A Distributed Network Approach to Health Data Security
As ID Experts president Richard Kam recently observed, information technology is forcing rapid changes to data security practices in the health care system. Now, as digital health records become more widespread, we are at a critical juncture that will profoundly influence how government and businesses handle the security of health data in the future. Encryption, employee training, PHI inventories and risk assessments are crucial elements of any security plan, but we should also be thinking at a more fundamental level about the way in which companies and government agencies collect and store health data for research, cost comparisons and other analytical purposes. The Centers for Medicare and Medicaid Services (CMS) recently proposed a regulation that provided an opportunity to do just that. CMS proposed a health data collection program that followed a conventional “put all the data copies in one place” model, but CMS and other agencies should consider more secure alternatives.
CMS’ proposed rule would compel federal or state government agencies to collect claims and encounter data from health plans in the individual or small group markets. As required under the Affordable Care Act of 2010, CMS would use the data for an insurance risk adjustment program. Unfortunately, CMS’ proposed rule – as written – would exacerbate a trend underway among states and other federal agencies: the large-scale collection and centralized retention of digital copies of health care claims data. Yet the unnecessary duplication and aggregation of sensitive data worsen the risk and severity of data breaches. This week the Center for Democracy & Technology (CDT) submitted comments to the proposed rule in which we urged CMS to adopt a form of distributed network architecture – rather than the centralized approach proposed by CMS – as a more secure and privacy protective method of accessing and analyzing claims data.
Many agencies with a project or program that needs medical data will simply require health plans to compile the data and submit it to the agencies, which then collect the data into new centralized databases. In addition to CMS’ proposed rule, three recent examples come to mind: First, numerous states have established “All-Payer Claims Databases” to compile longitudinal digital claims data for broad public policy, law enforcement and research goals. Second, the federal Office of Personnel Management, as part of its management of the Federal Employee Health Benefits Program, is also in the process of building its “Health Claims Data Warehouse” for very similar purposes. Third, shortly after CMS proposed its rule, the HHS Office of the Secretary announced plans to establish a “Multi-Payor Claims Database” that will access longitudinal claims data (and eventually information from electronic medical records) for comparative effectiveness research.
Continually building huge repositories of medical data for new research or policy needs is risky, inefficient and a poor long-term strategy. Maintaining copies of sensitive information in various locations for long periods of time sharply worsens the risk and severity of data breaches. As ID Experts has pointed out numerous times, breaches of identifiable medical data are a growing – and extremely costly – problem for patients, health care companies and government agencies. Moreover, it is burdensome and costly for plans to set up and secure multiple data feeds to different entities in various locations. Finally, unnecessarily funneling copies of patients’ identifiable data to state and federal agencies inflames public perception of government snooping, eroding trust in the confidentiality of digital medical records.
In our comments to CMS’ proposed rule on the risk adjustment program, CDT offered an alternative to the creation of yet more centralized databases stocked by data feeds from health plans. Instead, we argued, CMS should adopt a distributed “edge server” approach. CMS should require each plan to set aside a copy of structured, de-identified claims and encounter data in a secure system, such as an edge server. CMS could then require plans to make their respective edge servers accessible to state or federal agencies to carry out the analyses CMS describes in the proposed rule. CMS and states could then retain the results of their analyses, rather than keep full copies of the claims data. Auditing and accountability controls should be incorporated to ensure accurate risk adjustment. Similar distributed systems are already broadly deployed in the public and private sectors.
This distributed “edge server” approach would leave physical possession of the claims data with the plans rather than sending copies to data warehouses, thereby reducing the risk and severity of data breaches. This distributed approach would still allow CMS and the states to have access to the data they need to accomplish accurate risk adjustment, but without some of the privacy risks CMS acknowledges are present when the government centrally collects individual-level data. A distributed network would leverage existing infrastructure, minimize data transfer, cut down on redundant work and would be less costly for state and federal government agencies to build than a centralized database. Uploading structured data to secure edge servers maintained by each plan would also likely be less costly and time-consuming for each plan than compiling and submitting regular reports to government agencies, and may mitigate plans’ concerns over releasing copies of proprietary data sets.
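To make the contrast between the two models concrete, here is a small added illustration (not code from CDT, CMS or any health plan) of the “edge server” exchange described above: each plan holds its own de-identified, structured rows; the agency-side coordinator sends a named query, receives only the aggregate answer, and each edge server records an audit entry for accountability. The class and field names, the `risk_summary` query, the `member_token` pseudonyms and the claim rows are all constructed assumptions for the example; the stand-in “risk” figures are not CMS’ actual risk adjustment formula. A `centralized_copy` helper shows, for comparison, how many record-level rows the conventional model would have to hold in one place.

```python
"""
Added example: 'bring the question to the data' versus copying the data.
Plans keep possession of de-identified claims rows on their own edge
servers; the agency retains aggregate results and an audit trail only.
All identifiers and rows below are constructed for illustration.
"""
from dataclasses import dataclass, field
from hashlib import sha256
import json


def risk_summary(rows):
    """Aggregate-only answer: distinct members and summed stand-in risk score.
    No row, token or per-member value leaves the edge server."""
    return {
        "members": len({r["member_token"] for r in rows}),
        "total_risk": round(sum(r["risk_score"] for r in rows), 2),
    }


# Only named, pre-approved analyses may run; there is no "dump all rows" query.
PERMITTED_QUERIES = {"risk_summary": risk_summary}


@dataclass
class EdgeServer:
    """One health plan's secure system holding its de-identified data set."""
    plan_id: str
    rows: list                                   # constructed claim rows
    audit_log: list = field(default_factory=list)

    def run(self, query_name, requester):
        fn = PERMITTED_QUERIES.get(query_name)
        if fn is None:
            raise ValueError(f"query not permitted: {query_name}")
        result = fn(self.rows)
        # Accountability control: who asked, what ran, and a digest of what left.
        self.audit_log.append({
            "requester": requester,
            "query": query_name,
            "result_digest": sha256(
                json.dumps(result, sort_keys=True).encode()).hexdigest(),
        })
        return result


class Coordinator:
    """Agency side of the distributed network: retains results, never rows."""

    def __init__(self, agency):
        self.agency = agency
        self.results = {}

    def collect(self, servers, query_name="risk_summary"):
        for server in servers:
            self.results[server.plan_id] = server.run(query_name, requester=self.agency)
        return self.results

    def holds_row_data(self):
        """Design check: nothing retained should resemble a record-level row."""
        return any("member_token" in json.dumps(v) for v in self.results.values())


def centralized_copy(servers):
    """The conventional model for comparison: every plan's rows copied into
    one warehouse. The length of this list is the breach exposure it creates."""
    return [row for server in servers for row in server.rows]


def build_demo():
    """Construct two plans with hypothetical rows and run the distributed query."""
    plan_a = EdgeServer("plan-a", [
        {"member_token": "m1", "risk_score": 1.2},
        {"member_token": "m2", "risk_score": 0.8},
        {"member_token": "m1", "risk_score": 0.5},
    ])
    plan_b = EdgeServer("plan-b", [
        {"member_token": "m9", "risk_score": 2.0},
    ])
    coordinator = Coordinator("state-agency")
    coordinator.collect([plan_a, plan_b])
    return coordinator, [plan_a, plan_b]


if __name__ == "__main__":
    coord, servers = build_demo()
    print("agency retains:", coord.results)
    print("agency holds row data:", coord.holds_row_data())
    print("rows a central warehouse would hold:", len(centralized_copy(servers)))
    print("audit entry at plan-a:", servers[0].audit_log[0])
```

The point of the `holds_row_data` check and the `centralized_copy` count is the one the post makes: under the distributed model the agency ends up with two small aggregate dictionaries and each plan keeps a log of the request, whereas the centralized model would hold all four record-level rows (and, at real scale, millions) in one breachable place.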
CDT is not the only voice urging government agencies to “bring questions to the data” rather than bring the data to their questions. Some major health plans and technology companies also commented on the proposed rule, likewise asking CMS to consider this distributed approach. The HHS Office of the National Coordinator also recently held a series of workshops on distributed networks. The distributed approach is gaining traction, and it would be unfortunate if state or federal regulations locked health plans into participating in a centralized data collection model. As breach incidents continue to rise, we should take the opportunity at this relatively early stage of health data digitization to address a key data security issue – reducing the quantity of unnecessary copies of sensitive data.