The safety and privacy of personal information is a foundational principle of how the CO APCD is designed and operated.
Data Security: When carriers submit files to the CO APCD, the datasets are encrypted and sent over a secure connection (File Transfer Protocol or FTP) to the CO APCD Data Manager. The FTP will be limited to a pre-determined list of users and IP addresses (internet connections) reserved for the carriers submitting the data. When the CO APCD Data Manager receives a file, security protocols run automatically, without manual intervention and in a secure environment, to confirm that the files contain the expected information before they are stored in the secured data warehouse.
The CO APCD Data Manager specializes in providing secure solutions that comply with the Health Information Portability and Accountability Act of 1996 (including HITECH act), Federal Information Processing Standards, as well as conforming to standards published by the National Institute of Standards and Technology. The CO APCD Data Manager also engages third party review of its services and uses modern technologies, including advanced encryption, biometrics and intrusion prevention and detection, to secure its facilities providing solutions to healthcare organizations throughout the United States.
Elimination of personal identifiers: As data are loaded into the warehouse, all personal information is removed from the record and replaced with an identification number that is generated by a separate software tool. This tool allows the assignment of an identification number that is completely unique and is not based on reconfiguring personal information. Additionally, birth date will be replaced with age category and zip codes will be reduced to the first 3 digits (or 000 if from a zip code with fewer than 20,000 people).
Controls on how the database is used for analysis and research: Simply stated: your personal information will never appear in any public APCD data output or report. The CO APCD has established a data release process for specialized reports and data requests. All requests must detail the purpose of the project, the methodology, the qualifications of the research entity and, by executing a data use agreement, comply with the requirements of HIPAA.
The DRRC will review the request and advise CIVHC whether release of the data is consistent with the statutory purpose of the CO APCD, contributes to efforts to improve health care for Colorado residents, and complies with the requirements of HIPAA.