The Centers for Medicare & Medicaid Services keeps records containing financial or health-related information on millions of Americans, including providers and insurance beneficiaries. An audit of how the agency protects those records and accounts for their disclosure found substantial compliance with the Privacy Act of 1974, according to the Office of Inspector General.
The OIG findings released Friday contrast with news that safeguarding information is getting more difficult despite efforts to protect the privacy of patients who grant external access to their electronic healthcare data. Wrongful disclosures can lead to medical identity theft and inappropriate billing.
The OIG examined 150 data requests drawn from health-related systems of records (SORs) approved or renewed by CMS between September 2006 and August 2011. The audit included CMS staff interviews along with examination of SOR notices, CMS policies and user agreement files.
"For at least 98 percent of all approved data requests in our sample, CMS' disclosures of records were consistent with the routine uses identified in the SOR notices," the report states.
However, 5 percent of all data files CMS disclosed were not among those requested in the data use agreements (DUAs), the legal documents that set disclosure terms and conditions. And CMS had no DUA on file for one-third of all user agreement files, which could limit the agency's ability to verify that data requests matched what was released, the OIG noted. For 29 percent of the user agreement files, CMS granted DUA extensions without documentation of requests from outside parties, including researchers or other government agencies. And 15 percent of DUAs were expired and not closed properly, the audit revealed.
Consequently, OIG recommended five corrective actions for CMS: develop a process to ensure that the data requested are the data disclosed; ensure that DUAs and DUA-related documents are kept in the user agreement files; ensure that the documents required to close DUAs properly are submitted; implement a process to request and approve DUA extensions; and ensure that expiration dates match between the DUAs and the data shipping and tracking system.
CMS concurred with all five recommendations.
- see the OIG audit