The Security Scrutinizer with Howard Anderson

Claims Database Raises Privacy Concerns

Consumer Advocates Decry Lack of Details
Claims Database Raises Privacy Concerns

They contend the proposal from the U.S. Office of Personnel Management lacks sufficient privacy policy details and security provisions. And they question whether the project is even necessary. Let's hope OPM officials carefully consider the advocates' concerns before they launch the ambitious project.

OPM announced in the Federal Register Oct. 5 plans for a "central and comprehensive database" that it will use to manage three government programs. They are: The Federal Employee Health Benefit Program; the National Pre-Existing Condition Insurance Program, initiated in August under healthcare reform; and the Multi-State Option Plan, another healthcare reform measure that begins January 2014. The agency will gather the information by establishing regular data feeds from health plans participating in the three programs.

Let's hope officials carefully consider the advocates' concerns before they launch the ambitious project. 

Some privacy advocates are upset about the lack of detail in the announcement about how the information, including Social Security numbers and other personal identifiers, in the potentially massive database will be kept secure. Plus, the announcement outlines plans to share the data with "researchers and analysts inside and outside the federal government for the purpose of conducting research on healthcare and health insurance trends and topical issues," which raises additional concerns.

"They are creating a new database with very little detail on the terms of access and disclosure," says Deven McGraw, director of the health privacy project at the Center for Democracy & Technology.

"We do not think the proposal seriously addresses the very significant privacy concerns associated with aggregation of such data and its possible release to researchers," said a statement from Patient Privacy Rights, an advocacy group.

In its announcement, the OPM notes: "In many instances, the data will be de-identified for specific analyses..." It also states: "OPM restricts access to the records on the databases to employees who have the appropriate clearance and need-to-know to perform their official duties. Computerized records are located in a secured database on a secure system."

Patient Privacy Rights, headed by Deborah Peel, M.D., blasts the announcement for failing to describe precisely how data would be de-identified. And the group labels as "grossly inadequate" the announcement's reference to a "secured database on a secured system," calling for further details, such as spelling out the use of encryption.

McGraw contends the database project, besides lacking security specifics, is fundamentally unnecessary.

The claims data OPM needs "to better manage their benefit programs and ensure they are being administered effectively and efficiently is with the health plans," she says. "And OPM, as benefit manager, has the authority to have the plans do the needed analysis on the data without the need for OPM to collect all of the raw data into one big database."

Aggregating the data, McGraw contends, "magnifies the risk to the data by duplicating it in a central database. The data already exists at the health plan level, and there isn't a need to create an additional database in order to leverage it."

She adds: "The fact that they are making this raw data available for research purposes without any indication of which types of research will be permitted and whether the results may be shared with the public and to what extent they will seek the consent of the individuals in the database is highly irresponsible."

McGraw also criticizes OPM for its plans to retrieve data using names and Social Security numbers, citing a 2007 directive from the Office of Management and Budget that called for reducing unnecessary use of Social Security numbers.

Patient Privacy Rights summarized its concerns in this way: "Although this proposal is being described as intended to help promote medical research and efficiency analysis, we do not see adequate safeguards to ensure that the aggregated records are made secure from thieves and are not used as fodder for the health data mining industry."

The OPM announcement says the plans for the database will move forward effective November 15 "unless comments are received that would result in a contrary determination."

Let's hope the comments from the Centers for Democracy & Technology, Patient Privacy Rights -and hopefully many others -- will lead OPM to shed light on its security plans or announce substantial changes in the project.



About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.