Section 5.05 - Requests from Payers, Providers and Provider Organizations for Data with Direct Patient Identifiers for Treatment and Coordination of Care(1) Payer, Provider and Provider Organization requests for Data with Direct Patient Identifiers shall be made in writing by filing an application with CHIA in a form specified by CHIA as provided on its Website.(2) CHIA shall fulfill Payer, Provider and Provider Organization requests for Direct Patient Identifiers for Treatment and Coordination of Care to the extent permissible under state and federal laws protecting patient privacy and data security. Payers, Providers and Provider Organizations may be required to establish to CHIA's satisfaction that Data Subjects have consented to the release of the Data for the specific use described in the Payer, Provider or Provider Organization's request.(3) Payer, Provider and Provider Organization requests for Protected Health Information for uses other than requests for Direct Patient Identifiers for Treatment and Coordination of Care shall be reviewed under 957 CMR 5.06.(4) Payers, Providers and Provider Organizations requesting Protected Health Information of Medicaid recipients will be required to demonstrate compliance with 42 U.S.C. § 1396a(a)(7) to the satisfaction of both CHIA and the Executive Office of Health and Human Services.(5) Payers, Providers and Provider Organizations requesting Medicare Data will be required to demonstrate compliance with CMS requirements regarding access to and use of such Data.(6) Payers, Providers and Provider Organizations shall enter into a Data Use Agreement with CHIA prior to the receipt of data with Direct Patient Identifiers. The Data Use Agreement will strictly limit the use of such Data for Treatment and Coordination of Care and will specify the security measures taken to protect the Data from further disclosure. The Data Use Agreement shall also, at a minimum: (a) commit the Data Recipient to return or destroy the Data received from CHIA upon completion of the project for which the use of the Data was approved. All Data destruction must comport with M.G.L. c. 93I and any other applicable state or federal law;(b) require the Data Recipient to adhere to processes and procedures aimed at preventing unauthorized access, disclosure or use of the Data;(c) require the Data Recipient to notify CHIA of any unauthorized use or disclosure of the Data; and(d) permit CHIA, at its discretion, to audit the Data Recipient's compliance with the provisions of the Data Use Agreement.Amended by Mass Register Issue 1355, eff. 12/29/2017.