Protecting health information is the highest priority for the Colorado All Payer Claims Database (CO APCD). Colorado statute CRS 25.5-1-204 requires the CO APCD to “[p]rotect patient privacy in compliance with state and federal medical privacy laws while preserving the ability to analyze data and share with providers and payers to ensure accuracy prior to the public release of information[.]” This ensures that all aspects of CO APCD data collection, processing, storage, analysis and release of data complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and all other federal privacy and security requirements.
What is HIPAA?: HIPAA is a federal law that required the creation of national standards to protect patient health information from being disclosed without the patient’s consent or knowledge. Two main components of HIPAA are known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule standards address the use and disclosure of individuals’ protected health information (PHI) by “covered entities.” Covered entities include:
- Health care providers
- Health plans
- Health care clearinghouses
- Business associates
CIVHC has an important role in protecting PHI in the CO APCD and is considered a covered entity or business associate in three different ways:
- CIVHC falls under the plain language definition of a HIPAA covered entity as a health care data clearinghouse because we process non-standard data and transactions received from payers into data elements.
- As the state Medicaid agency, the Department of Health Care Policy and Financing (HCPF) is also a covered entity and has a business associate agreement in place with CIVHC. This allows CIVHC to receive and process mandated data submissions on behalf of another covered entity, Medicaid.
- HB 10-1330, the enabling statute for the CO APCD requires CIVHC to act as a covered entity even if the first two of these situations did not apply. This means that, even if there was no other requirement to abide by HIPAA privacy standards, CIVHC, as the CO APCD administrator, and the CO APCD itself are required to adhere to all federal medical privacy laws.
The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. The Privacy Rule aims to ensure that individuals’ health information is adequately protected while “allowing the flow of health information needed to provide and promote high-quality health care and protect the public’s health and well-being.”
The Security Rule protects a subset of information covered by the Privacy Rule, defined as individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. The Security Rule does not apply to PHI transmitted orally or in writing. All covered entities must do the following:
- ensure the confidentiality, integrity, and availability of all electronic protected health information,
- detect and safeguard against anticipated threats to the security of the information,
- protect against anticipated, impermissible uses or disclosures, and certify compliance by their workforce.
How does CIVHC safeguard PHI in the CO APCD?
CIVHC and its data warehouse manager partner Human Services Resource Institute (HSRI) take a number of important steps to ensure PHI is protected.
De-identification: Protected data elements such as name, street address, and Social Security Number are removed as part of initial processing and replaced with a unique member identification number. Depending on the type of data requested, birth date is replaced with age or age range, and zip code data is aggregated to the first three digits. Data suppression rules are in place to prevent the release of any information that may make it possible to identify any individual represented in the CO APCD database. An example of how data is de-identified is available below.
Controls on how the database is used for analysis and research: The enabling CO APCD legislation (10 CCR 2505-5-1.200.5) requires the CO APCD Administrator (CIVHC) to establish the Data Release Review Committee (DRRC) to advise the administrator regarding requests for data release. The DRRC was established in September 2012 and meets on a monthly basis. It reviews applications and advises CIVHC whether release of the data is consistent with the statutory purpose of the CO APCD, contributes to efforts to improve health care for Colorado residents, and complies with the requirements of HIPAA and other federal privacy laws. The DRRC began reviewing the first written requests for access to CO APCD data in April 2013.
An entity interested in obtaining non-public data from the CO APCD is required to submit a written application that describes the purpose of the project, methodology, qualifications of the organization and the project staff, capacity to maintain data confidentiality and security, and experience with similar data sets or reports. CIVHC will only provide the minimum CO APCD data elements necessary to accomplish a particular research goal or project purpose, and only if the intended use of the data supports reaching the vision of better health, better care and lower costs for Colorado. The application must include justification for each data element that is needed for the project. More information is available to help understand the data release criteria, policies and procedures, and legal overview documents established by the DRRC and CIVHC for consideration and evaluation of data release requests.
All reports generated based on CO APCD data are subject to review and prior approval by CIVHC and must adhere to minimum cell size and complimentary cell suppression policies established by CMS (also known as the “cell suppression rules”) to prevent identification of individuals by inference.
The table below details the 18 HIPAA-defined protected health information (PHI) data elements. The CO APCD collects only eight of these. De-identified data and the Limited Data Set files make use of only two of the 18 collected data elements: zip code and date fields. Neither the De-identified data nor a Limited Data Set will include a patient’s name, street address, Social Security Number or any other direct patient identifier.
For more information, visit our CO APCD Privacy, Security, and Data Release Fact Guide or contact us at ColoradoAPCD@civhc.org.