Section 350.3 - APD Data Release

Section 350.3 APD data release.

(a) The Department shall implement quality control and validation processes to provide reasonable assurance that APD data released to the public is complete, accurate, and valid. The Department shall adhere to applicable State and federal laws, regulations, and policies on release of Medicare and Medicaid data.

(b) Upon reasonable assurance that subdivision (a) has been satisfied, the Department may release data in the following manner:

(1) De-identified and/or aggregated APD data of a public use nature may be posted to a consumer-facing website.

(2) APD data, including data with identifying data elements, may be released to a New York State agency or the federal government in a manner that appropriately safeguards the privacy, confidentiality, and security of the data.

(3) APD data, including data with identifying data elements, may be released to other data users that have met the Department’s requirements for maintaining security, privacy, and confidentiality and have approved data use agreements with the Department.

(c) Data users shall adhere to security, confidentiality, and privacy guidelines established by the Department to prevent breaches or unauthorized disclosures of personal information resulting from any data analysis or re-disclosure. Data users bear full responsibility for breaches or unauthorized disclosures of personal information resulting from use of APD data.

(d)(1) Where the Department grants data users access to APD data that does not include identifying data elements, such access shall be subject to terms and conditions established by the Department.

(2) Data users who wish to request APD data that includes identifying data elements shall submit an application for a proposed project in a form established by the Department, which shall include an explicit plan for preventing breaches or unauthorized disclosures of identifying data elements of any individual who is a subject of the information. The Department’s review of the proposed project shall include, but not be limited to: (i) use of the specific identifying data elements; (ii) adherence to the Department’s guidance on the appropriate and controlled release of data; and (iii) assurance on whether the release of identifying data elements reflects overall goals of confidentiality, privacy, security, and benefits to public and population health.

(e) Any data user that violates this section or any data use agreement executed under this section shall be liable pursuant to the provisions of the Public Health Law, including, but not limited to, sections 12 and 12‑d of the Public Health Law.

(f) The Department may charge reasonable fees for access to APD data, which shall be based upon estimated costs incurred and recurring for data processing, operation of the platform/data center, and software. The Department shall establish a policy describing any APD data that shall be available at no charge, the fees for access to APD data subject to charge, the process for fee payment, and under what circumstances fees may be reduced or waived.

Effective Date: 
Wednesday, September 13, 2017
Statutory Authority: 
Public Health Law, Sections 206(18-a)(d) and 2816