5 issues to consider about data security
Personalized health care information in the palm of your hand. That’s the goal of the Centers for Medicare & Medicaid Services' (CMS) Interoperability and Patient Access Final Rule. This level of patient access to data and insights marks a big step forward in health care.
Unlocking data to give people the information they need to take ownership of their health can help lead to better health outcomes. But it also raises new questions about patient data privacy and security.
Here are five issues states should consider as they work to comply with the CMS rule, maintain security and privacy for members, and realize the full value of data exchange.
1. Validation of third-party apps and organizations
State governments may not be accustomed to working with third-party apps and services available to members. What happens when these third parties get access to sensitive data?
States will need to validate that third-party organizations are who they say they are and have the necessary security and privacy protections in place.
States should seek out a vendor partner that can perform these validation processes on their behalf and collaborate with that partner to ensure third-party organizations are validated.
The law requires that organizations — and the data they collect — be located (and remain) in the United States. So the validation process should include both physical address and IP address verification.
2. Member identity proofing and consent management
Interoperability allows members to sign into third-party applications and manage access to their health care data. Just as the third-party organizations need to be validated, applications need to be able to confirm that a member is who they say they are.
Member identity proofing is essential, given that Medicare and Medicaid populations may struggle with technology. Ensuring that robust security and privacy protections are in place can help to protect members and prevent fraud and misuse of data.
Access and consent management are critical components of security. This includes:
- Managing identity and access control
- Delegating who can see a member’s data
- Transferring data between entities
A hospital system or private industry might have data intake processes for consent management in place. But states may need help in establishing CMS-compliant processes.
3. Compliance with CMS security and privacy policies
Any application offered to Medicare or Medicaid members must comply with the HIPAA requirements for health record privacy and security. HIPAA establishes controls to protect health care data from misuse and exposure.
Note that many states may have other individual requirements that go above and beyond HIPAA. These may include enhanced privacy laws and regulations.
Requirements and policies may differ between the states where third-party app owners are located and the states where the app users live. For states with more stringent requirements, solutions must meet both the regulatory needs and the security requirements of those states.
These requirements are often specified in CMS’ Minimum Acceptable Risk Standard for Exchanges (MARS-E) or the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53), and in privacy laws such as the California Consumer Privacy Act (CCPA).
Ensuring that applications accommodate both the federal baseline and state-specific requirements requires a combination of technical capabilities and regulatory expertise.
4. Consumer education and empowerment
Many users of Medicare and Medicaid may not be entirely comfortable or confident with technology. Member education and empowerment can help them learn to navigate and secure their data.
It’s critical that members know who is accessing their data. States should look for a vendor that can deliver detailed profile information about an organization and application into the hands of the member.
Members should also be notified if there are gaps in the information the organization provides, so that they are aware of any potential risks. Members grant apps access to their data, and they need to know that they also have the right to revoke that access and how to do so.
5. Maintaining oversight and control
It’s not enough to validate third-party organizations once and then send members and applications forth with the state’s blessing. States are still primary owners of the health care data in question, along with the individual members. They must maintain oversight over how the data is managed.
Vendors that partner with states to manage an interoperability solution are stewards of the data. But the state and its members own the data. States have the ultimate responsibility for the data, and vendors must make sure that states are equipped to carry out that responsibility.
Program administrators and coordinators should always be able to log in, review logs and view dashboards. They must always be able to verify that data monitoring is working as intended. Responsible vendors will ensure that states retain ultimate ownership and control over their data.
Enabling data access for 60 million Americans
Interoperability is a complex topic with many variables — and security and privacy play a critical role. But with the right solutions, it’s achievable. In fact, our solution has made it possible for more than 60 million Americans to securely access their own data.
Optum team members are accredited as:
- ISC2 Certified Information Systems Security Professionals (CISSP)
- ISC2 HealthCare Information Security and Privacy Practitioners (HCISPP)
- ISACA (Information Systems Audit and Control Association) Certified Data Privacy Solutions Engineers (CDPSE)
Solutions can be customized to meet each state's needs. We can also provide complete, ready-to-enact solutions or help states set up and manage solutions independently. Optum is a partner and resource for states in providing better member access to health care information and improving health outcomes.
Let’s continue the conversation about your state’s unique situation and how Optum can be a resource for you. Contact us or visit us at optum.com/stategov