Federal Claims Database Plan RevisedDespite Changes, Privacy Advocates Still Have Concerns
The revised plan for a Health Claims Data Warehouse, announced in two Federal Register notices June 15 by the U.S. Office of Personnel Management, is slated to take effect July 15 "unless comments are received that would result in a contrary determination." And privacy groups are still pushing for additional major changes.
The Office of Personnel Management, in its revised plan, calls for using the database to help manage only the Federal Employee Health Benefit Program, rather than three federal programs as it originally proposed (see:Privacy Advocates Win Database Delay). That program includes federal employees, postal employees, uniformed service members, retirees and their family members who voluntarily participate in the program.
The agency plans to use the database, which will gather patient-identifiable information from participating insurance carriers, to analyze the costs and utilization of services "to ensure the best value for both enrollees and taxpayers," according to its latest proposal.
Privacy, Security IssuesPrivacy advocates, including the Center for Democracy and Technology, blasted the original proposal for its lack of detail on privacy and security issues. Harley Geiger, policy counsel for the center, says the revised proposal provides far more details, including a commitment to comply with HIPAA. "I think the Office of Personnel Management deserves a fair amount of credit for being responsive to the issues that CDT raised," Geiger told HealthcareInfoSecurity.
In a blog, he also notes the agency pledged "to use only de-identified information for analysis purposes and to release only de-identified information to external parties." And he notes the agency plans to sharply curtail the level of health information sharing called for in the original proposal.
Another advocacy group, Patient Privacy Rights, criticizes the latest plan for failing to describe its methods for de-identifying data. "OPM did not acknowledge how difficult it is to anonymize data for public use databases," says Deborah Peel, M.D., founder of the group.
Peel contends that the modifications made in the latest proposal are only "minor" and fail to adequately address numerous privacy concerns. "The lack of patient control over personal health data has a chilling effect on the willingness to seek treatment and to share information," she says. "And the more the public learns about data releases for research without consent, the more they will oppose electronic health systems and research."
Is Central Database Needed?In addition, the Center for Democracy and Technology still contends the centralized database approach is not needed. Instead, it advocates a "decentralized query-based system" that would leave enrollee health information with the health plans that serve the federal program, "rather than compile new copies of the health information into one big system."
Geiger also says in his blog: "Although CDT supports cost-cutting and fraud detection goals of health claims databases, individual privacy and security are ill-served when repositories and copies of identifiable personal information are created unnecessarily. To the extent possible, government agencies and businesses should seek to meet their objectives through methods that leave data in existing systems and maintain the relative anonymity of data subjects."
The privacy group also questions why the Office of Personnel Management must collect "fully identifiable" health information, including Social Security numbers, to conduct its analyses. The office's fraud detection goals could be achieved, the privacy group argues, using a limited data set that has several direct identifiers stripped away. Or, it could use a one-way hash function to scramble the identifiers.