To effectuate the provisions of this article, the MOU parties may propose joint rules for legislative approval in accordance with the provisions of article three, chapter twenty-nine-a of this code as necessary to implement this article. No actions to collect data or assess fees pursuant to this article may be undertaken until rules promulgated hereunder are made effective. Such rules may include, but are not limited to, the following:

(a) Procedures for the collection, retention, use and disclosure of data from the APCD, including procedures and safeguards to protect the privacy, integrity, confidentiality and availability of any data;

(b) Penalties against health care payers for violation of rules governing the submission of data, including a schedule of fines for failure to file data or to pay assessments;

(c) Fees payable by users of the data and the process for a waiver or reduction of user fees. Any such fees shall be established at a level that, when considered together with other available funding sources, is deemed necessary to sustain the operation of the APCD;

(d) A proposed time frame for the creation of the database;

(e) Criteria for determining whether data collected, beyond the listed personal identifiers, is confidential clinical data, confidential financial data or privileged medical information, and procedures to give affected providers and health care payers notice and opportunity to comment in response to requests for information that may be considered confidential or privileged;

(f) Penalties, including fines and other administrative sanctions, that may be imposed by the commissioner for a health care payer's failure to comply with requirements of this article and rules adopted hereunder; and

(g) Establishment of advisory boards to provide advice to the MOU parties with respect to the various functions of the APCD.