skip to main content


APCDs: One Solution to Obtaining Meaningful Performance Data

January 21, 2016

Authors: Joan W. Feldman, William J. Roberts

The American health care system is under immense pressure to control costs and improve quality.  As a result, there is a corresponding need for access to health care data and the development of new methods to obtain value from such data.  The amount of data created by health care providers, payers, benefit managers and others is increasing exponentially, with some estimating that the total amount of health care data in the United States to be increasing by 40% annually.[1]  For example, third-party health care payers collect valuable information through their receipt, processing and maintenance of health care claims data.[2]  This vast amount of data holds significant potential for public policy makers, payers, researchers, providers, consumers and others interested in the quality, efficacy, affordability and accessibility of the American health care system.  The challenge, however, is to use such data effectively and efficiently when the data is maintained in numerous databases which may not be interoperable and are subject to federal and state privacy laws.

One solution to these challenges has been the establishment of all-payer claims databases (APCDs) in many states which aim to implement structures and protocols to facilitate the aggregation, utilization and dissemination of health care data for purposes of improving health care planning, quality and consumer choice.  This article provides background information on APCDs, discusses challenges to their collection of data and addresses various legal and operational “lessons learned” when establishing an APCD based upon our role as legal counsel to the development of an APCD.

APCDs are state-sponsored or state-designated databases that collect and maintain health claims data (e.g. medical, dental and pharmacy claims) and other related data sets, such as provider or eligibility files. [3] The form APCDs take varies by state - some are housed in state agencies, some are managed by not-for-profit nongovernmental organizations and others are housed in quasi-governmental entities.  APCDs also vary in the amount and type of information they collect and the purposes for which the APCD and its staff may utilize or disclose the information.  

An APCD’s basic purpose is to serve as a platform for the collection, aggregation and analysis of health care data from disparate sources.  The establishment of an APCD generally allows for a consistent and uniform approach to data submission by payers and uses the force of state law to overcome legal impediments, namely HIPAA, which often frustrate efforts to collect and utilize health claims information.  For example, many APCDs make use of HIPAA’s “required by law” exception and mandate the submission of health care claims data by payers to the state APCD.  Once the data is submitted, the APCD enables data from different payers and different information systems to be aggregated in a uniform manner that overcomes the interoperability issues that often inhibit data analytics across various, distinct data sets.  In effect, the APCD model overcomes many of the most difficult hurdles faced by health care data analysts.

Once the data is collected and organized by the APCD, multiple opportunities exist for making use of the data.  For example, Connecticut law permits its APCD to utilize de-identified data to provide health care consumers with information concerning the cost and quality of health care services that allows such consumers to make more informed health care decisions.  Such utilization may include the production of consumer-facing reports or websites that address price transparency, access or other metrics of interest to consumers.  Connecticut law also permits its APCD to disclose de-identified data to state agencies, insurers, employers, health care providers, consumers, researchers and others for purposes of reviewing such data as it relates to health care utilization, costs or quality of health care services.  For example, a state agency may use the data when engaging in health care planning or consumers may utilize the data when comparison-shopping for particular health care services.  Researchers may make use of a master patient index to track individual patients through various payers and providers or may use the data when investigating lack of access to health care services by residents of rural communities.  Providers may also be interested in the data for “bragging rights” or comparison purposes.

APCDs collect health claims information from numerous sources and, in many states, such sources include both “fully-insured” and “self-insured” health plans.[4] As of 2012, 58.5% of individuals with employer-sponsored health insurance obtained that health insurance through a self-insured plan and the percentage of employees in a self-insured plan has been growing steadily since the late 1990s.[5]  This growth has been driven by large employers (i.e. 1,000 or more employees) that have opted for self-insured plans as a way to control costs and reduce administrative plan expenses.  Participation in self-insured plans varies by state from a high of 73.8% in Minnesota to a low of 30.5% in Hawaii.  [6]  Thus, given the prevalence of self-insured plans both nationally and particularly in certain states, self-insured plans are an important source of health care claims data for APCDs.

Despite the prevalence of self-insured plans in the employee benefit marketplace, APCD access to the health care claims data maintained by such plans has recently been brought into question by a 2nd Circuit decision out of Vermont, for which certiorari review by the United State Supreme Court has been requested.  Unless heard and overturned by the Supreme Court, Liberty Mutual Insurance Company v. Donegan [7] has the potential to be an impediment to the expansion and effectiveness of APCDs, at least in the 2nd Circuit.

In 2008, Vermont passed a law that required health plans and third-party administrators, among others, to provide certain claims data to a central database.  Similar to other APCDs, the database is a data repository for insurers, employers, providers, consumers, and state agencies to review health care utilization, expenditures, and provider performance.  In 2011, Liberty Mutual Insurance Company, a multi-state employer operating a self-insured health plan for its Vermont employees, objected to providing information as required by the Vermont statute, arguing that the statute was preempted by federal law, namely the Employee Retirement Income Security Act (ERISA).[8]

ERISA is a federal law that applies to private sector employee benefit plans, including plans sponsored by an employer.  ERISA provides that federal law supersedes any state laws that “relate to” employee benefit plans covered by ERISA.  When a state law is “superseded,” it is invalid even if ERISA has no provision governing the same issue.  This is often referred to as “preemption.” [9]  Courts have struggled with the meaning of the phrase “relate to” in order to come up with a workable way of identifying which state laws are preempted and which are not.  The Supreme Court has decided a number of preemption cases over the 40 years since the passage of ERISA, but despite all these decisions the difficulty of applying the preemption rule to new fact situations has not been eliminated.

Taking this preemption reasoning to the Vermont federal district court, Liberty Mutual argued that the Vermont APCD statute imposed a “reporting” requirement on its self-insured employer health plan, and that ERISA makes reporting the exclusive domain of the federal government.  Therefore, Liberty Mutual argued, since the Vermont statute “relates to” a self-insured employer health plan, it is preempted by ERISA.  The district court rejected Liberty Mutual’s assertion and Liberty Mutual appealed the decision to the 2nd Circuit Court of Appeals.  In early 2014, the 2nd Circuit decided in favor of preemption, thereby making the Vermont APCD statute null and void with respect to self-insured plans.  The Court agreed that Vermont was imposing “reporting” requirements on self-insured employer health plans, and that ERISA makes reporting the exclusive domain of the federal government.  Therefore, the Court held that since the Vermont APCD statute “relates to” a self-insured employer health plan, it is preempted by ERISA and cannot be used to require Liberty Mutual to disclose health claims data.  Vermont requested certiorari review in late 2014 and the parties are currently awaiting a decision from the Supreme Court.[10]

The Supreme Court’s failure to hear the case, or a decision to let the 2nd Circuit decision stand, may have a potentially chilling effect on the further development of APCDs.[11]  While APCDs will continue to be able to aggregate health claims data, excluding a large and growing segment of health claims from the databases, and thus from any resulting research or data analytics, may limit the usefulness of conclusions and the effectiveness of APCD data for planning, cost containment and quality of care purposes.  Exclusion of self-insured claims data may also frustrate other future attempts at data aggregation arising from the Affordable Care Act or other state or federal efforts to understand the complex and dynamic health care delivery and payment sector.[12]

Despite the concerns posed by Liberty Mutual Insurance Company v. Donegan, interest in the establishment of APCDs continues to grow in states across the country as state agencies and others recognize the value health claims data and data analytics offers to health care reform efforts including health system planning, care coordination, and price transparency.  While there exists considerable variability among existing and planned APCDs, many have engaged external data management firms to assist the APCD in the collection, de-identifying and management of data, including the establishment of data management environments and privacy and security programs. 

When developing an APCD and engaging a vendor to assist in the data management process, entities must be cognizant of, and must appropriately address, issues common to all APCDs.  Some of the issues most pertinent to APCDs include the following:

  • Data Collection: APCDs should work collaboratively with data submitters to ensure an orderly and effective data submission protocol.  A data submission guide should be developed to educate and assist data submitters in the preparation and transfer of health claims data, including with respect to the form, format and frequency of data transfers. Emphasis should be given to data standardization, the completeness of the claims data provided and periodic checks for identifying submission errors or failures.
  • Maintaining Privacy and Security: An APCD and all its stakeholders, including payers, state agencies, providers and community members, have an interest in maintaining the privacy and security of the data collected by the APCD.  When developing a privacy and security plan, an APCD should consider at least the following: (i) minimum security standards for the database, such as reference to HIPAA and the National Institute of Standards and Technology (NIST) standards for the protection of data at rest and in motion; (ii) policies regarding which individuals at the APCD may access identifiable or de-identifiable information; (iii) if a vendor is engaged, a process to ensure continuity of access and security during any transitional period;  (iv) robust security incident and breach response protocols; and (v) periodic audits of vendor’s security safeguards.  
  • Disclosure: While state statute or regulation generally sets the parameters for what information may be disclosed (i.e. full data sets or de-identified data) and to whom, APCDs must often develop and implement the procedures, safeguards and protocols necessary to balance access with privacy and security.  APCDs should consider: (i) how to receive requests for data, such as through the use of an application; (ii) who should review the application and determine whether disclosure is appropriate; (iii) whether to bind the recipient of the data to certain obligations, such as through a data use agreement; and (iv) whether the APCD desires any publication rights (e.g. acknowledgments) to any resulting research.  The disclosure process may also entail a review of the applicant’s privacy and security safeguards and its intended purpose of requesting the data (i.e. is the purpose consistent with applicable law?).  Further, an APCD should be cognizant of any other state or federal laws, such as trade secrets laws, which may affect the APCD’s disclosure of data.

APCDs hold great promise as a tool for the aggregation and use of health care claims data for the purposes of health care planning, quality, transparency and access.  If an APCD can successfully operate within existing legal structures, it can be a significant asset for health care reform activities.  We note that while the 2nd Circuit decision may result in an impediment for certain APCD activities, the case may also serve as an impetus for action on a federal level to create a consistent legal structure in which all APCDs may operate.  An APCD with protections in place to protect all stakeholders is likely to prove its worth and garner cooperation from all those involved.


[1] Corbin, Kenneth, Why Health Data Is a Big Data ChallengeCIO, June 6, 2014, available at (accessed May 26, 2015).

[2] Such data is collected by health insurance companies, pharmacy benefit managers, third-party administrators and public health care programs including Medicare, Medicaid and TRICARE. 

[3] The first state-based APCD was established in Maine in 2003.  By 2008, four additional states (Kansas, Maryland, Massachusetts, and New Hampshire) had established APCDs.  During the next several years, Colorado, Connecticut, Minnesota, Tennessee, Utah, and Vermont also established APCDs.  Currently, more than 30 states have, are implementing, or have expressed an interest in establishing APCDs.  APCD Council, The Basics of All-Payer Claims Databases: A Primer for States, Robert Wood Johnson Foundation, January 2014, available at  (accessed May 26, 2015).

[4] A fully insured health plan is one in which the employer pays a per-employee premium to an insurance company, and the insurance company assumes the risk of providing health coverage for the insured.  In contrast, with a self-insured plan, instead of purchasing health insurance from an insurance company and paying a per-employee premium, the employer acts as its own insurer.  Typically, a self-insured employer will engage a third party, such as a health insurance company, to administer the plan and perform services on behalf of the plan, including disclosing claims data to an APCD. 

[5] Fronstin, Paul, Self-Insured Health Plans: State Variation and Recent  Trends by Firm Size, Employee Benefits Research Institute Notes, Vol. 33, Number 11, November 2012 available at (accessed May 26, 2015)

[6] Id.

[7] 746 F.3d 497 (2nd Cir., Feb. 4, 2014).  Note that the case before the Supreme Court is now referred to as Gobeille v. Liberty Mutual Insurance Company.

[8]  Liberty Mutual objected after the Vermont APCD subpoenaed Blue Cross Blue Shield of Massachusetts (Liberty Mutual’s third party administrator) for Liberty Mutual’s claims information.

[9] Although there is an exception to preemption for state laws that regulate insurance in ERISA, a self-insured health plan is not considered an insurance relationship for purposes of that exception.  Thus, state laws that regulate insurance are not preempted when applied to insured plans, but are preempted when applied to self-insured plans.

[10] Most recently, on May 19, 2015, the Solicitor General urged the Supreme Court to not hear the case.  While agreeing with Vermont that Liberty Mutual Insurance Company v. Donegan was decided incorrectly, the Solicitor General believed that the Supreme Court’s “consideration of the question would likely be aided by further percolation in the courts of appeals.”  Brief for the United States as Amicus Curiae, Gobeille v. Liberty Mut. Ins. Co., 2015 WL 239540, *18 (May 19, 2015).  Thus, this issue may not be ripe for consideration until other courts of appeal rule. Further, if the case stands, it is possible that payers will be less likely to challenge APCDs of other states given the Solicitor General’s opinion that “the court of appeals erred in holding that the Vermont reporting requirements are preempted by ERISA.”  Id.

[11] Note that the 2nd Circuit decision is only binding in Connecticut, New York and Vermont.

[12] We note that some have argued that self-insured plans may seek to voluntarily disclose claims data to APCDs.  If a self-insured plan so desires, the plan and its counsel should carefully consider whether such voluntary disclosures are permissible under state and federal health care privacy laws, particularly HIPAA.

© Shipman & Goodwin LLP 2020. All Rights Reserved.