The U.S. Government Accountability Office released a report April 5 outlining recommendations to improve CMS' oversight of Medicare beneficiary data security.
For the report, the GAO analyzed information about how external entities accessed Medicare beneficiary data; compared federal guidance on data security with CMS security requirements; evaluated the results of independent security reviews; and interviewed CMS officials about their oversight practices.
The GAO determined CMS shares Medicare beneficiary data with three major types of external entities:
- Medicare Administrative Contractors
- Research organizations
- Qualified entities, which use claims data to evaluate the performance of service providers and equipment suppliers
For MACs and qualified entities, CMS has developed security requirements aligned with federal guidance, according to the report. However, the GAO determined CMS has not developed sufficient guidance for implementing security controls when it comes to researchers, and has not established an adequate program to oversee the implementation of security controls by researchers or qualified entities.
"According to CMS, the lack of specific guidance gives the researchers more flexibility to independently assess their security risks and determine which controls are appropriate to implement," the report reads. "However, without providing comprehensive, risk-based security guidance to researchers, CMS increases the risk that external entities possessing agency data may not have applied security controls that meet CMS standards."
CMS agreed with the GAO's recommendations to develop additional guidance for researchers on implementing security controls, track results of independent assessments and provide oversight of researchers and qualified entities.
To access the GAO's report, click here.