GAO: Feds not doing enough to protect Medicare beneficiaries' data


The Centers for Medicare & Medicaid Services needs to improve how it handles beneficiary data being shared with others, especially research organizations, according to a new report from the Government Accountability Office.

The study on oversight of Medicare data focused on three partners with whom Medicare recipients' health information is shared electronically: the Medicare Administrative Contractors who process and distribute payments for skilled nursing facilities and others; researchers who use the data to study how health care services are provided; and qualified public or private entities who use claims data to evaluate the performance of Medicare service providers and equipment suppliers.

Though the GAO recognized that CMS has developed proper security controls for MACs and performance evaluators, the watchdog said the health agency needs to set better standards in exchanging information with researchers.

“Researchers must adhere to broad governmentwide standards, but are not given guidance on which specific controls to implement,” finds the report, which was released Thursday. “According to CMS, the lack of specific guidance gives the researchers more flexibility to independently assess their security risks and determine which controls are appropriate to implement; however, without providing comprehensive, risk-based security guidance to researchers, CMS increases the risk that external entities possessing agency data may not have applied security controls that meet CMS standards.”

GAO also faulted CMS for setting standards for its performance evaluators without following up with a program that tracks whether those standards have actually been implemented.

“Without effective oversight measures in place for researchers and qualified entities, CMS cannot fully ensure that the security of Medicare beneficiary data is being adequately protected,” the GAO said, noting that recent data breaches nationwide have highlighted the importance of ensuring the security of health information.

The GAO recommended the CMS administrator:

1. Develop and distribute guidance for researchers defining minimum security controls and implementation guidance for those controls, consistent with National Institute of Standards and Technology guidance.

2. Design procedures to ensure findings from all MAC assessments are classified consistently and tracked appropriately.

3. Establish processes and procedures to ensure qualified entities and researchers have implemented information security controls effectively throughout their agreements with CMS.