When requestors begin the process of accessing non-public data from the Colorado All Payer Claims Database (CO APCD), CIVHC’s Health Data Solutions Consultants work closely with them to determine what data would meet their needs and what path the request will follow. Once the project goals are established, and they meet the legislative criteria to advance the Triple Aim (better health, better care, lower cost) for Coloradans, the first official step in the process is to fill out an application.
The application establishes the project purpose and benefit to Colorado, the data needed, how the data will be used, and what steps the requestor and/or their organization will take to ensure that the data is secure. If the request requires protected health information (PHI), the application must be reviewed by the Data Release Review Committee (DRRC). Once the application is approved internally by the CIVHC compliance team, and the DRRC (when necessary), the requestor signs the Data Use Agreement (DUA). The DUA covers much of the same ground as the application, but it serves as a formal contract rather than an application.
Data Request Application Sections
1.Project Purpose and Benefit to Colorado
In the first section of the application, requestors outlines the project for which CO APCD data is necessary. They are asked to describe goals of their project and their research questions or the problems they are trying to solve. Crucially, they also must detail how their project will benefit Colorado or Colorado residents – a requirement specifically laid out in the CO APCD Rule. The description must also indicate which element(s) of the Triple Aim it addresses.
2. Data Needed
Based on project goals, the CIVHC team works with requestors to determine what CO APCD data they need, how much, and in what format. One of the initial steps is to determine whether a data set or a report would be most beneficial. A data set is more fitting for individuals and organizations with analytic backgrounds who can perform their own analyses. A report provides analytics already performed by CIVHC analysts to help requestors answer questions more readily.
If no PHI is required, the requestor receives a De-identified Report or De-Identified Data Set. When PHI is required, there are two levels of data available depending on the need:
- Limited Data Set: Includes patient-specific dates (e.g., dates of service or DOB) or 5-digit zip codes.
- Identifiable Data Set: Includes direct patient identifiers such as name, address, or city. This requires Institutional Review Board (IRB) approval.
Limited and Fully Identifiable Data Sets have strict parameters around what can be included due to federal and local laws and regulations such as HIPAA and antitrust. Under these rules, requestors can only receive the minimum necessary amount of data to accomplish their project. They also have to explain why they require each element, and, when possible, aggregate the data to protect patient privacy.
3. How the Data Will Be Used & Protected
Requestors must provide their project schedule and explain their plans for the data, such as whether they intend to link it with other sources or engage additional parties to work on the analysis. In the event of a proposed linkage to another source, the requestor has to outline how the linkage will occur and how they will keep the CO APCD data safe. Similarly, with third-party access to the data, the names and organizations of the individuals must be disclosed as well as the reason they are being brought onboard. The requestor is also responsible for informing CIVHC, and modifying the DUA should new people join the project or people depart.
All requestors must adhere to the minimum cell size suppression policy of values higher than 11 as established by the Centers for Medicare & Medicaid Services (CMS) in any publication of CO APCD data. In the application, requestors are asked to anticipate the types of reports/publications they hope to generate and the audience they believe will benefit from the information. Prior to any publication of analysis of CO APCD data, CIVHC must review it for compliance with the CMS cell suppression policy and consistency with the application submitted for the data. The application also requires the requestor to attest that they will not attempt to “reverse engineer” CO APCD data in any fashion in order to access suppressed information.
4. Data Management
In the Data Management Plan section of the application, requestors explain, in detail, their personal and their organization’s experience with health care data, their Data Privacy and Security Policies and Procedures, and whether they have experienced a data security incident. Additionally, they are asked to outline how they will possess and store the CO APCD files, both physically and on a server, and what safeguards are in place. The Data Management section also describes the process of destruction of the CO APCD files at the end of the project and how the requestor is to certify to CIVHC that the data has been destroyed.
Data Use Agreement
Once the application is finalized and all parties agree on the data elements, the requestor signs the Data Use Agreement. This is a contract that reiterates that the requestor will use the CO APCD data in the ways stated in the application only – any deviation from what was already decided upon will be in violation of the agreement.