Strong Privacy Protections Needed for Release of Medicare Claims Data

The federal government has been roundly criticized lately for failing to make progress on a host of important issues facing the nation (and that’s probably being too kind).  But this criticism arguably does not apply to the federal Department of Health and Human Services (HHS), which has been actively churning out proposed rules to implement two major pieces of legislation – the HITECH Act of 2009 (which includes financial incentives to spur adoption of electronic medical records and critical changes to federal health privacy rules) and the Affordable Care Act of 2010, otherwise known as “health reform”. CDT’s Health Privacy Project has recently submitted comments on two of these rulemakings:  proposed rules on the new Medicare “accountable care organizations” and proposed rules on changes to the HIPAA accounting of disclosure provisions.
On Monday, CDT filed comments on a rule proposed by the Centers for Medicare and Medicaid Services (CMS) in June that would allow the release of claims data on Medicare beneficiaries to private entities eligible to use this data to generate performance reports for Medicare providers and suppliers. Medicare claims data is sensitive, and the release of this information to private entities (albeit for important purposes related to health reform) raises significant privacy and security concerns.
We were pleased to see CMS propose strong measures to protect the privacy and security of this information. Of note, entities doing performance measurement will receive only encrypted claims data, which shields the beneficiaries’ identities but still allows the entities to measure quality of care for a particular beneficiary across multiple settings. Identifiable information may be shared only in circumstances where a provider or supplier is questioning the accuracy of a measurement report and wants to check it against the provider’s or supplier’s own files – but this identifiable information must be destroyed or returned to CMS after questions about the measurement report have been resolved. Entities providing measurement services must also sign a data use agreement with CMS that restricts their use of beneficiary claims data solely to measurement purposes and strictly prohibits entities from re-identifying the information.
In brief comments, CDT applauded CMS for proposing such strong privacy measures and strongly urged that they be included in the final rule. CDT also made a few suggestions for how to improve the rule. For example, an entity is not qualified to receive Medicare claims data if it has a history of poor enforcement of the federal HIPAA privacy rules; CDT recommended that entities with a history of poor enforcement of state health privacy laws also be disqualified from participation (given that HHS has only recently begun to more aggressively enforce HIPAA). CDT also suggested that entities participating in the measurement program be subject to clear rules regarding data retention, and that providers and suppliers receiving performance reports (and potentially beneficiary-identifiable information) be required to comply with HIPAA privacy and security rules (a small percentage of them might be outside of direct coverage by HIPAA).
HHS also recently released an advance notice of proposed rulemaking (ANPRM) proposing changes to the rules governing federally funded human subjects research (which includes research using data in electronic health records) and an ANPRM proposing standards for the metadata tags called for in the December 2010 report of the President’s Council of Advisors on Science and Technology. CDT plans to comment on both of these rulemakings.