Report Addresses State All-Payer Claims Database Reporting by Group Health Plans, Including Privacy Concerns | Practical Law

An advisory committee established under the No Surprises Act (part of the Consolidated Appropriations Act, 2021 (CAA-21)) has issued a report with recommendations to help the Department of Labor (DOL) develop a standardized reporting format for the voluntary reporting of claims information by self-funded group health plans to state all-payer claims databases (APCDs). The committee (referred to as the State All-Payer Claims Databases Advisory Committee (SAPCDAC)) is also authorized to advise the DOL on how states can collect claims data in a standard reporting format.

by Practical Law Employee Benefits & Executive Compensation
Published on 26 Oct 2021 | USA (National/Federal)
In October 2021, an advisory committee established under the No Surprises Act (part of the Consolidated Appropriations Act, 2021 (CAA-21)) issued a report with recommendations to help the Department of Labor (DOL) develop a standardized reporting format for voluntary reporting of claims information by self-funded group health plans to state all-payer claims databases (APCDs). The committee (referred to as the State All-Payer Claims Databases Advisory Committee (SAPCDAC)) is also authorized to advise the DOL on how states can collect claims data in a standard reporting format. The reporting may include medical, pharmacy, and dental claims (as well as certain eligibility information) collected from public payers and private payers—such as employer-sponsored health plans.

Voluntary Reporting for Self-Funded Health Plans

Citing a 2016 Supreme Court decision, the committee's report confirms that reporting of claims information by self-funded health plans to state APCDs is voluntary (Gobeille v. Liberty Mut. Ins. Co., 577 U.S. 312 (2016)). However, the report also includes several recommendations for encouraging voluntary data submission by self-funded health plans (see Voluntary Data Submission).
In Gobeille, the Supreme Court held that ERISA preempted a Vermont law (as applied to ERISA plans) that required self-funded health plans, health insurers, and other entities to report health care claims and services information to an APCD (see Practice Note, ERISA Litigation: Preemption of Select State Laws: Health Care Databases and Legal Update, Supreme Court Holds That ERISA Preempts State Health Care Reporting Law). The Court concluded that Vermont's health database law was inconsistent with ERISA's goal of providing a single uniform national scheme for administering ERISA plans.

Data Privacy and Security Recommendations

The committee's report acknowledges that health plans (as HIPAA covered entities (CEs)) have expressed privacy and security concerns over providing participants' claims data to APCDs (see Practice Note, HIPAA Privacy Rule: Entities Subject to Privacy Rule).
Regarding HIPAA compliance, the report indicates that CEs:
  • Must safeguard protected health information (PHI) that they provide to an APCD (for example, protecting PHI during transmission).
  • Are no longer responsible for protecting the PHI after a state APCD receives it.
The committee also observed that many state APCDs:
  • Have adopted data security and disclosure protocols.
  • Have voluntarily enacted rules under HIPAA's Privacy and Security Rules regarding data privacy, security, and release standards.
The committee also noted that many APCDs must comply with state requirements that mirror the HIPAA Privacy and Security Rules (although these rules may vary from state to state). As an offset to privacy concerns, the report suggests that data disclosures must provide for access to data for addressing policy problems, such as:
  • Health care costs and drivers of spending.
  • Market consolidation issues.
  • Disparities in care and quality of care.
The committee's report makes several recommendations regarding data privacy and security. First, the report indicates that existing state APCDs should maintain (and new ones should adopt) stringent privacy and security safeguards for health information that they receive, maintain, or disclose—including rigorous administrative, technical, and physical safeguards (see Practice Note, HIPAA Security Rule: Safeguards and Related Organizational and Document Requirements).
According to the report, issues to address in this regard include:
  • De-identification methods to create public use data sets using longitudinal identifiers.
  • Data use agreements (DUAs) and review procedures for applying to use the data.
  • Privacy and security standards for data release (for example, regarding both data in transit and data received and held by data users).
  • Authorized users and uses of the data.
  • Disposing of data once its stated use period is over (see generally Practice Note, Disposing of HIPAA PHI for Group Health Plans).
  • Attributing and acknowledging uses of data.
  • Penalties for violating applicable privacy and security standards.
In general, collected data should not permit individuals to be re-identified and permitted uses of information should focus on aggregated data findings. Moreover, the report instructs the DOL to consider implementing a uniform set of data release procedures and DUAs for state APCDs to protect the data and permit users to access it with appropriate privacy and security standards.
Under a second recommendation, APCDs would need to develop standards for timely releasing data to approved data requesters. These standards would include:
  • Information to be furnished in applications to access the data.
  • Receiving and reviewing applications.
  • Required changes to applications to allow use and transmission of data to approved users.
  • Transmitting data to approved users.
In a final recommendation on privacy and security, the report indicates that state APCDs should develop secure, privacy-protective, multi-state data aggregation and dissemination models to permit the wider use of data.

Voluntary Data Submission

The report includes several recommendations intended to encourage self-funded health plans to voluntarily contribute claims data information to APCDs, though they cannot be required to do so (under the Gobeille decision). According to the committee, the Gobeille ruling created a hole in APCD data that represents the health care experiences of participants covered by self-funded plans. However, the report also acknowledges certain disincentives for plans to participate in state APCDs, including:
  • Variation in state opt-in procedures.
  • Concerns that plan sponsors would be forced to pay for data submission efforts by their third-party administrators (TPAs).
The report also suggests that some TPAs may:
  • Have an economic or business interest in not submitting claims data to state APCDs.
  • Fail to carry out an employer's decision to submit data to state APCDs or create other obstacles—such as charging fees to submit the data.
Regarding voluntary data submission, the report encourages the DOL to emphasize the public policy reasons for self-funded health plans to submit data to state APCDs. These reasons include:
  • Improving the quality and affordability of health care services.
  • Furnishing individuals with information on the quality of care, care outcomes, and treatment costs (see generally Practice Note, Patient-Centered Outcomes Research (PCOR) Fees Under the ACA).
  • Reducing health inequities in certain socioeconomic and demographic groups (for example, people of color and rural residents).
  • Greater oversight for the health care sector.
  • Understanding the effect of proposed legislative and regulatory requirements.
In another recommendation, the report indicates that the DOL should create a simple process for self-funded health plans to submit data to APCDs (for example, through streamlined procedures and a standardized opt-in process, such as an online portal). To promote a uniform experience, the standardized opt-in procedure should be used in all states. Also, the DOL could create and manage a federal opt-in process for data submission (for example, using Form 5500) (see Practice Note, Form 5500 for Employee Benefit Plans: Overview).
In addition, the DOL could recommend model contract language under which health plans (rather than their TPAs) would authorize APCD data submission.

Standardized Data Layout Recommendations

The report also includes recommendations for creating standards for the electronic format and exchange of health data and related information by APCDs. The report asserts that greater standardization of data definitions and processes for submitting claims data to third parties will promote greater efficiency and reduce burden and cost.
The report identifies the APCD Common Data Layout (APCD-CDL) as the starting point for standardization. The report makes the following recommendations regarding the APCD-CDL:
  • The DOL should use the APCD-CDL as the standard reporting format for submitting self-funded health plan data to APCDs. The report states that using a uniform data layout for the voluntary submission of data by self-funded health plans and all other plan types will reduce the burden on service providers (such as health insurers or TPAs) used by employers with self-funded health plans.
  • Because the APCD-CDL does not include data elements that capture non-claims payments made to health care providers, which is important for understanding total health care spending, the DOL should work with states to capture non-claims payments and other important variables needed to support cost and utilization analyses. The APCD-CDL can be enhanced to attain this goal.
  • A detailed data dictionary should be created for the data included in the APCD-CDL.

Data Submission Recommendations

The report also provides recommendations on the process for submitting data to state APCDs. Under these recommendations:
  • The DOL should encourage states to use data submission procedures that mirror existing common state methods for APCD data collection.
  • The DOL, working with APCD stakeholders, should identify an ongoing process for states to evaluate:
    • current, alternative, and emerging standards for data submission; and
    • methods for quality assurance.
  • States should collect data on a uniform monthly timeline which, along with a standardized data layout, will provide a simpler process for those that submit data to state APCDs.

Additional Recommendations

The report concludes with several additional recommendations. For example, the report indicates that the DOL should:
  • Work with employers and unions that sponsor ERISA self-funded health plans to assess which changes to data submission processes could increase self-funded health plan participation in APCDs.
  • Establish a committee or round table focused on state APCDs to fully address issues that are beyond the scope of the committee's work.
Under another recommendation, the DOL should establish a date (the committee recommends within three years) and a metric (for example, a target of data submitted for 80% or more of insured individuals) by which the DOL will determine if voluntary data submission has succeeded in creating more complete APCD data. If the target is not met, this could trigger one or many future actions by the DOL to encourage voluntary data submission by self-funded plans.

Practical Impact

Health plans that have been focusing in recent months on complying with other aspects of the CAA-21 (most notably, its surprise medical billing requirements) will be relieved that this report confirms the voluntary nature of reporting by self-funded health plans to state APCDs (see Group Health Plans and Health Insurance Toolkit: Surprise Medical Billing Resources (CAA-21)). In places, the report implies that TPAs for self-funded plans may bear some responsibility for low participation by plans in APCD reporting—though limited bandwidth for additional compliance activities also may be a factor. And, as the report acknowledges, plans may have privacy-related concerns about submitting information to state APCDs (particularly in the wake of increased HIPAA privacy enforcement in recent years).