Privacy Advocates Win Database DelayNational Healthcare Claims Warehouse Is Controversial
The office has announced it is considering revising its plans to "provide greater specificity regarding the authorities for maintaining the system, clarify its intent to significantly limit the circumstances under which personally identifiable records may be released and provide a more detailed explanation of how the records in this system will be protected."
The agency would use the central database to manage three government programs. They are: The Federal Employee Health Benefit Program; the National Pre-Existing Condition Insurance Program, initiated in August under healthcare reform; and the Multi-State Option Plan, another healthcare reform measure that begins January 2014. The agency would gather the information by establishing regular data feeds from health plans participating in the three programs.
In announcing the delay, the agency made it clear that if it revises its plans, it will give the public the opportunity to comment on them before making them final. Meanwhile, it's now accepting comments on its original plans through Dec. 15.
Lack of Privacy SpecificsSome privacy advocates were upset about the lack of detail in the Oct. 5 announcement about how the information in the potentially massive database, including Social Security numbers and other personal identifiers, would be kept secure. Plus, the announcement outlined plans to share the data with "researchers and analysts inside and outside the federal government for the purpose of conducting research on healthcare and health insurance trends and topical issues," which raised additional concerns.
In an Oct. 27 letter to the agency, the Center for Democracy & Technology joined with 15 other groups to express concerns about the project.
As reported in a recent blog, Deven McGraw, director of the health privacy project at the center, said OPM was "creating a new database with very little detail on the terms of access and disclosure."
Patient Privacy Rights, an advocacy group that also signed the letter to OPM, said in a separate statement: "We do not think the proposal seriously addresses the very significant privacy concerns associated with aggregation of such data and its possible release to researchers."
In its Oct. 5 announcement, the OPM noted that: "In many instances, the data will be de-identified for specific analyses..." It also stated: "OPM restricts access to the records on the databases to employees who have the appropriate clearance and need-to-know to perform their official duties. Computerized records are located in a secured database on a secure system."
Patient Privacy Rights, headed by Deborah Peel, M.D., blasted the announcement for failing to describe precisely how data would be de-identified. And the group labeled as "grossly inadequate" the announcement's reference to a "secured database on a secured system," calling for further details, such as spelling out the use of encryption.
Is Claims Database Necessary?McGraw contended the database project, besides lacking security specifics, is fundamentally unnecessary.
The claims data OPM needs "to better manage their benefit programs and ensure they are being administered effectively and efficiently is with the health plans," she said. "And OPM, as benefit manager, has the authority to have the plans do the needed analysis on the data without the need for OPM to collect all of the raw data into one big database."
Aggregating the data, McGraw contended, "magnifies the risk to the data by duplicating it in a central database. The data already exists at the health plan level, and there isn't a need to create an additional database in order to leverage it."
She added: "The fact that they are making this raw data available for research purposes without any indication of which types of research will be permitted and whether the results may be shared with the public and to what extent they will seek the consent of the individuals in the database is highly irresponsible."
McGraw also criticized OPM for its plans to retrieve data using names and Social Security numbers, citing a 2007 directive from the Office of Management and Budget that called for reducing unnecessary use of Social Security numbers.
Patient Privacy Rights summarized its concerns: "Although this proposal is being described as intended to help promote medical research and efficiency analysis, we do not see adequate safeguards to ensure that the aggregated records are made secure from thieves and are not used as fodder for the health data mining industry."