Part 350 - All Payer Database (APD)

Effective Date: 
Wednesday, September 13, 2017
Statutory Authority: 
Public Health Law, Sections 206(18-a)(d) and 2816

Section 350.1 - Definitions

Section 350.1 Definitions. For the purposes of this Part, these terms shall have the following meanings:

(a) “All Payer Database” or “APD” means the health care database maintained by the Department or its contractor that contains APD data.

(b) “APD data” means covered person data, claims data, and any other such data contained within standard transactions for Electronic Data Interchange (EDI) of health care data adopted by the X12 standards organization, the National Council for Prescription Drug Programs (NCPDP) standards organization, any other organizations designated by the federal Department and Human Services to develop and maintain standard transactions for EDI of health care data, as provided in section 1320d-2 of Title 42 of the United States Code (USC) or any other federal law, or any other format designated by the Department for the collection of such data.

(c) “claims data” means:

(1) Benefits and coverage data – data specifying the benefits and coverage available to a covered person, such as cost-sharing provisions and coverage limitations and exceptions;                                   

(2) Health care provider network data – data related to the health care provider and service networks associated with third-party health care payer plans and products, such as the services offered, panel size, licensing/certification, National Provider Identifier(s), demographics, locations, accessibility, office hours, languages spoken, and contact information;

(3) Post-adjudicated claims data – data related to health care claims, including payment data, that has been adjudicated by a third-party health care payer, such as the data included in the X12 Post Adjudicated Claims Data Reporting and the NCPDP Post Adjudication Standard transactions; and

(4) Other health care payment data, such as value based payment information, as determined by the Department.

(d) “covered person” means a person covered under a third-party health care payer contract, agreement, or arrangement that is licensed to operate in New York State by the New York State Department of Financial Services.

(e) “covered person data” means data related to covered persons, such as demographics, member identifiers, coverage periods, policy numbers, plan identifiers, premium amounts, and selected primary care providers.

(f) “data user” means any individual or organization that the Department has granted access to APD data, with or without identifying data elements.

(g) “health care provider” means a provider of “medical and other health services” as defined in 42 USC section 1395x(s), a “provider of services” as defined in 42 USC section 1395x(u), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. This includes a clinical laboratory, a pharmacy, an entity that is an integrated organization of health care providers, and an accountable care organization described in 42 USC section 1395jjj. The term also includes atypical providers that furnish nontraditional services that are indirectly health care-related, such as personal care, taxi, home and vehicle modifications, habilitation, and respite services.

(h) “identifying data elements” means those APD data elements that, if disclosed without restrictions on use or re-disclosure, would constitute an unwarranted invasion of personal privacy consistent with federal and state standards for de-identification of protected health information.

(i) “New York State agency” means any New York State department, board, bureau, division, commission, committee, public authority, public benefit corporation, council, office, or other governmental entity performing a governmental or proprietary function for the State of New York.

(j) “submission specifications” means specifications determined by the Department for submitting covered person data and claims data to the APD, such as the data fields, circumstances, format, time, and method of reporting.

(k) “third-party health care payer” means an insurer, organization, or corporation licensed or certified pursuant to article 42, 43, or 47 of the Insurance Law or article 44 of the Public Health Law; or an entity, such as a pharmacy benefits manager, fiscal administrator, or administrative services provider that participates in the administration of a third-party health care payer system, including any health plan under 42 USC section 1320d. Unless permitted by federal law, the term does not include self-insured health plans regulated by the Employee Retirement Income Security Act of 1974, 29 USC Chapter 18, although such plans that operate in New York State may choose to participate as a third-party health care payer.

Effective Date: 
Wednesday, September 13, 2017
Statutory Authority: 
Public Health Law, Sections 206(18-a)(d) and 2816

Section 350.2 - APD Data Submission

Section 350.2 APD data submission.

(a) Third-party health care payers shall submit complete, accurate, and timely APD data to the Department, pursuant to the submission specifications.

(b) The Department shall consult with the Department of Financial Services and third-party health care payers before issuing any submission specifications.

(c) The Department shall set a compliance date of at least 120 days from the date that new or revised submission specifications are issued.

(d) Third-party health care payers shall submit APD data in an electronic, computer-readable format through a secure electronic network of the Department or its designated administrator on a monthly basis, or more frequently, as specified in the submission specifications.

(e) Third-party health care payers shall submit at least 95 percent of APD data within 60 days from the end of the month that the adjudicated claims were paid.

(f) Third-party health care payers shall submit 100 percent of APD data within 180 days from the end of the month of the adjudicated claims being submitted for payment.

(g) The Department may audit APD data submitted by third-party health care payers to evaluate the quality, timeliness, and completeness of the data. The Department may issue an audit report or statement of deficiencies listing any inadequacies or inconsistencies in the APD data submitted and requiring corrective actions. Any third-party health care payer that receives an audit report or statement of deficiencies shall submit a plan of correction to the Department within 30 days from the date of receipt of the audit report or statement of deficiencies. Third-party heath care payers shall be in full compliance with APD data submission specifications and the plan of correction within 90 days from the date of submission of the plan of correction.

(h) A third-party health care payer may submit a written request to the Department for an extension, variance, or waiver of APD data submission specifications requirements. The written request shall include: the specific requirement to be extended, varied, or waived; an explanation of the reason or cause; the methodology proposed to eliminate the need for future extension, variance, or waiver; and the time frame required to come into compliance. The Department shall respond to such requests as soon as practicable.

(i) Any third-party health care payer that violates this section shall be liable pursuant to the provisions of the Public Health Law, including, but not limited to, sections 12 and 12-d of the Public Health Law, and applicable sections of New York State Insurance Law and regulations.

Effective Date: 
Monday, January 1, 2018
Statutory Authority: 
Public Health Law, Sections 206(18-a)(d) and 2816

Section 350.3 - APD Data Release

Section 350.3 APD data release.

(a) The Department shall implement quality control and validation processes to provide reasonable assurance that APD data released to the public is complete, accurate, and valid. The Department shall adhere to applicable State and federal laws, regulations, and policies on release of Medicare and Medicaid data.

(b) Upon reasonable assurance that subdivision (a) has been satisfied, the Department may release data in the following manner:

(1) De-identified and/or aggregated APD data of a public use nature may be posted to a consumer-facing website.

(2) APD data, including data with identifying data elements, may be released to a New York State agency or the federal government in a manner that appropriately safeguards the privacy, confidentiality, and security of the data.

(3) APD data, including data with identifying data elements, may be released to other data users that have met the Department’s requirements for maintaining security, privacy, and confidentiality and have approved data use agreements with the Department.

(c) Data users shall adhere to security, confidentiality, and privacy guidelines established by the Department to prevent breaches or unauthorized disclosures of personal information resulting from any data analysis or re-disclosure. Data users bear full responsibility for breaches or unauthorized disclosures of personal information resulting from use of APD data.

(d)(1) Where the Department grants data users access to APD data that does not include identifying data elements, such access shall be subject to terms and conditions established by the Department.

(2) Data users who wish to request APD data that includes identifying data elements shall submit an application for a proposed project in a form established by the Department, which shall include an explicit plan for preventing breaches or unauthorized disclosures of identifying data elements of any individual who is a subject of the information. The Department’s review of the proposed project shall include, but not be limited to: (i) use of the specific identifying data elements; (ii) adherence to the Department’s guidance on the appropriate and controlled release of data; and (iii) assurance on whether the release of identifying data elements reflects overall goals of confidentiality, privacy, security, and benefits to public and population health.

(e) Any data user that violates this section or any data use agreement executed under this section shall be liable pursuant to the provisions of the Public Health Law, including, but not limited to, sections 12 and 12‑d of the Public Health Law.

(f) The Department may charge reasonable fees for access to APD data, which shall be based upon estimated costs incurred and recurring for data processing, operation of the platform/data center, and software. The Department shall establish a policy describing any APD data that shall be available at no charge, the fees for access to APD data subject to charge, the process for fee payment, and under what circumstances fees may be reduced or waived.

Effective Date: 
Wednesday, September 13, 2017
Statutory Authority: 
Public Health Law, Sections 206(18-a)(d) and 2816

Section 350.4 - APD Advisory Group

Section 350.4 APD advisory group.

(a) The Department may establish an advisory group to provide recommendations on any or all of the following areas: submission specifications, patient privacy and confidentiality, data release, data aggregation, and security.

(b) The Department may accept, reject, or amend recommendations, in whole or in part, from the advisory group.

Effective Date: 
Wednesday, September 13, 2017
Statutory Authority: 
Public Health Law, Sections 206(18-a)(d) and 2816

Section 350.5 - APD Guidance

Section 350.5 APD guidance.

The Department shall make guidance available on its website that includes:

(a) APD submissions specifications, including the data standards used and the method for reporting to the Department.  Submission specifications shall be developed with a goal of minimizing burden on health care providers and third-party health care payers, including utilization of nationally standardized file formats where available and feasible.

(b) APD data access and release policy, including security and usage requirements to become a data user; requirements for maintaining privacy, confidentiality, and security; and data release fee information. Data access and release requirements shall include restrictions on the release of any information that could be used, alone or in combination with other reasonably available information, to identify an individual who is a subject of the information, as well as procedures for request of identifying data elements, including the project application process established pursuant to subdivision (d) of section 350.3 of this Part.

(c) Program operations policy, including program purpose, scope and objectives, and general governance.

Effective Date: 
Wednesday, September 13, 2017
Statutory Authority: 
Public Health Law, Sections 206(18-a)(d) and 2816