CO APCD Oversight and Governance
The oversight structure for the CO APCD is as follows:
- HCPF appoints the Administrator (CIVHC), which in turn is required by law and contract to strictly adhere to HIPAA, HITECH and related state and federal laws. CIVHC must annually report data requests and uses, and must immediately report any breaches of data to HCPF.
- HCPF promulgates all rules associated with the CO APCD including how data is protected and released.
- A statewide, multi-stakeholder Advisory Committee, reauthorized in 2013 through SB 13-149, makes recommendations to CIVHC for administration of the database.
- A separate Data Release Review Committee (DRRC), established by HCPF rules, develops protocols for data release, reviews requests for CO APCD reports and advises CIVHC on the appropriateness of those requests.
- CIVHC is required to submit annual reports to HCPF and the Colorado General Assembly.
- As a non-profit organization, CIVHC is governed by a Board of Directors with a fiduciary duty and financial liability related to the organization’s operation of the CO APCD.
- Because the CO APCD is funded by grants from the Colorado Health Foundation and The Colorado Trust, CIVHC is required to provide those foundations detailed reports on the progress of the CO APCD, a series of grant milestones, and an evaluation of the CO APCD’s impact.
CO APCD Data Warehouse Management
As Administrator of the Colorado All Payer Claims Database (CO APCD) and allowed by the CO APCD enabling legislation, CIVHC contracts with third party CO APCD technology vendors, Human Services Research Institute (HSRI) and the independent research organization, NORC, at the University of Chicago to securely collect, store, manage, and conduct limited analysis of claims information submitted by health insurance payers to the CO APCD. CIVHC retains all rights, to the information provided by the health insurance payers.
All CO APCD data submissions are received and processed on systems and equipment owned and operated by HSRI and NORC. CIVHC does not directly receive claims data from data submitters, however, once processed and encrypted to protect Personal Health Information (PHI), CIVHC receives limited access to data warehouse files to conduct internal analysis for public and custom reporting.
As the CO APCD technology vendors, HSRI and NORC are legally required to abide by all CIVHC policies and procedures established to maintain the privacy, security, confidentiality, integrity, and availability of the data contains within the CO APCD. These policies and procedures comply with all state, local, and Federal security and privacy laws including the Health Insurance Portability and Accountability Act ("HIPAA") and the Health Information Technology for Economic and Clinical Health ("HITECH") Act.