The safety and privacy of personal information is a foundational principle of how the Colorado APCD is designed and operated. Not only is data always encrypted and protected but personal information will never appear in any public APCD data output or report.
Data Security: When carriers submit files to the APCD, the datasets are always encrypted and sent over a secure connection (File Transfer Protocol or FTP) to Treo Solutions, the APCD Data Manager. The FTP will be limited to a pre-determined list of users and IP addresses (internet connections) reserved for the carriers submitting the data. When Treo Solutions receives a file, security protocols run automatically, without manual intervention and in a secure environment, to confirm that the files contain the expected information before they are stored in the secured data warehouse.
Treo Solutions specializes in providing secure solutions that comply with the Health Information Portability and Accountability Act of 1996 (including HITECH act), Federal Information Processing Standards, as well as conforming to standards published by the National Institute of Standards and Technology. Treo Solutions also engages third party review of its services and uses modern technologies, including advanced encryption, biometrics and intrusion prevention and detection, to secure its facilities providing solutions to healthcare organizations throughout the United States.
Elimination of personal identifiers: As data are loaded into the warehouse, all personal information is removed from the record and replaced with an identification number that is generated by a separate software tool. This tool allows the assignment of an identification number that is completely unique and is not based on reconfiguring personal information. Additionally, birth date will be replaced with age category and zip codes will be reduced to the first 3 digits (or 000 if from a zip code with fewer than 20,000 people).
Controls on how the database is used for analysis and research: Simply stated: your personal information will never appear in any public APCD data output or report.
The APCD is establishing a data release process for specialized reports and data requests. All requests must detail the purpose of the project, the methodology, the qualifications of the research entity and, by executing a data use agreement, comply with the requirements of HIPAA.
The data release review committee will review the request and advise CIVHC whether release of the data is consistent with the statutory purpose of the APCD, contributes to efforts to improve health care for Colorado residents, and complies with the requirements of HIPAA.