How are States Balancing Privacy with Information Needs?

A dozen states and a handful of non-profits now allow non-state agencies to request multi-payer claims data. What does this mean for patient privacy?

Currently, Arkansas, Connecticut, Colorado, Maine, Maryland, Massachusetts, Minnesota, New Hampshire, Oregon, Rhode Island, Utah, and Virginia allow non-state agencies to request APCD data. Some regional health improvement collaboratives offer similar data access. Requests might come from researchers, provider organizations, health plans or others looking to better understand disease prevalence, trends in care delivery or opportunities to improve cost and quality.

Laws, regulations and data release policies determine what data can be released, to whom and when.  While HIPAA Privacy Rules provide some guidance, details are often decided state-by-state, organization-by-organization with input from stakeholders.

States with new APCDs often reference data release models put in place by the Centers for Medicare and Medicaid Services and long-standing policies at more mature APCDs. While no two data release models are identical to another, all data sets fall into one of these types:

1. De-identified or public use files

2. Limited or comparable data sets

3. Identifiable information.

As the amount of confidential information increases, so does the bar for access.

Products, processes, and prices vary depending on the data released.

More information on APCD Data Release can be found in Freedman HealthCare’s White Paper Releasing APCD Data: How States Balance Privacy and Utility