GAO: Feds Not Doing Enough

April 9, 2018, Kimberly Marselas, McKnight's Long-Term Care News - The Centers for Medicare & Medicaid Services (CMS) needs to improve how it handles beneficiary data being shared with others, especially research organizations, according to a new report from the Government Accountability Office.

The study on oversight of Medicare data focused on three partners with whom Medicare recipients' health information is shared electronically: the Medicare Administrative Contractors who process and distribute payments for skilled nursing facilities and others; researchers who use the data to study how health care services are provided; and qualified public or private entities who use claims data to evaluate the performance of Medicare service providers and equipment suppliers.

Though the GAO recognized that CMS has developed proper security controls for MACs and performance evaluators, the watchdog said the health agency needs to set better standards in exchanging information with researchers.

“Researchers must adhere to broad governmentwide standards, but are not given guidance on which specific controls to implement,” finds the report, which was released Thursday.  “According to CMS, the lack of specific guidance gives the researchers more flexibility to independently assess their security risks and determine which controls are appropriate to implement; however, without providing comprehensive, risk-based security guidance to researchers, CMS increases the risk that external entities possessing agency data may not have applied security controls that meet CMS standards.”

GAO also called out CMS ........ CLICK HERE TO READ MORE