Health Information Compliance Alert

Heads up, covered entities. CMS has proposed a new System of Records that intends to make health care operations more efficient, and theyre looking for input from you.

Centers for Medicare and Medicaid Administrator Tom Scully Sept. 19 issued a Notice of new System of Records (SOR), the Privacy Accountability Database, that aims to simplify "tracking, reporting and accounting disclosures" made from all CMS SORs to support regulatory, reimbursement and policy functions as permitted by the Privacy Act and the Health Insurance Portability and Accountability Act.

According to the notice published in the Federal Register Oct. 7 CMS maintains the nations largest collection of health care data that contains over 60 SORs and stores information on over 74 million Americans. CMS says the PAD will ensure that data files containing personally identifiable information are protected by providing the required tracking, reporting and accounting capabilities CMS needs for compliance with HIPAA and the Privacy Act.

The PAD will contain information on disclosures of CMS data that falls under exceptions of the Privacy Act, as well as routine uses of the applicable SOR or those that are allowed by HIPAA that require tracking, according to the Register.

CMS plans to implement the PAD in phases, the first of which is scheduled to coincide with the April 2003 Privacy Rule compliance deadline. The first phase will "capture and record applicable disclosure tracking information for enrollment and claims databases only."

Under the Privacy Act, CMS will only disclose information without an individuals consent if the data is to be used in ways that are "compatible with the purpose(s) for which the information was collected." Under these "routine uses," both identifiable and non-identifiable data may be disclosed.

Disclosure of information will follow a minimum necessary framework, and information will only be disclosed after CMS determines:

the use or disclosure is consistent with the reason the data had been collected;
the purpose behind the disclosure requires that the record is provided in individually identifiable form, the purpose for which the disclosure is made is important enough to warrant the risk to the privacy of the individual, and there is a strong chance that the disclosure of the data would accomplish the stated purpose; and
the data are valid and reliable.

The information recipient must: establish "administrative, technical, and physical safe guards" to prevent unauthorized use or disclosure of the protected record; remove or destroy all individually identifiable information as quickly as possible; and agree not to use or disclose the information for purposes other than the stated purpose under which the data were disclosed.

A CMS spokesman tells Eli that the PAD simp will provide the agency with the ability to account for disclosures of protected health information. "So, when a beneficiarys information is shared with, say, the research community, we will keep an accounting of that and will be able to provide the beneficiary with that information, should they choose to ask for it," he explains.

Personnel with access to the system must have been trained with Privacy Act compliance, and records are to be used in a designated work area and system location will be attended at all times during working hours, according to the Register. Users are assigned different levels of access to prevent unauthorized users from modifying or accessing data.

The database will include five classes of database users: Database Administrator, Quality Control Administrator, Quality Index Report Generator, Policy Research, and Submitter. Physical safeguards will include log-on authentications, inactivity lockouts, security warnings displayed on all servers and workstations. Procedural safeguards will also be maintained.

CMS officials say the PAD project presently has only one "nearly full-time" employee, though others are contributing to the project.

CMS is asking for comments on the notice.