Skip Navigation Change Font Size

Report (OEI-09-11-00430)

01-31-2014
Disclosure and Accounting of Protected Records by CMS Between 2006 and 2011

Complete Report

Download the complete report

Adobe® Acrobat® is required to read PDF files.

Summary

WHY WE DID THIS STUDY

CMS maintains millions of records containing financial and health-related information. Inappropriate disclosures of records or data maintained in a system of records (SOR) can result in loss of privacy or fraudulent activities. The Privacy Act of 1974 (Privacy Act) governs Federal agencies' collection, use, and dissemination of individuals' records maintained in an SOR. CMS maintains SORs, and its disclosures of records must be consistent with the Privacy Act. Further, the Privacy Act requires CMS to implement safeguards that protect records maintained in an SOR and to account for any disclosures. Among other things, CMS uses a data use agreement (DUA) to ensure its disclosures are in compliance with the Privacy Act. A DUA is the legally binding agreement that contains the written terms and conditions that govern each disclosure. Entities are required to submit a DUA and DUA-related documents to CMS prior to the disclosures.

HOW WE DID THIS STUDY

We reviewed data requests approved or renewed by CMS between September 2006 and August 2011. We limited our review to approved data requests from health-related SORs. We used the DUA tracking number generated by the Data Agreement and Data Shipping Tracking System (DADSS) to identify our population of approved requests. We selected a simple random sample of 150 approved requests using the DUA tracking number. We interviewed CMS staff and reviewed SOR notices, CMS policies, and documents in the user agreement files, i.e., the DUA and/or DUA-related documents. We project our findings to our population.

WHAT WE FOUND

For at least 98 percent of all approved data requests in our sample, CMS's disclosures of records were consistent with the routine uses identified in the SOR notices. Five percent of all data files disclosed by CMS were not requested in the DUAs or updated DUAs. CMS did not have the DUAs on file for 33 percent of all user agreement files. The absence of a DUA may limit CMS's ability to verify what data were requested. For 29 percent of the user agreement files, CMS extended entities' use of data without documentation of requests for extensions. Fifteen percent of DUAs were both expired and not closed properly by the entities.

WHAT WE RECOMMEND

We recommend that CMS (1) develop a process to ensure that the data requested are the ones disclosed to the entity; (2) ensure that the DUA and DUA-related documents are in a user agreement file; (3) ensure that entities submit the required documents to properly close their DUAs; (4) use a standardized, documented process for requesting and approving DUA extensions; and (5) ensure that expiration dates are consistent between the DUA and DADSS. CMS concurred with all five recommendations. In its agency response, CMS stated that it was replacing DADSS with the Enterprise Privacy Policy Engine, an electronic information system designed to provide a 100-percent-traceable record of CMS's data disclosures.

Copies can also be obtained by contacting the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

I'm Looking For

Let's start by choosing a topic

Exclusions Database Report Fraud
Newsletter Sign Up Envelop Graphic

Stay up to date on the latest OIG news and opinions

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201