Protecting health information is the highest priority for the Center for Improving Value in Health Care (CIVHC), administrator of the Colorado All Payer Claims Database (CO APCD). Colorado statute CRS 25.5-1-204 requires the administrator of the CO APCD to “[p]rotect patient privacy in compliance with state and federal medical privacy laws while preserving the ability to analyze data[.]” CIVHC’s stringent data release and compliance policies ensure that all aspects of CO APCD data collection, processing, storage, analysis, and release comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and all other federal privacy and security requirements.

What is HIPAA?: HIPAA is a federal law requiring the creation of national standards to protect patient health information from being disclosed without the patient’s consent or knowledge. Two main components of HIPAA are known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The Privacy Rule standards address the use and disclosure of individuals’ protected health information (PHI) by “covered entities.” Covered entities include:

  • Health care providers
  • Health plans
  • Health care clearinghouses
  • Business associates

CIVHC has an important role in protecting PHI in the CO APCD and is considered a covered entity or business associate in three different ways:

  1. CIVHC falls under the plain language definition of a HIPAA covered entity as a health care data clearinghouse because we process non-standard data and transactions received from payers into data elements.
  2. As the state Medicaid agency, the Colorado Department of Health Care Policy and Financing (HCPF) is also a covered entity and has a business associate agreement in place with CIVHC to administer the database on behalf of the state. This allows CIVHC to receive and process mandated data submissions on behalf of another covered entity, in this case, Medicaid.
  3. HB 10-1330, the enabling statute for the CO APCD, requires CIVHC to act as a covered entity even if the first two of these situations did not apply. This means that, even if there were no other requirement to abide by HIPAA privacy standards, CIVHC, as the CO APCD administrator, and the CO APCD itself are required to adhere to all federal medical privacy laws.

The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. The Privacy Rule aims to ensure that individuals’ health information is adequately protected while “allowing the flow of health information needed to provide and promote high-quality health care and protect the public’s health and well-being.”

The Security Rule protects a subset of information covered by the Privacy Rule, defined as individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. The Security Rule does not apply to PHI transmitted orally or in writing. All covered entities must do the following:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information,
  • Detect and safeguard against anticipated threats to the security of the information, and
  • Protect against anticipated, impermissible uses or disclosures, and certify compliance by their workforce.

 

Informational callout box titled 'What is considered PHI?' explaining the definition of Protected Health Information (PHI) as per HIPAA. The text outlines that PHI includes individually identifiable health information held or maintained by covered entities or their business associates. It encompasses information in any form or medium, including demographics, health conditions, and payment details related to health care. The callout emphasizes that PHI applies to U.S. citizens and non-U.S. citizens alike.

How does CIVHC safeguard PHI in the CO APCD?

CIVHC and its data warehouse manager partner take a number of important steps to ensure PHI is protected.

De-identification: Protected data elements such as name, street address, and Social Security Number are removed as part of initial processing and replaced with a unique member identification number. Depending on the type of data requested, birth date is replaced with age or age range, and zip code data is aggregated to the first three digits. Data suppression rules are in place to prevent the release of any information that may make it possible to identify any individual represented in the CO APCD database. An example of how data is de-identified is available below.

Graphic titled 'CIVHC De-Identification Process,' depicting steps to remove personal identifiers from health data, including replacing names with unique IDs, aggregating ZIP codes, and applying data suppression rules to protect individual privacy.

Controls on how the database is used for analysis and research: The enabling CO APCD legislation (10 CCR 2505-5-1.200.5) requires the CO APCD Administrator (CIVHC) to establish and utilize a Data Release Review Committee (DRRC) to advise the administrator regarding requests for data release. The DRRC was established in September 2012 and meets on a monthly basis. It reviews applications and advises CIVHC on whether release of the data is consistent with the statutory purpose of the CO APCD, contributes to efforts to improve health care for Colorado residents, and complies with the requirements of HIPAA and other federal privacy laws. The DRRC began reviewing the first written requests for access to CO APCD data in April 2013.

An entity interested in obtaining non-public data from the CO APCD is required to submit a written application that describes the purpose of the project, methodology, qualifications of the organization and the project staff, capacity to maintain data confidentiality and security, and experience with similar data sets or reports. CIVHC will only provide the minimum CO APCD data elements necessary to accomplish a particular research goal or project purpose, and only if the intended use of the data supports reaching the vision of better health, better care and lower costs for Colorado. The application must include justification for each data element that is needed for the project. More information is available to help understand the data release criteria, policies and procedures, and legal overview documents established by the DRRC and CIVHC for consideration and evaluation of data release requests.

All reports generated based on CO APCD data that will be made public by external requestors are subject to review and prior approval by CIVHC and must adhere to minimum cell size and complementary cell suppression policies established by the Centers for Medicare & Medicaid Services (also known as the “cell suppression rules”) to prevent identification of individuals by inference. CIVHC’s public reporting team also strictly adheres to cell size suppression rules and only provides aggregated, de-identified data in publicly available reports at civhc.org.
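The de-identification steps and the cell suppression rules described above can be sketched in code. This is an added example, not CIVHC's implementation: the field names, the keyed-hash member ID, the ten-year age bands, and the minimum cell size of 11 are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
from datetime import date

MIN_CELL = 11  # assumption: counts of 1-10 are withheld; the page gives no number
REMOVED_FIELDS = {"name", "street_address", "ssn", "birth_date", "zip"}

def deidentify(rec, key, as_of):
    """Drop identifying fields; add a pseudonymous ID, an age range and a 3-digit ZIP."""
    out = {k: v for k, v in rec.items() if k not in REMOVED_FIELDS}
    # Assumption: a keyed hash stands in for the "unique member identification number".
    out["member_id"] = hmac.new(key, rec["ssn"].encode(), hashlib.sha256).hexdigest()[:16]
    born = rec["birth_date"]
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    low = age // 10 * 10  # assumption: ten-year age bands
    out["age_range"] = f"{low}-{low + 9}"
    out["zip3"] = rec["zip"][:3]
    return out

def suppress(counts):
    """Hide cells below MIN_CELL, plus one more if a total would expose a lone hidden cell."""
    hidden = {k for k, n in counts.items() if 0 < n < MIN_CELL}
    if len(hidden) == 1:
        shown = [k for k in counts if k not in hidden]
        if shown:  # complementary suppression: hide the smallest remaining cell
            hidden.add(min(shown, key=counts.get))
    return {k: (None if k in hidden else n) for k, n in counts.items()}

# Constructed sample input, not real data.
SAMPLE = {"name": "Jane Example", "street_address": "1 Example St", "ssn": "000-00-0001",
          "birth_date": date(1980, 6, 15), "zip": "80202", "paid_amount": 120.0}

if __name__ == "__main__":
    print(deidentify(SAMPLE, b"constructed-demo-key", date(2024, 1, 1)))
    print(suppress({"802": 40, "803": 3, "805": 15}))
```

In the sample table, hiding only the cell with a count of 3 would let a reader recover it by subtracting the other cells from a published total, which is why the next-smallest cell is withheld as well.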

The table below details the 18 HIPAA-defined PHI data elements. The CO APCD collects only eight of these. CIVHC offers both De-identified Data Set and Limited Data Set files, and both make use of only two of the eight collected data elements: zip code and date fields. Neither De-identified Data Sets nor Limited Data Sets include a patient’s name, street address, Social Security Number, or any other direct patient identifier. The table also shows which PHI elements are included in De-identified and Limited Data Sets.

Graphic illustrating the types of Personal Health Information (PHI) collected under HIPAA, featuring categories such as medical records, demographic details, billing information, and health insurance data, with icons and labels representing each data type.

For more information, review our blog outlining CIVHC’s compliance initiatives, visit our CO APCD Privacy, Security, and Data Release Fact Guide, or contact us at ColoradoAPCD@civhc.org.