OAR 409-025-0160
Data Access and Release


The Authority shall comply with all relevant state and federal data privacy, security, and antitrust regulations, including The Health Insurance Portability and Accountability Act (HIPAA), when sharing APAC data.
(2) The Authority may collect payment to recoup costs when APAC data requests are fulfilled.
(3) The Authority shall provide a public use data set, which shall include de-identified health information, in compliance with applicable Authority policies and state and federal rules, regulations, and statutes.
(a) The Authority shall maintain a list of data elements that may be included in APAC public use data sets.
(b) Requestors seeking access to an APAC public use data set shall complete a Pre-Application for APAC Data Files (APAC-2) and submit full payment as follows:
(A) $1,000 per data year for Episodes of Care;
(B) $500 per data year for Medical Claims; and
(C) $500 per data year for Pharmacy Claims.
(c) The Authority may approve or deny the completed request and provide written notification to the requestor within 30 calendar days of receipt of the request.
(d) The Authority shall deny the completed request for reasons which include, but are not limited to:
(A) Requestor or any person who will have access to the data has previously violated a data use agreement with the Authority.
(B) The Authority finds that the specific details of the request do not sufficiently explain the proposed use.
(C) The Authority finds that the specific details of the request violate any state or federal rule, regulation, or statute.
(D) Full payment is not included with the application.
(e) If the Authority denies the Pre-Application for APAC Data Files (APAC-2):
(A) The Authority shall provide written notification stating the reason for the denial and process return of payment; and
(B) The requestor may appeal the denial by requesting a contested case hearing. The appeal must be filed within 30 business days of the denial. The appeal process is conducted pursuant to ORS chapter 183 and the Attorney General’s Uniform and Model Rules of Procedure, OAR 137-003-0501 (Rules for Office of Administrative Hearings) to 137-003-0700 (Stay Proceeding and Order). The requestor shall have the burden to prove that the Authority unreasonably denied the application.
(f) The public use data sets may not be used to identify any individual, including but not limited to patients, physicians, and other health care providers. The requestor may not use outside information to attempt to ascertain the identity of individuals who are the subject of public use data sets.
(4) The Authority shall provide limited data sets, in compliance with applicable Authority policies and state and federal rules, regulations, and statutes. Limited data sets may include protected health information.
(a) The Authority shall maintain a list of data elements that may be included in APAC limited data sets.
(b) APAC limited data sets may be disclosed for purposes allowed by state and federal regulations, including research, public health, and health care operations.
(c) Requestors seeking access to APAC limited data sets shall complete the Pre-Application for APAC Data Files (APAC-2). The Authority may require requestors to provide additional information by completing the Application for APAC Data Files (APAC-3).
(d) Requestors must identify each data element requested and explain the use of the data element within the description of activity in the application. The Authority will determine which data elements will be released after review under HIPAA and other applicable laws, regulations, and rules.
(e) The Authority shall determine the hours required to complete the data request and inform the requestor of the cost of the resulting data set.
(5) Requests for public use data set or limited data sets must be made using the form and manner prescribed by the Authority that is available on the agency’s website. The form shall collect sufficient information to evaluate any request for APAC data.
(6) Requestors who receive a limited data set must maintain Institutional Review Board (IRB) approval, if required for the data use agreement, throughout the span of authorized use of the data and until the data is destroyed. Requestors must submit updated documentation authorizing continued activity prior to the expiration of the previous authorization.
(7) Requesters who receive a limited data set must submit an amendment to the Authority when there is a change in the proposed use of the data within the scope of the original data request.
(a) Requestors shall file such an amendment when any of the following is anticipated:
(A) A change in persons accessing the data;
(B) Additional data elements are requested;
(C) Additional years of data are requested;
(D) Any change in the use of the data including linking or the addition of research questions; or
(E) Any change in research protocol, regardless of approval by an IRB.
(b) Changes or additions that are outside of the scope of the original data request will not be approved.
(c) Requestors may not implement any change related to access or use of data prior to receiving approval from the Authority.
(d) Changes in data elements, data use or research protocol must be reviewed by the Data Review Committee (DRC) described in OAR 409-025-0190 (Data Review Committee). In addition, a recommendation by the DRC may be sought for additional years of data or new project staff for limited data sets the Authority determines to include vulnerable populations.
(e) The Authority shall review for completeness all applications and provide requestors written notification of completeness within 30 calendar days of receipt of the request. If the Authority determines that the application is incomplete, the requestor shall have 30 calendar days from notification of incompleteness to complete the application. Incomplete applications that are not completed shall be discarded without further notification to the requestor.
[ED. NOTE: Forms and lists referenced are available on the agency’s website.]

Source: Rule 409-025-0160 — Data Access and Release, https://secure.­sos.­state.­or.­us/oard/view.­action?ruleNumber=409-025-0160.

Last Updated

Jun. 8, 2021

Rule 409-025-0160’s source at or​.us