APCD - Frequently Asked Questions
- Q: How do I obtain access to the secure payer area?
- A: In accordance with R428-15-8. Carrier Registration, each carrier shall register with the Office of Health Care Statistics by completing the online payer registration form. Once the carrier has registered, information will be sent to the contacts specified during the registration process.
- Q: Is a HIPAA Business Associate Agreement (BAA) required between entities providing data to the All Payer Claims Database and the State?
- A: A BAA is not required because 45 CFR 164.512 (b)(1)(i) allows disclosure to the APCD without the authorization of the individual patient.
Normally a BAA is required for a covered entity to disclose protected health information outside normal treatment, payment and operations. However, there is a specific provision in HIPAA that allows disclosure of such data to a public health authority without the need for a BAA.
The HIPAA provision found at 45 CFR 164.512 (b)(1)(i) says that a covered entity may disclose protected health information "for public health activities" to "a public health authority that is authorized by law to collect or receive such information for the purpose of...public health investigations."
The Utah Department of Health is such a public health authority. The Utah Health Data Authority Act (Utah Code Sec 26-33a-104) authorizes the committee to "collect, analyze, and distribute health care data to facilitate ... quality and cost-effective health care." The specific authorization for the APCD is in our administrative rules at R428-15.
In short, these disclosures are authorized by law, fall within the public health exception, and do not require a BAA. The covered entity will not be violating HIPAA when it makes the required disclosures to the APCD.