In 2010, the Colorado General Assembly saw the opportunities an immense repository of data such as the Colorado All Payer Claims Database (CO APCD) could afford – they also saw the possibilities for exploitation and built safeguards into the use of the CO APCD. When drafting the legislation that shaped the database, they explicitly stated that the purpose of the CO APCD was “facilitating the reporting of health care and health quality data that results in transparent and public reporting of safety, quality, cost, and efficiency information at all levels of health care. The bill sponsors detailed how the data collected would be available in two ways 1) “to the public…as a resource to insurers, consumers, employers, providers, purchasers of health care, and state agencies to allow for continuous review of health care utilization, expenditures, and quality and safety performance in Colorado;…”, and 2) to “state agencies and private entities in Colorado engaged in efforts to improve health care.”

The policymakers also directed an administrator to be appointed and a multi-stakeholder Advisory Committee to be seated to work out the remaining logistics of creating a database that would go on to collect upwards of four million claims each month, at last count. These logistics included arranging for funding, determining what data elements to collect, and establishing the criteria under which this valuable data could be released. Decisions governing the collection, release, and reporting of CO APCD are enacted via Executive Director Rule from the Colorado Department of Health Care Policy and Financing and incorporated into the Colorado Code of Regulations (10 CCR 2505-5/1.2004.A-1.200.9A – the CO APCD Rule).

The CO APCD Rule outlines the claim types to be collected, what entities must submit data, what penalties might be assessed in the event of non-compliance, and the conditions which must be met for release of CO APCD data. Public releases of data are governed by different rules than releases of non-public data. Public releases must:

  • be aggregated and summarized to protect patient identity according to the Health Information Portability and Accountability Act (HIPAA),
  • follow all federal regulations, such as the Health Information Technology for Economic and Clinical Health (HITECH), and anti-trust laws,
  • “describe patterns of incidence and variation of targeted medical conditions, state and regional cost patterns and utilization of services[;]” and
  • should be published via a consumer-facing website to achieve the purposes of the CO APCD.

The criteria for releases of non-public CO APCD data focus on both the entity requesting access and the proposed purpose for the information. The data requestor must:

  • be engaged in efforts to improve health care quality, value or public health outcomes for Colorado residents[;]” and
  • be prepared to comply with all federal regulations, such as HIPAA, HITECH, or anti-trust laws.

A Data Release and Review Committee (DRRC) evaluates requests to ensure they are “consistent with the statutory purpose of the APCD, will contribute to efforts to improve health care quality, value or public health outcomes for Colorado residents and compl[y] with the requirements of HIPAA.” The DRRC then advises the administrator whether the request meets the requirements for release. Once a project is determined to meet the criteria for release, non-public CO APCD data requestors must complete the application process, which involves fulfilling additional requirements to adhere to CIVHC data privacy and security policies.

Examples of public releases of CO APCD data can be found on civhc.org under Public Data, and descriptions of non-public releases are available on the Change Agent Index.