The Security Scrutinizer with Howard Anderson

Is National Claims Database Needed?

Privacy Advocates Make Strong Case for Alternative Approach
Is National Claims Database Needed?

The U.S. Office of Personnel Management's claims database, which had been slated for a Nov. 15 launch, is now on hold, the office announced this week. In a Federal Register notice, the office said it is considering revising its plans to "provide greater specificity regarding the authorities for maintaining the system, clarify its intent to significantly limit the circumstances under which personally identifiable records may be released and provide a more detailed explanation of how the records in this system will be protected."

Protecting Privacy

Let's hope that review yields a much more detailed database proposal that spells out adequate privacy protections. Better yet, we'd like the office to carefully consider whether it even needs to create a centralized database.

The agency would use the database to conduct research designed to help manage three government programs: The Federal Employee Health Benefit Program; the National Pre-Existing Condition Insurance Program, initiated in August under healthcare reform; and the Multi-State Option Plan, another healthcare reform measure that begins January 2014.

Ensuring patient privacy is certainly far more important than administrative convenience. 

The Office of Personnel Management would gather the information by establishing regular data feeds, including Social Security numbers and a wealth of other personal information about enrollees, from health plans participating in the programs. And that troubles privacy advocates.

In announcing the delay, the agency made it clear that if it revises its plans, it will give the public the opportunity to comment on them before making them final. Meanwhile, it's now accepting comments on its original plans through Dec. 15.

Security Risks

In an Oct. 27 letter to the agency, the Center for Democracy & Technology joined with 15 other groups to express concerns about the project. The letter made a very strong case against the centralized database project, given the potential security risks and the available alternative methods for analyzing data.

"Rather than duplicate sensitive enrollee information by copying it into the warehouse, government agencies and researchers could access data already routinely collected in the ordinary course of business by the health plans participating in the affected insurance programs," the letter stated.

"Health plans are already authorized to release medical information for research and statistical analysis, provided certain privacy protections are in place," the letter added. So the Office of Personnel Management should simply ask health plans to run data analyses as needed and then provide the office with aggregated information in response to its queries "rather than exposing identifiable raw data on individuals. ... OPM should explain why it believes it must have physical possession of the enrollee's data to achieve its research goals."

The letter also pointed out that the Food and Drug Administration already has a good model for this approach to research. The FDA's Sentinel Initiative enables it to quickly monitor the safety of products it regulates by sending queries to data holders, including health plans, and allowing them to keep the data in their possession when conducting analyses.

The consumer advocacy groups said it appears the primary purpose of creating a healthcare claims warehouse is "administrative convenience." And ensuring patient privacy is certainly far more important than administrative convenience. As we noted in an earlier blog, Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, stressed that risks are magnified by duplicating information in a central database. "The data already exists at the health plan level, and there isn't a need to create an additional database in order to leverage it," she contended.

The Office of Personnel Management deserves credit for giving itself some extra time to carefully consider the issues involved. At the very least, it needs to spell out every security precaution it would take to protect the privacy of information gathered.

But why not go back to the drawing board and reconsider the necessity of the database? If the office needs advice, it can just ask the FDA it conducts timely research without having physical possession of the data.



About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.