Tracey Campbell, Director of Colorado’s All-Payer Claims Database (APCD) at the Center for Improving Value in Health Care (CIVHC), writes that my recent column on states selling data from their All-Payer Claims Databases made three mistakes. First, the APCD does not contain medical records. It includes “only administrative claims information.” Second, the APCD is not exempt from the Health Insurance Portability and Accountability Act (HIPAA), the federal privacy law. In fact, it is fully compliant with all federal and state privacy requirements. Third, APCD’s data release requirements are “specifically structured to avoid any re-identification,” even in areas with small populations.
The column in question focused on protecting medical privacy. It listed data elements available in CIVHC’s “de-identified” data set and explained how individuals could be identified, potentially exposing them to unscrupulous pressure. It is an open question whether claimed APCD benefits, should they materialize, exceed the costs of medical privacy loss.
Calling CIVHC records “administrative claims” rather than medical records is a distinction without a difference. Elements of your medical record include your diagnosis, the treatment you got, who gave it, and where it was given. These items also happen to be in CIVHC’s “administrative records.”
The HIPAA fig leaf does not wear well when states authorize the involuntarily collection of health information. Though officials like to say that HIPAA sets limits on who can look at your health information, it contains exemptions for “health oversight agencies.” A state, may, for example, require physicians to report private health information on cancer cases to a state cancer registry housed at a state university. As long as the registry does not violate state law, it is HIPAA compliant even if it further discloses the private information as it sees fit. As current state law requires all payers to give patient medical data to CIVHC, it likely qualifies as an exempt health oversight agency.
Ms. Campbell says that privacy is preserved by reducing the zip codes attached to the administrative records “to the first two digits (or 000 if fewer than 20,000 people live in that zip code).” This is less than it seems. HIPAA safe harbor rules for de-identification for a public use dataset require removing all names of geographic subdivisions smaller than a state. According to CIVHC’s “de-identified” database application, its records come with an individual’s city name. HIPAA safe harbor rules also require removing all elements of dates except the year for birth date, admission dates, discharge dates, and date of death, along with all elements of dates indicative of age. CIVHC provides member age, month and year of admission date, month and year prescriptions are filled, month and year one became eligible for one’s health plan, month and year of birth date, month and year of effective plan date and month first enrolled in plan.
Benitez and Malin (JAMIA, 2009) looked at using Census data and state voter registration to records to re-identify HIPAA compliant health records. For Colorado, the re-identification risk from combining HIPAA safe harbor compliant records with Colorado voter registration records and Census demographic data was 0.03 percent. Adding dates and town or city raised the risk to 40 percent.
CIVHC reminds taxpayers that it operates without public funding. According to its June 2011 grant request it plans to support itself by exchanging our medical data for grants and contracts from state agencies. It plans to charge non-state agencies for data extracts, noting that the current market cost for this data from commercially available data sets is at least $50,000. In 2014, it plans to lobby the legislature for a new “assessment schedule” on hospitals, commercial insurers, health plan administrators, pharmacies, dialysis centers, and outpatient surgical centers.
Just as “administrative data” is another term for a medical record, being “fully compliant” with HIPAA includes taking advantage of HIPAA oversight exemptions, and being “specifically structured to avoid re-identification” means raising the risk of having one’s medical record made public to 40 percent, passing an “assessment schedule” means passing a new tax to support yet another special interest group.
Without CIVHC and the APCD, Colorado residents could keep their medical records private and their money in their pockets. State legislators often say they want to help. They can prove it by repealing the APCD legislation.