|
10/12/2007 Medicare / CMS
The World Privacy Forum filed extensive pubic comments on the substantive
changes to the Medicare database release policy that the Centers for Medicare
and Medicaid Services (CMS) has proposed in a System of Records Notice.
As it currently stands, CMS is planning to release the individually identifiable
protected health information of patients in the Medicare database to third
parties in some circumstances. CMS has not established strong enough checks
and controls on its release policy, and it has not explained how it is
able to do this under HIPAA. The comments state that CMS has an obligation
to explain how each routine use in its new policy is consistent with the
authority in the HIPAA privacy rule. If a routine use allows disclosures
that are broader than those permitted by HIPAA, then the routine use must
be narrowed so that it is consistent with HIPAA. The comments also note
that nothing in the CMS notice discusses substance abuse rules and other
legal restrictions of the protected health data. The World Privacy Forum
asked CMS to specify that the qualifications of any data aggregators who
may potentially receive the data exclude any entity that sells other consumer
data for any general business, credit, identification, or marketing purpose.
Read
the comments (PDF) | Permalink
|
|
