CMS must ensure that third parties use Medicare data more securely, GAO report cautions

The report advises CMS to set up more processes and procedures for security.
(Wikimedia Commons)

When third parties, like researchers or select private entities, collaborate with the Centers for Medicare and Medicaid Services (CMS) to access Medicare beneficiary data, they do so under certain security requirements. But according to a recent report by the Government Accountability Office, CMS needs to do a better job making sure these requirements are being followed correctly.

The report states that while CMS provides guidance and oversight of security practices for some types of data users (namely Medicare Administrative Contractors, or MACs), it is not so thorough with others.

For example, researchers with access to the data are asked to adhere to general government data security standards, but they aren’t given guidance on how to adhere to these standards. CMS says this gives researchers “more flexibility,” but GAO thinks it’s a bit risky.

“Medicare beneficiary data are created, stored, and used by a wide variety of entities, such as health care providers, insurance companies, financial institutions, academic researchers, and other federal/state agencies for a wide variety of purposes,” a letter that opens the report reads. “However, the distributed nature of Medicare systems and networks, along with the fact that so many entities external to CMS are connected to them, increases the potential that unauthorized individuals could gain access to these systems and the extensive amount of Medicare beneficiary data they contain.”


When it comes to assessing the third-party entities’ security procedures, there’s also room for improvement. CMS has assessment rituals for MACs, the report states, but it’s not always consistent with these. And oversight of researchers and other qualified data users is “much more limited.”

“Without more effective oversight programs in place,” the report concludes, “CMS lacks full assurance that external entities are appropriately implementing security protections for Medicare beneficiary data.”

The report makes three recommendations, mostly surrounding the development of “processes and procedures” to ensure that the data is being kept safe. CMS concurred with all three recommendations.

The issue of the security of Medicare beneficiary data takes special significance as CMS and its parent, the Department of Health and Human Services, are showing an interest in opening up more data to more users. CMS recently released Blue Button 2.0, for example, an application programming interface (API) that Medicare recipients can use to share their claims data with chosen third-party entities. The GAO report does not include an evaluation of the security impact of this API.

Reached for comment, a CMS spokesperson told FedScoop that “CMS is committed to protecting the safety and security of our Medicare beneficiaries’ data.”


CMS mandates that developers participating in Blue Button 2.0 clear an approval process “based on industry best practice” before they are allowed to use the data, the spokesperson said. “As a result of the careful approach CMS has taken to ensure that beneficiaries’ health data remains safe and secure with Blue Button 2.0, we don’t anticipate that this report will have implications for this initiative.”

Latest Podcasts