HCPF and the federal government have the authority to monitor, audit and hold CIVHC fully accountable for compliance with all state and federal laws and rules associated with the CO APCD.
CIVHC is required to provide HCPF with an annual report on or before April 1st of each year that includes:
- Any policies established or revised pursuant to state and federal medical privacy laws, including HIPAA.
- The number of requests for data and reports from the CO APCD, whether the request was by a state agency or private entity, the purpose of the project, a list of the requests for which the DRRC advised the Administrator that the release was consistent with rule and HIPAA, and a list of the requests not recommended for release.
- For each request recommended, the Administrator must provide the HIPAA regulation pursuant to which the use or disclosure was recommended, and whether a data use agreement or limited data set data use agreement was executed for the use or disclosure.
- A description of any data breaches, actions taken to provide notifications, if applicable, and actions taken to prevent a recurrence.