This document contains comments CDT submmited to the Office of Personnel Management in response to the agency's Multi-State Plan Program (MSP) Draft, issued on September 21, 2011.
We commend OPM for suggesting several important privacy features in this draft. We are pleased to see that OPM will evaluate MSP candidates on their privacy and security compliance under "Utilization/quality assurance." We also commend OPM for requiring applicants to describe their compliance with Fair Information Practice Principles, under "IT Systems, security and confidentiality." We urge OPM to retain these evaluation criteria in the final MSP application.
However, we have some recommendations to improve the section "IT Systems, security and confidentiality."
We appreciate OPMʼs interest in routinely analyzing line-level plan data; effectively managing the MSP program depends on access to data that will be needed for the defined set of purposes described in rules and guidance for all Exchange health plans. However, we believe that OPMʼs plan to centrally collect copies of this data creates unnecessary privacy and security risks.
In response to the epidemic of smartphone thefts, a number of state and federal lawmakers are proposing legislation that would mandate that all mobile devices include a “kill switch” that can remotely shut down a device that is stolen or lost. In Congress, Senator Amy Klobuchar recently put forward a kill switch bill (S. 2032...