensitive and should be subjected to extra protection and additional review.

Definitions and Distinctions

●A “provider” is any entity that either submits a claim for payment that is included in the APCD or is a licensed facility required to submit encounter data.

○For the purpose of this document, we make a distinction between a provider that is a natural person (such as a physician, pharmacist, or therapist) and a provider that is a corporate entity (such as a clinic, facility, or laboratory).

●A “data set” is a collection of “data” as defined in the Data Access Policy and includes information at the claims, encounter or person level.

●A “provider control number” is a proxy identifier created by OHCS that preserves the ability to aggregate by provider but does not allow direct identification of the provider to an external user.

●A “provider identifier” is any data field, such as name, address, NPI, etc., that would allow a data user to easily discover the provider’s identity.

●Provider identifiers are not considered “identified health data” and are not protected in the same way as patient identifiers.

●The inclusion of provider identifiers does not change the category (public-use vs. research) of the data.

●This policy does not relate to OHCS’ publication of reports or compilations. It only applies to cases where a data user requests provider identifiers be included in an OHCS data extract.

Policies and Procedures Relating to Provider Identifiers

●Wherever possible, a provider control number should be used instead of a provider identifier.

●Wherever possible, providers that are natural persons should be grouped into clinics or other corporate entities.

●Provider control numbers for any type of provider may be included in both public-use data sets and research data sets as defined in the Data Access Policy.

●Provider identifiers may only be included in a public use data set (including limited use data sets treated as public use data sets) for providers that are corporate entities, and not providers that are natural persons.

●A request to include provider identifiers in a data set may be approved as long as:

○The user includes a specific justification showing why the provider identifiers are necessary for the requested use.

○The user agrees to terms and conditions as outlined in the Data Access Policy.

○The user specifically agrees to not contact providers except as permitted or required by this policy.

●Requests for data that include provider identifiers will follow the standard Data Access Policy.

●Requests for provider identifiers in combination with a request for payment information must also include the following elements:

○An assurance that the user will not attempt to discover any information related to contracts between payers and providers.

○An assurance that the user will not publish any results that disclose how much a provider was reimbursed for a specific individual claim or event. Statistical analysis (counts, ranges, averages, etc.) is not expressly prohibited and may be allowed in certain cases.

●Any request to use provider identifiers in a study that includes research on cost variation across providers must include a statistical power analysis and must propose statistical thresholds necessary to suppress cells.