(a) As used in this section:

(1) “Patient-identifiable data” means any information that identifies or may reasonably be used as a basis to identify an individual patient; and

(2) “De-identified patient data” means any information that meets the requirements for de-identification of protected health information as set forth in 45 C.F.R. § 164.514.

(b) Each short-term acute care general or children’s hospital shall submit patient-identifiable inpatient discharge data and emergency department data to the Health Systems Planning Unit of the Office of Health Strategy to fulfill the responsibilities of the unit. Such data shall include data taken from patient medical record abstracts and bills. The unit shall specify the timing and format of such submissions. Data submitted pursuant to this section may be submitted through a contractual arrangement with an intermediary and such contractual arrangement shall (1) comply with the provisions of the Health Insurance Portability and Accountability Act of 1996 P.L. 104-191 (HIPAA), and (2) ensure that such submission of data is timely and accurate. The unit may conduct an audit of the data submitted through such intermediary in order to verify its accuracy.

(c) An outpatient surgical facility, as defined in § 19a-493b, a short-term acute care general or children’s hospital, or a facility that provides outpatient surgical services as part of the outpatient surgery department of a short-term acute care hospital shall submit to the unit the data identified in subsection (c) of § 19a-634. The unit shall convene a working group consisting of representatives of outpatient surgical facilities, hospitals and other individuals necessary to develop recommendations that address current obstacles to, and proposed requirements for, patient-identifiable data reporting in the outpatient setting. On or before February 1, 2012, the working group shall report, in accordance with the provisions of § 11-4a, on its findings and recommendations to the joint standing committees of the General Assembly having cognizance of matters relating to public health and insurance and real estate. Additional reporting of outpatient data as the unit deems necessary shall begin not later than July 1, 2015. On or before July 1, 2018, and annually thereafter, the Connecticut Association of Ambulatory Surgery Centers shall provide a progress report to the Office of Health Strategy, until such time as all ambulatory surgery centers are in full compliance with the implementation of systems that allow for the reporting of outpatient data as required by the executive director. Until such additional reporting requirements take effect on July 1, 2015, the department may work with the Connecticut Association of Ambulatory Surgery Centers and the Connecticut Hospital Association on specific data reporting initiatives provided that no penalties shall be assessed under this chapter or any other provision of law with respect to the failure to submit such data.

(d) Except as provided in this subsection, patient-identifiable data received by the unit shall be kept confidential and shall not be considered public records or files subject to disclosure under the Freedom of Information Act, as defined in § 1-200. The unit may release de-identified patient data or aggregate patient data to the public in a manner consistent with the provisions of 45 C.F.R. § 164.514. Any de-identified patient data released by the unit shall exclude provider, physician and payer organization names or codes and shall be kept confidential by the recipient. The unit may release patient-identifiable data (1) for medical and scientific research as provided for in § 19a-25-3 of the regulations of Connecticut state agencies, and (2) to (A) a state agency for the purpose of improving health care service delivery, (B) a federal agency or the office of the Attorney General for the purpose of investigating hospital mergers and acquisitions, (C) another state’s health data collection agency with which the unit has entered into a reciprocal data-sharing agreement for the purpose of certificate of need review or evaluation of health care services, upon receipt of a request from such agency, provided, prior to the release of such patient-identifiable data, such agency enters into a written agreement with the unit pursuant to which such agency agrees to protect the confidentiality of such patient-identifiable data and not to use such patient-identifiable data as a basis for any decision concerning a patient, or (D) a consultant or independent professional contracted by the Office of Health Strategy pursuant to § 19a-614 to carry out the functions of the unit, including collecting, managing or organizing such patient-identifiable data. No individual or entity receiving patient-identifiable data may release such data in any manner that may result in an individual patient, physician, provider or payer being identified. The unit shall impose a reasonable, cost-based fee for any patient data provided to a nongovernmental entity.

(e) Not later than October 1, 2018, the Health Systems Planning Unit shall enter into a memorandum of understanding with the Comptroller that shall permit the Comptroller to access the data set forth in subsections (b) and (c) of this section, provided the Comptroller agrees, in writing, to keep individual patient and provider data identified by proper name or personal identification code and submitted pursuant to this section confidential.

(f) The executive director of the Office of Health Strategy shall adopt regulations, in accordance with the provisions of chapter 54, to carry out the provisions of this section.

(g) The duties assigned to the Office of Health Strategy under the provisions of this section shall be implemented within available appropriations.