Government Should Use Distributed Networks for Health Data Security
CDT Policy Counsel Harley Geiger has a guest post featured on ID Experts' blog discussing ways to reduce the number of unnecessary copies of personal health information in government databases. The post highlights comments CDT issued in response to a proposed regulation from the Centers for Medicare and Medicaid Services (CMS).
The proposed rule would compel federal or state government agencies to collect claims and encounter data from health plans in the individual or small group markets, essentially creating new centralized databases of sensitive health information. Geiger writes in the guest post:
"Unfortunately, CMS' proposed rule – as written – would exacerbate a trend underway among states and other federal agencies: the large-scale collection and centralized retention of digital copies of health care claims data. Yet the unnecessary duplication and aggregation of sensitive data worsen the risk and severity of data breaches. This week [CDT] submitted comments to the proposed rule in which we urged CMS to adopt a form of distributed network architecture – rather than the centralized approach proposed by CMS – as a more secure and privacy-protective method of accessing and analyzing claims data.
"CMS should require each plan to set aside a copy of structured, de-identified claims and encounter data in a secure system, such as an edge server. CMS could then require plans to make their respective edge servers accessible to state or federal agencies to carry out the analyses CMS describes in the proposed rule. CMS and states could retain the results of their analyses, rather than keep full copies of the claims data. This distributed 'edge server' approach would leave physical possession of the claims data with the plans rather than sending copies to data warehouses, thereby reducing the risk and severity of data breaches."