Protecting health information is the highest priority for the Colorado All Payer Claims Database CO APCD). Colorado statute CRS 25.5-1-204 requires the CO APCD to “[p]rotect patient privacy in compliance with state and federal medical privacy laws while preserving the ability to analyze data and share with providers and payers to ensure accuracy prior to the public release of information[.]” This ensures that all aspects of CO APCD data collection, processing, storage, and analysis complies with the Health Insurance Portability and Accountability Act (HIPAA) and all other federal privacy and security requirements.

What is PHI (Protected Health Information) ? [1]: Individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes:

  • identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or
  • the payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse.

PHI is the definition used by HIPPA to determine the type of patient information that falls under the purview of the law.

What is the Health Insurance Portability and Accountability Act (HIPAA)?[2]: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect patient health information from being disclosed without the patient’s consent or knowledge. Two main components of HIPAA are known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The Privacy Rule standards address the use and disclosure of individuals’ PHI by “covered entities.” Covered entities include:

  • Health care providers
  • Health plans
  • Health care clearinghouse
  • Business associates

The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. The Privacy Rule aims to ensure that individuals’ health information is adequately protected while “allowing the flow of health information needed to provide and promote high-quality health care and protect the public’s health and well-being.”

The Security Rule protects a subset of information covered by the Privacy Rule, defined as individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. The Security Rule does not apply to PHI transmitted orally or in writing. All covered entities must do the following:

  • ensure the confidentiality, integrity, and availability of all electronic protected health information,
  • detect and safeguard against anticipated threats to the security of the information,
  • protect against anticipated, impermissible uses or disclosures, and
  • certify compliance by their workforce.

How does CIVHC safeguard PHI in the CO APCD?

CIVHC and its data warehouse manager partner Human Services Resource Institute (HSRI) take a number of important steps to ensure PHI is protected.

De-identification: Protected data elements such as name, street address, and Social Security Number are removed as part of initial processing and replaced with a unique member identification number. Depending upon the type of data requested, birth date is replaced with age or age range, and zip code data is aggregated to the first three digits. Data suppression rules are in place to prevent the release of any information that may make it possible to identify any individual represented in the CO APCD database. An example of how data is de-identified is available below.

Controls on how the database is used for analysis and research: 10 CCR 2505-5-1.200.5 requires the CO APCD Administrator to establish the Data Release Review Committee (DRRC) to advise CIVHC regarding requests for data release. The DRRC was established in September 2012 and meets on a monthly basis. It reviews applications and advises CIVHC whether release of the data is consistent with the statutory purpose of the CO APCD, contributes to efforts to improve health care for Colorado residents, and complies with the requirements of HIPAA and other federal privacy laws. The DRRC began reviewing the first written requests for access to CO APCD data in April 2013.

An entity interested in obtaining custom non-public data from the CO APCD is required to submit a written application that describes the purpose of the project, the methodology, the qualifications of the organization and the project staff, capacity to maintain data confidentiality and security, and experience with similar data sets or reports. CIVHC will provide only the minimum CO APCD data elements necessary to accomplish a particular research goal or project purpose, and only if the intended use of the data supports reaching the Triple Aim of better health, better care and lower costs for Colorado. The application must include justification for each data element that is needed for the project. More information is available to help understand the data release criteria, policies and procedures, and legal overview documents established by the DRRC and the CO APCD Administrator for consideration and evaluation of data release requests.

The data release processes established by the CO APCD Administrator contemplates the following types of data release:

  • A custom report or a de-identified data set as defined under HIPAA, especially 45 CFR 164.514(a). De-identification by CIVHC and the CO APCD will be achieved by removing all 18 identifiers enumerated by the HIPAA de-identification standards at 45 CFR § 164.514(b)(2). Protected data elements will not appear in a de-identified file; all dates are shown as year only; zip codes will be reduced to three digits; if a zip code has fewer than 20,000 residents it will show as “000.”
  • A Limited Data Set as defined under HIPAA, especially 45 CFR 164.514(e). Limited Data Sets may not include name, street address, or Social Security Number. Dates related to the individual may be included.

All reports generated based on CO APCD data are subject to review and prior approval by CIVHC and must adhere to minimum cell size and complimentary cell suppression policies established by CMS (also known as the “cell suppression rules”) to prevent identification of individuals by inference.

The table below details the 18 HIPAA-defined protected health information (PHI) data elements. The CO APCD collects only eight of these. De-identified data and the Limited Data Set files make use of only two of the 18 collected data elements: zip code and date fields. Neither the De-identified data nor a Limited Data Set will include a patient’s name, street address, Social Security Number or any other direct patient identifier.