Protecting health information is the highest priority for the Colorado All Payer Claims Database (CO APCD). Colorado statute CRS 25.5-1-204 requires the CO APCD to “[p]rotect patient privacy in compliance with state and federal medical privacy laws while preserving the ability to analyze data and share with providers and payers to ensure accuracy prior to the public release of information[.]” This ensures that all aspects of CO APCD data collection, processing, storage, analysis and release of data complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) , and all other federal privacy and security requirements.
What is PHI (Protected Health Information)?: PHI is individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes:
- identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or
- the payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse.
PHI is the definition used by HIPPA to determine the type of patient information that falls under the purview of the law.
What is the Health Insurance Portability and Accountability Act (HIPAA)?: HIPAA is a federal law that required the creation of national standards to protect patient health information from being disclosed without the patient’s consent or knowledge. Two main components of HIPAA are known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule standards address the use and disclosure of individuals’ PHI by “covered entities.” Covered entities include:
- Health care providers
- Health plans
- Health care clearinghouses
- Business associates
CIVHC has an important role in protecting the PHI in the CO APCD and is considered a covered entity or business associate in three different ways:
- CIVHC falls under the plain language definition of a HIPAA covered entity as a health care data clearinghouse because we process non-standard data and transactions received from payers into data elements.
- As the state Medicaid agency, the Department of Health Care Policy and Financing (HCPF) is also a covered entity and has a business associate agreement in place with CIVHC. This allows CIVHC to receive and process mandated data submissions on behalf of another covered entity, Medicaid.
- HB 10-1330, the enabling statute for the CO APCD requires CIVHC to act as a covered entity even if the first two of these situations did not apply. This means that, even if there was no other requirement to abide by HIPAA privacy standards, CIVHC, as the CO APCD administrator, and the CO APCD itself are required to adhere to all federal medical privacy laws.
The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. The Privacy Rule aims to ensure that individuals’ health information is adequately protected while “allowing the flow of health information needed to provide and promote high-quality health care and protect the public’s health and well-being.”
The Security Rule protects a subset of information covered by the Privacy Rule, defined as individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. The Security Rule does not apply to PHI transmitted orally or in writing. All covered entities must do the following:
- ensure the confidentiality, integrity, and availability of all electronic protected health information,
- detect and safeguard against anticipated threats to the security of the information,
- protect against anticipated, impermissible uses or disclosures, and
- certify compliance by their workforce.
How does CIVHC safeguard PHI in the CO APCD?
CIVHC and its data warehouse manager partner Human Services Resource Institute (HSRI) take a number of important steps to ensure PHI is protected.
De-identification: Protected data elements such as name, street address, and Social Security Number are removed as part of initial processing and replaced with a unique member identification number. Depending on the type of data requested, birth date is replaced with age or age range, and zip code data is aggregated to the first three digits. Data suppression rules are in place to prevent the release of any information that may make it possible to identify any individual represented in the CO APCD database. An example of how data is de-identified is available below.
Controls on how the database is used for analysis and research: The enabling CO APCD legislation (10 CCR 2505-5-1.200.5) requires the CO APCD Administrator (CIVHC) to establish the Data Release Review Committee (DRRC) to advise the administrator regarding requests for data release. The DRRC was established in September 2012 and meets on a monthly basis. It reviews applications and advises CIVHC whether release of the data is consistent with the statutory purpose of the CO APCD, contributes to efforts to improve health care for Colorado residents, and complies with the requirements of HIPAA and other federal privacy laws. The DRRC began reviewing the first written requests for access to CO APCD data in April 2013.
An entity interested in obtaining non-public data from the CO APCD is required to submit a written application that describes the purpose of the project, methodology, qualifications of the organization and the project staff, capacity to maintain data confidentiality and security, and experience with similar data sets or reports. CIVHC will only provide the minimum CO APCD data elements necessary to accomplish a particular research goal or project purpose, and only if the intended use of the data supports reaching the Triple Aim of better health, better care and lower costs for Colorado. The application must include justification for each data element that is needed for the project. More information is available to help understand the data release criteria, policies and procedures, and legal overview documents established by the DRRC and CIVHC for consideration and evaluation of data release requests.
The data release processes applies to the following types of data release:
- A custom report or a de-identified data set as defined under HIPAA, especially 45 CFR 164.514(a). De-identification is achieved by removing all 18 identifiers enumerated by the HIPAA de-identification standards at 45 CFR § 164.514(b)(2). Protected data elements are not included in a de-identified file, all dates are shown as year only, zip codes are reduced to three digits, and if a zip code has fewer than 20,000 residents it will show as “000.”
- A Limited Data Set as defined under HIPAA, especially 45 CFR 164.514(e). Limited Data Sets may not include name, street address, or Social Security Number. Dates related to the individual may be included.
All reports generated based on CO APCD data are subject to review and prior approval by CIVHC and must adhere to minimum cell size and complimentary cell suppression policies established by CMS (also known as the “cell suppression rules”) to prevent identification of individuals by inference.
The table below details the 18 HIPAA-defined protected health information (PHI) data elements. The CO APCD collects only eight of these. De-identified data and the Limited Data Set files make use of only two of the 18 collected data elements: zip code and date fields. Neither the De-identified data nor a Limited Data Set will include a patient’s name, street address, Social Security Number or any other direct patient identifier.
For more information, visit our CO APCD Privacy, Security, and Data Release Fact Guide or contact us at ColoradoAPCD@civhc.org.
 “HIPAA Privacy Rule and Its Impacts on Research.” National Institutes of Health, U.S. Department of Health and Human Services, https://privacyruleandresearch.nih.gov/pr_07.asp. “HIPAA Privacy Rule and Its Impacts on Research.” National Institutes of Health, U.S. Department of Health and Human Services, https://privacyruleandresearch.nih.gov/pr_07.asp. “Health Insurance Portability and Accountability Act of 1996 (HIPAA).” Centers for Disease Control and Prevention, Centers for Disease Control and Prevention, 14 Sept. 2018, https://www.cdc.gov/phlp/publications/topic/hipaa.html.
 Reporting by the first three digits of a zip code is permitted in de-identified data if the geographic unit formed by combining all zip codes with the same initial three digits contains more than 20,000 people. This analysis will be performed prior to releasing any CO APCD de-identified data.
 De-identified data may contain age ranges, for example, 40-45 years of age, or may include year of birth or age (in years) on date of service.
 Member certificate/license numbers are not collected. Physician license numbers (National Provider Identifier) are collected.