The Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) protects Medicare beneficiary data when it is accessed by external entities. There are three main types of external entities with which CMS can share Medicare beneficiary data: the MACs, researchers and other qualified entities.
Medicare Administrative Contractors (MACs) check and process over 1.2 billion Medicare fee-for-service claims submitted by more than 1.5 million healthcare providers each year. To process the claims, MACs need to access the personally identifiable information (PII) and protected health information (PHI) of Medicare beneficiaries from the CMS virtual data centers (VDCs) by connecting directly to the CMSNet telecommunications network.
Researchers need Medicare beneficiary data to study how healthcare services are provided to beneficiaries and to help improve the delivery of public healthcare services. CMS grants access to the specific dataset that the researchers need for their study. Before CMS gives researchers access, the two parties enter into a data use agreement. The agreement describes the data to be accessed, the purpose and the length of access. It also states the requirements to ensure data confidentiality and safety. Researchers can access the data by connecting to CMS's Chronic Conditions Warehouse/Virtual Research Data Center (CCW/VRDC) using a secure network connection. Alternatively, CMS will send copies of encrypted data via the U.S. mail.
There are qualified public or private entities that utilize claims data to evaluate the performance of Medicare service providers and equipment suppliers. They can access data using a Secure File Transfer System connection to the CCW/VRDC. Or they can get encrypted data via U.S. mail. A data use agreement is also required before access to data is granted.
Security controls consistent with federal guidance must be established when CMS allows the above entities to access Medicare beneficiary data. CMS must also make sure that these security requirements are strictly implemented to avoid data breaches. The question is “Can CMS do its job effectively?”