The Centers for Medicare & Medicaid Services (CMS) oversees the Medicare program, which covers nearly 58 million aged and disabled Americans. Federal spending for Medicare benefits totaled approximately $696 billion in fiscal year 2016. Every dollar that is spent on Medicare is connected to someone’s personal information, and if that information is not carefully secured, it could result in financial fraud.
Today’s WatchBlog explores how CMS protects Medicare data.
Who Can See Medicare Information?
As part of running the Medicare program, CMS shares data on Medicare recipients with other groups for three major reasons:
- Medicare Administrative Contractors (MAC) use this data to process the payment of Medicare benefits.
- Researchers use this data to study how recipients get health care services.
- “Qualified entities”—public or private organizations responsible for reporting on provider performance for one or more locations—use this data to determine how well Medicare service providers and equipment suppliers are performing.
Is Guidance for Guarding Personal Information Being Followed?
CMS has set requirements for MACs and qualified entities about guarding personal information, and those requirements follow federal standards. However, while researchers are required to follow federal standards, they are not given detailed guidance on which specific security measures to put in place. CMS notes that when researchers don’t have to follow specific guidance, they have more flexibility to assess security risks and decide which security measures to use. But this flexibility may result in researchers not using security measures that meet CMS standards. We recommended that CMS establish specific guidance for researchers so that they put in place security measures that are consistent and effective.
Who Ensures that Security Measures Are Effectively Carried Out?
In addition to setting requirements for MACs, researchers, and qualified entities, CMS must ensure that these groups are effectively carrying out CMS’s security measures. While assessing effective performance is a good management practice, the Federal Information Security Management Act also requires this. CMS is specifically required to assess the MACs under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003.
We found that CMS is performing assessments for MACs but is not always tracking their findings effectively. We recommended that CMS track all findings for MACs and set up oversight programs for qualified entities and researchers. Currently, CMS does not have assessment programs for these groups.
Check out our full report to learn more.