This document contains comments CDT submitted to the Office of Personnel Management in response to the agency's Multi-State Plan Program (MSP) Draft, issued on September 21, 2011.
We commend OPM for suggesting several important privacy features in this draft. We are pleased to see that OPM will evaluate MSP candidates on their privacy and security compliance under "Utilization/quality assurance." We also commend OPM for requiring applicants to describe their compliance with Fair Information Practice Principles, under "IT Systems, security and confidentiality." We urge OPM to retain these evaluation criteria in the final MSP application.
However, we have some recommendations to improve the section "IT Systems, security and confidentiality."
We appreciate OPM's interest in routinely analyzing line-level plan data; effectively managing the MSP program depends on access to data that will be needed for the defined set of purposes described in rules and guidance for all Exchange health plans. However, we believe that OPM's plan to centrally collect copies of this data creates unnecessary privacy and security risks.
Unfortunately, there is still a general trend among some businesses and government agencies to develop a new database for every analytic need, and OPM is continuing to follow this outdated and privacy-risky model. Although CDT supports cost-cutting and fraud detection goals of health claims databases, individual privacy and data security are ill served when repositories and copies of identifiable personal information are created unnecessarily. To the extent possible, government agencies and businesses should seek to meet their objectives through methods that leverage existing systems, minimize data transfer, and maintain the relative anonymity of data subjects.