The Center for Democracy & Technology (CDT) submits these comments in response to the Department of Health and Human Servicesʼ (HHS) Centers for Medicare and Medicaid Services' (CMS) proposed rulemaking on Standards Related to Reinsurance, Risk Corridors and Risk Adjustment.
As written, CMS' proposed rule would exacerbate a trend underway among states and other federal agencies: the large-scale collection and centralized retention of digital copies of individually identifiable health care data. Continually building huge repositories of medical data for new research or policy needs is risky, inefficient and a poor long-term strategy, raising the risk of data breach, burdening health plans and eroding public trust in the confidentiality of digital health care records.
CMS should modify its proposed rule to require participating states to utilize a distributed "edge server" approach for the programs set forth in the rule. HHS and states should require plans to upload standardized claims and encounter data (not aggregated or summarized data) into plans’ own secure servers – to which state or federal agencies are granted access. State or federal agencies (not the plans) could then access each plan’s server and run the necessary analyses on plans’ data to calculate risk adjustment while leaving the physical possession of the claims data with the plans. Auditing and accountability controls should be incorporated to ensure accurate risk adjustment. Such an approach would allow HHS and the states to have access to the data they need to accomplish accurate risk adjustment without the privacy risks HHS acknowledges are present with the government centrally collects individual level data.