OLR Research Report

November 7, 2013





By: Robin K. Cohen, Principal Analyst

Katherine Dwyer, Legislative Analyst II

You want to know the relationship between the federal Health Insurance Portability and Accountability Act's (HIPAA) privacy provisions and the Department of Social Services (DSS) privacy law and policy. You also want to know how DSS' claims database will be integrated with the new All Payer Claims Database, which the legislature created and the state's Health Insurance Exchange (HIX) is charged with maintaining.


Both HIPAA and Connecticut's privacy statutes provide protection for DSS clients' personal information. HIPAA provides a minimum level of protection. Generally, DSS complies with HIPAA but where the state law protections exceed HIPAA's, it complies with the state law.

Additionally, DSS complies with federal confidentiality regulations that restrict the use and disclosure of Medicaid program applicants' and beneficiaries' personal information (42 CFR 431.300).

In 2012, the legislature required that an all payer claims database (APCD) be created to provide both consumers and health care providers with information about health care utilization in the state. The law (1) requires the HIX to create and maintain the database and (2) contemplates that the database will include fee-for-service health claims data under the Medicaid program, because it permits the HIX to take actions to obtain such information. DSS, through a contractor, maintains a claims database. It is still evaluating whether to share this information with the APCD.


DSS client personal information is protected by both HIPAA and Connecticut's privacy statutes. Generally, when state law provides greater privacy protections than HIPAA, state law takes precedence. For example, HIPAA regulations allow covered entities to use or disclose personal health information (PHI) without the individual's written authorization in certain circumstances (45 CFR 164.512). State law, however, places additional limitations on the types of, and circumstances in which, PHI may be disclosed without the individual's written authorization (CGS 17b-90). DSS complies with HIPAA and, in the instances where the state law privacy protections exceed HIPAA's, it complies with the state law.

Additionally, DSS complies with federal confidentiality regulations that restrict the use and disclosure of Medicaid program applicants' and beneficiaries' personal information (42 CFR 431.300).

HIPAA PHI Disclosures

The HIPAA regulations allow covered entities to use or disclose PHI without the individual's written authorization in some circumstances. They may disclose PHI:

1. to certain public health authorities for public health activities;

2. to certain government authorities, including social service or protective service agencies, when the information relates to abuse, neglect, or domestic violence;

3. to health oversight agencies for audits; licensure or disciplinary actions; civil, administrative, or criminal investigations, proceedings, or actions; or other oversight activities;

4. in the course of any judicial or administrative proceeding in response to a court or administrative tribunal order, subpoena, discovery request, or other lawful process;

5. for certain law enforcement purposes;

6. about decedents (a) to coroners, medical examiners, and funeral directors and (b) for cadaveric organ, eye, or tissue donation purposes;

7. for research purposes (with a board-approved waiver authorization);

8. to avert a serious threat to health or safety;

9. for specialized government functions, including some military and veterans activities; and

10. for workers' compensation cases (45 CFR 164.512).

Connecticut Privacy Protections

With exception, state law prohibits anyone from soliciting, disclosing, receiving, making use of, or authorizing, knowingly permitting, participating in or acquiescing in the use of any information about DSS assistance applicants or recipients or program participants that is directly or indirectly derived from the state's records, papers, files, or communications or acquired in the course of performing official duties (CGS 17b-90). The law exempts such use for DSS program administration purposes and in accordance with department regulations. The law requires DSS to disclose specific information in certain circumstances, including to:

1. authorized labor commissioner (DOL) representatives, information directly related to unemployment compensation;

2. authorized Department of Mental Health and Addiction Services representatives, information necessary for (a) Medicaid or basic needs supplement program implementation and administration or (b) the behavioral health managed care program;

3. authorized Department of Administrative Services (DAS) or Department of Emergency Services and Public Protection (DESPP) representatives, information DSS determines is necessary for DAS and DESPP to (a) collect social services recoveries, overpayments, or support or (b) investigate social services fraud or locate absent parents of public assistance recipients;

4. authorized Department of Children and Families (DCF) representatives, any necessary information about a child receiving DSS services or the child's immediate family, if DCF or DSS determines that the child's health, safety, or welfare is in imminent danger, in order to target DCF family service program services;

5. a town official or other contractor or authorized labor commissioner representative, information about a state-administered general assistance (SAGA) applicant or recipient necessary for DSS and DOL to carry out their responsibilities to SAGA applicants and recipients; and

6. authorized Department of Public Health (DPH) representatives, to carry out child day care service or youth camp program responsibilities.

State law also requires DSS to disclose specific information in IV-D child support cases—that is, any case in which (1) a child for whom support is sought received public assistance benefits or (2) an application for enforcement services is filed with either DSS' Bureau of Child Support Enforcement or the Judicial Department's Support Enforcement Services unit. DSS must disclose to:

1. a health insurance provider, information about a child or the child's custodial parent that is necessary to enroll the child in a health insurance plan when the noncustodial parent is under court order to provide health insurance coverage but is unable to provide such information, provided the disclosure is in the child's best interest;

2. authorized Department of Correction (DOC) representatives, noncustodial parent information necessary to provide inmates or parolees in such cases DOC education, training, skill building, work, or rehabilitation programming that will significantly increase their ability to fulfill their support obligations; and

3. authorized Judicial Branch representatives, noncustodial parent information needed to identify a child support obligor who owes overdue child support before the treasurer pays his or her claim to unclaimed or presumed abandoned property.

State law also requires DSS to disclose the current address of a benefit applicant or recipient upon the request of any federal, state, or local law enforcement officer if:

1. the officer provides DSS with the individual's name;

2. (a) the officer notifies DSS that the individual is fleeing to avoid prosecution, custody, or confinement for a felony or probation or parole violation or (b) the individual has information necessary for the officer to conduct his or her official duties related to a committed or attempted felony or misdemeanor; and

3. the individual's location or apprehension is within the officer's official duties (CGS 17b-16a).

Medicaid Confidentiality Regulations

Federal regulations also require state plans to provide specific safeguards that restrict use or disclosure of applicant and beneficiary information to plan administration purposes, including:

1. establishing eligibility;

2. determining the medical assistance amount;

3. providing beneficiary services; and

4. conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to plan administration.

Agencies that exchange information to verify applicant and beneficiary income and eligibility must have adequate safeguards to assure that (1) such information is available only to the extent necessary to assist in the recipient program's administrative needs and (2) the information is adequately stored and processed so that it is protected against unauthorized disclosure for other purposes. Starting January 1, 2014, these protections will extend to non-applicant information as well (42 CFR 431.300).


DSS Claims Data

DSS contracts with Community Health Network of Connecticut (CHNCT) to help the department administer its medical assistance programs. CHNCT maintains a complete, integrated set of claims data (claims database) for the department. The data is used to run various analyses, including identifying a client's provider (i.e., attribution). According to DSS officials, the department is evaluating the permissibility of releasing such data to the APCD. Such releases will have to be consistent with the above-referenced federal and state statutory requirements on record confidentiality.

APCD—Legislative History

In 2012, the legislature established the APCD and directed the then-Office of Health Reform and Innovation (OHRI) to:

1. oversee its creation and administration,

2. ensure any data collected under it was secure, and

3. conduct audits of data submitted to it.

According to the state APCD's advisory council, Connecticut was awarded a $6.6 million federal grant to create the database.

The purpose of the database is to collect, assess, and report health care information about the safety, quality, cost-effectiveness, access, and efficiency for all levels of care provided to state residents. The APCD will receive and store data from a “reporting entity” on medical insurance claims, dental insurance claims, pharmacy claims, and other insurance claims information from enrollment and eligibility files.

In 2013, the legislature transferred responsibility for the database from OHRI (which the act eliminated) to the HIX. It required the HIX board of directors to adopt written procedures to implement and administer the APCD.

APCD—Who Must Report—“Reporting Entities”

Under the 2012 act and unchanged in 2013, the following entities must submit to HIX certain claims data that the HIX board prescribes:

1. insurers licensed to conduct business in Connecticut,

2. health maintenance organizations (HMO),

3. insurers or HMOs providing coverage under the Medicare Part C (managed care) or D (pharmacy) programs,

4. third-party administrators,

5. pharmacy benefits managers,

6. hospital service corporations,

7. nonprofit medical service corporations,

8. fraternal benefit societies that transact health insurance business in Connecticut,

9. dental plan organizations,

10. preferred provider networks, and

11. any other person (a) administering health care claims and payments under a contract or agreement or (b) required by law to administer them.

An employee welfare benefit plan, as defined under the federal Employee Retirement Income Security Act, that is also a trust established under a collective bargaining agreement subject to federal labor law does not have to submit data (PA 12-166, as amended by PA 13-247, § 144).

APCD—What Must Be Reported

The law requires reporting entities to submit claims data in a form and manner the HIX prescribes. The HIX has drafted policies and procedures for data collection and submission. Additionally, it has drafted a Data Submission Guide, which spells out in greater detail what data files the entities will be required to submit.

For medical claims data, the guidance requires that the data files include all services provided to the member (health care plan subscriber or someone on the subscriber's plan), including medical, behavioral health, home care, and durable medical equipment. Entities must also provide information that will identify the type and setting of service. And they must submit only data for which action has been taken on the claim (e.g., payment), as well as reference numbers that link the original claim to any subsequent actions associated with it. Finally, the entities must identify encounters corresponding to a capitation payment.