All-Payer Claims Databases: The Balance between Big Healthcare Data Utility and Individual Health Privacy

Abstract

As policymakers pursue the Triple Aim of reducing costs, improving quality, and expanding access, the development of an All-Payer Claims Database (APCD) can provide invaluable information about the drivers of cost, the value of health care interventions, and the efficacy of policy initiatives. All-Payer Claims Databases form the foundation for the development of price and quality transparency tools, and offer a means of providing critical information in a timely manner for patients, policymakers, and health services researchers. The data collected by APCDs, however, also contains information that individuals, providers, and insurers would like to remain confidential. Given the sensitivity of individual health information contained in claims data, any database collecting, storing, and disseminating such information must ensure adequate privacy and security for all patient information. Furthermore, a web of federal and state privacy laws that govern the use, storage, and disclosure of information from an APCD must be untangled to determine the privacy requirements that each APCD must attain. This report examines the balance policymakers in California must strike between providing the necessary access to healthcare price and utilization data to improve healthcare decision-making and protecting confidential health information. We recommend that California establish an All Payer Claims Database designed to collect all health care claims data within the state to promote transparency, informed decision making, and improve health and healthcare for all Californians. We recommend that the legislature do so in a manner that provides robust protection for personal health information while enabling policymaker, researchers, and public health authorities reasonable access to the data collected by the APCD to promote improvements in health and health care throughout the state. We recommend an independent oversight body with a broad membership appointed by a range of individuals and organizations to ensure diversity and expertise within its membership. At a minimum, the legislature should subject the APCD to the requirements of HIPAA and CMIA, as though it were a covered entity. These requirements provide a solid baseline for privacy protections, while granting the oversight body or the Department of Health and Human Services the option to increase the stringency of the requirements as needed.