Kelsey Foland, Compliance Process Manager

Administered by the Center for Improving Value in Health Care (CIVHC), the Colorado All Payer Claims Database (CO APCD) is a vital tool for driving health care innovation. The CO APCD holds the potential to improve health care for everyone by providing cost and quality information that can help inform efforts to make treatment affordable. Compliance ensures the protection of sensitive health information, thereby maintaining the public’s trust and serving as the safety net that allows CIVHC to innovate securely and responsibly.

Protecting patient data and adhering to regulations are crucial for conducting advanced analyses, enhancing health care quality, and making informed policy decisions. Embracing compliance empowers CIVHC to continue leading in health care innovation, building a healthier future for all Coloradans. CIVHC takes pride in supporting those dedicated to creating a better health care system for everyone. Kelsey Foland, from CIVHC’s Compliance Department, took a moment to answer some questions about compliance:

 

What is compliance?

Compliance means following the rules. Whether you're talking about state or federal laws, regulations, or policies and guidelines your organization sets, compliance is all about doing what you are supposed to do legally and ethically.

 

Why is compliance important for an organization like CIVHC?

Health data organizations like CIVHC handle sensitive information and protected health information (PHI). Compliance helps establish robust data security and privacy measures to protect such information. This includes mechanisms for adherence to various health care laws, data protection regulations, and other industry-specific requirements. Compliance is vital to maintaining the organization's integrity, fostering trust with the community, and ensuring that the organization contributes positively to the health care ecosystem.

 

What are the main duties of the Compliance Department at CIVHC?

CIVHC’s Compliance Department oversees a broad spectrum of activities designed to ensure our organization adheres to data privacy laws and upholds compliance standards. However, our Compliance Department isn't confined to a silo. Interdepartmental collaboration is critical to our success in several areas:

  • policies and procedures;
  • continuous regulatory compliance;
  • training and awareness;
  • risk assessment and mitigation;
  • data use evaluation;
  • recordkeeping and documentation;
  • monitoring and auditing; and
  • keeping data handling practices aligned with legal standards and changing technological capabilities.

 

What obstacles, barriers, etc., do you have to consider for your work?

Keeping abreast of evolving regulations and adapting to changes to ensure CIVHC’s compliance can be challenging. One way we address this is through our Data Use Agreements and Data Management Plan guide. Compliance with privacy regulations like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is essential, and addressing privacy concerns involves a thorough compliance review of all data requests, review by CIVHC’s Data Release Review Committee (DRRC) as appropriate, and managing data access and destruction appropriately. Ensuring that data analyses can be shared in a way that benefits the public while addressing concerns about data confidentiality and competitive interests is a delicate balance.

 

What are examples of not being compliant?

Organizations that manage or administer All Payer Claims Databases (APCDs) must adhere to strict privacy standards. Any breach or mishandling of sensitive information or PHI could lead to non-compliance. This includes failures to implement proper security measures, unauthorized access to data, or insufficient protection against data breaches.

 

What are the consequences of a health care database company's non-compliance?

Given the sensitive nature of health care data, the consequences of non-compliance in this industry are particularly severe. Health care claims database organizations must prioritize compliance to protect their operations, reputation, and, most importantly, the privacy of the individuals whose data they handle.

 

It's important to note that the consequences for non-compliance may depend on the severity and nature of the violations. Regulatory bodies, such as those overseeing health care data privacy, can impose substantial fines for non-compliance and restrict data processing until compliance is achieved, leading to delays and interruptions in services.

 

How has maintaining compliance evolved over the years?

Health care compliance is continually evolving through technological advancements, regulatory changes, and shifts in health care practices. Most recently, Artificial Intelligence (AI) stands out as both a challenge and an opportunity in this landscape. As health care organizations increasingly rely on AI and data analytics for population health management, predictive analytics, and personalized medicine, they face new cybersecurity concerns. Protecting electronic health information has become more complex, requiring updated cybersecurity measures at a very fast pace.

 

Can you share any examples of CIVHC adapting to new rules and regulations?

One example is our response to changes in substance use disorder (SUD) data regulations under the 2020 CARES Act. Recognizing the need for careful handling of sensitive SUD data, CIVHC collaborated with the Human Services Research Institute (HSRI) in 2022 to introduce a unique flagging system for SUD claims within the CO APCD. This solution ensures that SUD claims are stored and managed separately, aligning with new legal requirements and safeguarding patient privacy. You can read more about the SUD flag here.

 

What We Mean When We Talk About Compliance

  • Ensuring Data Privacy and Security
    • Protecting patient information is paramount. Compliance with HIPAA ensures that the sensitive data within the CO APCD is secure and accessible only to authorized users. These regulations mandate robust encryption, strict access controls, and meticulous audit logs, forming the foundation for innovative work.
  • Protecting Competitive Practices
    • Fair competition fosters innovation. Adhering to anti-trust laws ensures that CO APCD data is used ethically and transparently, maintaining a level playing field and encouraging innovative health care solutions.
  • Adherence to Colorado Laws and Regulations
    • Colorado’s regulations require comprehensive data submission from all major payers as well as specific criteria for the projects using CO APCD data. Compliance with these laws ensures that data is not only robust and reliable but also used for innovative analyses to benefit Colorado.
  • Confidentiality of Sensitive Data
    • Protecting the confidentiality of individuals seeking treatment for SUDs is crucial. Compliance with 42 CFR Part 2 ensures that this sensitive data is handled with the utmost confidentiality, maintaining trust and data integrity.
  • Compliance with CMS Rules
    • Strict adherence to Data Use Agreements from the Centers for Medicare & Medicaid Services (CMS) and robust security measures protect Medicare Fee for Service and Medicaid data. Following CMS’s Cell Size Suppression Policy further safeguards patient privacy in public reports, ensuring the integrity of the work.
  • Building Trust through Transparency
    • Compliance with all relevant data privacy and security laws builds public trust, essential for comprehensive data collection. This trust enables partners to share their information confidently, fueling the innovative analyses and solutions that drive CIVHC’s mission.
  • Promoting Innovation through Secure Data Usage
    • A secure and compliant data environment is the bedrock of CIVHC’s innovative analyses. From population health management to health equity research, compliance ensures that these groundbreaking applications are possible, driving improvements in health care quality and policy.