Privacy Program


The Center for Health Information and Analysis (CHIA) is committed to performing its role as a data hub while upholding high data privacy and information security standards and respecting and protecting individual privacy. CHIA has initiated a comprehensive data privacy and information security program, which has included implementing a new data release regulation that provides government agencies, payers, providers, and researchers with access to health care data within the limits of federal and state privacy and data security laws.

Complementing the new data release regulations are new procedures that ensure that each request for use of potentially sensitive data is carefully reviewed by an internal Data Privacy Committee (“DPC”). The committee, made up of information security specialists, works with all applicants seeking data to facilitate access while clarifying privacy and security requirements and ensuring that such requirements are met.

Certain requests for health care data also receive legal and technical review from the agency’s Data Release Committee (“DRC”), an external review committee made up of representatives from payers, providers, consumers, researchers, and advocacy groups. The final decision for release is made by CHIA’s Executive Director based on the recommendations of these committees. Before receiving the data, applicants are required to sign CHIA’s Data Use Agreement to help ensure that recipients of CHIA data maintain data security and protect patient privacy.

In addition to these initiatives, CHIA has conducted agency-wide trainings on data privacy and security for all CHIA employees and will continue to do so. CHIA has named a Chief Privacy Officer and a Chief Information Security Officer, who are responsible for the day-to-day management of the agency's privacy and data security initiatives, and for updating agency policies, practices, and procedures to keep pace with rapid changes in technology and privacy law. CHIA has also invested in IT security characterized by technological approaches such as data access services and network security, and the agency uses technical safeguards such as masking, encryption, filters, and other tools to ensure patient privacy to the maximum extent practicable. Paired with effective policies and procedures, these safeguards will help to maintain the privacy and security of patient information in the Commonwealth.