Yes, CO APCD data releases are subject to both HIPAA restrictions and state legal and regulatory restrictions to protect privacy:
- In keeping with the “minimum necessary” standard established under HIPAA, applicants must demonstrate need and provide justification for each data element requested. The DRRC will recommend and CIVHC will release only those data elements which are specifically necessary to accomplish the applicant’s intended use.
- Protected Health Information (PHI) may only be released in limited circumstances for public health, health care operations and pre-approved research purposes, and can never be shared publicly as a result of a research project or program.
- For research-related requests, applicants may be required to show written approval from an Institutional Review Board or a Privacy Board as part of the Application.
- As part of the Data Use Agreement, all Requestors must provide written assurances that:
- Data will be used only for the purpose stated in the Application.
- No attempt will be made to use any data released to ascertain the identity of specific insured individuals or patients, or to report data at a level of detail that could permit a reader to ascertain the identify of specific insured individuals or patients, nor will downstream linkages to outside data sources occur without specific authorization from the CO APCD Administrator.
- Restricted data elements such as PHI will not be released except as specifically approved in the original Application and Data Use Agreement.
- The Requestor will obtain these assurances in writing from any recipient of data or agent that processes data on behalf of the Requestor.
- The data will not be re-released in any format to anyone except personnel identified and approved in the original Application and Data Use Agreement.