WHY WE DID THIS STUDY
CMS maintains millions of records containing financial and health-related information. Inappropriate disclosures of records or data maintained in a system of records (SOR) can result in loss of privacy or fraudulent activities. The Privacy Act of 1974 (Privacy Act) governs Federal agencies' collection, use, and dissemination of individuals' records maintained in an SOR. CMS maintains SORs, and its disclosures of records must be consistent with the Privacy Act. Further, the Privacy Act requires CMS to implement safeguards that protect records maintained in an SOR and to account for any disclosures. Among other things, CMS uses a data use agreement (DUA) to ensure its disclosures are in compliance with the Privacy Act. A DUA is the legally binding agreement that contains the written terms and conditions that govern each disclosure. Entities are required to submit a DUA and DUA-related documents to CMS prior to the disclosures.
HOW WE DID THIS STUDY
We reviewed data requests approved or renewed by CMS between September 2006 and August 2011. We limited our review to approved data requests from health-related SORs. We used the DUA tracking number generated by the Data Agreement and Data Shipping Tracking System (DADSS) to identify our population of approved requests. We selected a simple random sample of 150 approved requests using the DUA tracking number. We interviewed CMS staff and reviewed SOR notices, CMS policies, and documents in the user agreement files, i.e., the DUA and/or DUA-related documents. We project our findings to our population.
WHAT WE FOUND
For at least 98 percent of all approved data requests in our sample, CMS's disclosures of records were consistent with the routine uses identified in the SOR notices. Five percent of all data files disclosed by CMS were not requested in the DUAs or updated DUAs. CMS did not have the DUAs on file for 33 percent of all user agreement files. The absence of a DUA may limit CMS's ability to verify what data were requested. For 29 percent of the user agreement files, CMS extended entities' use of data without documentation of requests for extensions. Fifteen percent of DUAs were both expired and not closed properly by the entities.
WHAT WE RECOMMEND
We recommend that CMS (1) develop a process to ensure that the data requested are the ones disclosed to the entity; (2) ensure that the DUA and DUA-related documents are in a user agreement file; (3) ensure that entities submit the required documents to properly close their DUAs; (4) use a standardized, documented process for requesting and approving DUA extensions; and (5) ensure that expiration dates are consistent between the DUA and DADSS. CMS concurred with all five recommendations. In its agency response, CMS stated that it was replacing DADSS with the Enterprise Privacy Policy Engine, an electronic information system designed to provide a 100-percent-traceable record of CMS's data disclosures.
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.