Blog

How Data Are Kept Secure in the All-Payer Claims Database

August 27, 2019

data

Author

Kenley Money, MA, MFA
Director, Information Systems Architecture
501-526-2244
kenley.money@achi.net

 

With oversight from the Arkansas Insurance Department, ACHI maintains the Arkansas All-Payer Claims Database (APCD), a large-scale database containing health insurance claims data submitted by public and private payers and other health information. In this blog post we will discuss how we ensure the security of the data in the APCD.

When files are sent to ACHI, the data are encrypted, or scrambled into unreadable formats. This is done using a secret, protected code that can only be read by people who have the code key. Each submitter is assigned a unique code key. To anyone else, the files appear as gibberish, like this:

…‹·ÿö¦ô¤g–M?ƒèZ¤9‚`•ký^GÊU_xOÚž§Ü L øw‹‰Ëy*¶…z¹x*±+?;­n B‚Ó“8¸’¼ìk3ãiï½n~Êa…ÿ¼‑y½ª„:!u`سë)­œlâÛѪ÷±¢@d¶3XËíÚ

 

Encrypted data files are sent via a secure internet connection to ACHI. The internet connection can be accessed only by authorized users from the entities submitting information to the APCD. The submitters are identified by their unique IP (internet protocol) addresses prior to transmission, and transmission is only allowed from predetermined sources.

When ACHI receives a data file, security checks automatically run in a secure environment without manual intervention. Other data delivered on hard media are transferred by authorized personnel only to secure data storage for encryption. All servers are encrypted, protecting data within the database. An encrypted data file is not translated until it is at rest in the secure database. Then it is encrypted again; at this point only ACHI has the code key that can decrypt the file.

We store the data in a high-security location with no public access. The data are also protected under state law: They are exempt from the Freedom of Information Act and are not subject to subpoena except under the authority of the Arkansas Insurance Department.