Ask most Utahns, and they will likely tell you that their most sensitive medical information is protected by federal (HIPAA) and state privacy laws from redisclosure to third parties unless their prior consent is received. That may be true if they don’t have medical, dental or prescription drug insurance. However, if they do have insurance, the state of Utah collects their most sensitive personally identifiable information (PII), plus their medical, dental and pharmacy information, including diagnostic codes, without their consent.
The state then stores this information in the All Payers Claims Database (APCD). Once there, all that is required for the release of this information for research purposes is for an unelected state employee to determine that “the value of the research is greater than or equal to the infringement upon personal privacy.”
But it doesn’t stop there. The state provides a digital copy of the APCD to the University of Utah where it is maintained in the Utah Population Database, which has 620 million APCD records plus another 204 million records obtained from the Centers for Medicare and Medicaid Services. In addition, the One Utah Health Collaborative, which, according to legislative auditors, is a 501(c)(3) founded by the governor, has been given access to APCD data. This is done without receiving the consent of those whose records are being spread far and wide.
Entities can then link an individual’s insurance claims together by using their name, date of birth and social security number. Therefore, the state and others with access to the APCD are able to use diagnostic codes to compile a complete health profile of each and every Utahn who has health, dental and prescription drug insurance. They know if an individual is vaccinated, has dentures, takes antidepressants, uses birth control, has been diagnosed with autism, is cognitively impaired, receives treatment for impotence or infertility, has cancer, is receiving counseling, and everything else that has been submitted for payment by an individual’s insurance carrier.
Entities that maintain these databases are subject to unrelenting pressure from researchers and a wide range of governmental and private entities who want access to these extremely valuable records. However, when Dr. Zimmerman (one of the authors of this article) asked to see who her records had been shared with, she was informed that those managing the APCD didn’t know.
Recently, legislative auditors looked at the APCD and its use. However, in keeping with Governor Cox’s Executive Order 2023-01 that calls for increased data sharing, rather than evaluating how well Utahns’ PII and highly sensitive medical records are protected, the audit called for greater data sharing while bemoaning the fact that it is “easier for external requestors (such as university researchers) to access APCD data than internal DHHS staff.”
The auditors then recommended that the Legislature consider policy options that allow for still more data sharing within DHHS and that the Legislature consider balancing the need for more robust behavioral health metrics with data privacy principles. The audit also recommended that the Legislature look at increasing revenue from data user fees.
Given the highly sensitive nature of this PII and medical information, we would suggest that, rather than making it easier to access APCD data, the following three things be done:
First, the state auditor should conduct a comprehensive audit to determine if the state has the legal authority to collect Utahns’ data for the APCD without their consent, the legal authority that permits the sharing and selling of APCD data, who the data has been shared with, how shared data is protected by the recipients, if the shared data has been re-disclosed to others, and if all transfers and redisclosures of APCD data have been done legally.
Second, all health insurance providers should be required to notify Utahns in a conspicuous place on their websites and on all insurance claims forms that their PII and medical claims information is being provided to the APCD and that it may be shared with other entities.
Third, the transfer of any APCD data by DHHS, either in limited data sets or in total, to researchers or other entities, should be prohibited unless the written, informed consent of each person whose PII and sensitive medical information is being transferred is obtained.