Privacy and Security Awareness Overview

1
Privacy and Security Awareness Overview

• New Directors Training
• May 26, 2009
• Patricia Gongloff
• CMS Project Officer
• SHIP National Performance Reporting System

2
PRIVACY PROTECTION

• Range of Personal Information Collected
• CMS collects and maintains individually
  identifiable information on Medicare
  beneficiaries, Medicaid recipients, Physicians,
  Providers of Healthcare Services, Employees,
  Contractors, Consultants, Grantees, and Business
  partners of the Medicare Program.
• CMS collects such individually identifiable
  information as an individuals name, address,
  geographic location, health insurance claim
  number, social security numbers, demographic
  information unique physician identifiers,
  partners of the Medicare Program.

3
PRIVACY PROTECTION

• Authority for Collection of Personal Data by
  Federal Government Offices
• The Privacy Act of 1974, (Title 5 U.S.C.
  552a) which has been in effect since September
  27, 1975, establishes safeguards for the
  protection of records the Federal government
  collects and maintains on U.S. citizens and
  lawfully admitted permanent residents.

4
Privacy Act of 1974

• CMS Systems of Records
• The Privacy Act is limiting in scope in that it
  only pertains to information maintained in a
  system of records that is retrieved by an
  individuals personal identifier. In other words,
  it does not encompass all privacy information,
  just that contained in a Privacy Act System of
  Records.
• A system of records is a constructive notice
  which informs the public of the kinds of
  information that CMS may collect, maintain, and
  disseminate about individuals.

5
Privacy Act of 1974

• Criminal Penalties
• If you commit one of the following violations,
  you may be charged with a misdemeanor and fined
  not more than 5,000.00
• Willfully disclosing individually identifiable
  information to a person or agency not entitled to
  receive it.
• Maintaining records than can be retrieved by an
  individuals name, social security number, health
  insurance claim number, or other personal
  identifier until a notice has been published in
  the Federal Register.
• Knowingly and willfully obtaining any record
  concerning an individual under false pretenses.

6
SHIP NPR

• Contains Personally Identifiable Information
  (PII)
• CMS does not require PII information
• Many SHIPs have requested that PII be retained in
  the NPR
• PII can be the clients name, DOB, phone number

7
SHIP NPR

• By virtue of the fact the NPR contains PII
• It is governed by the Privacy Act
• It is a CMS System of Records
• CMS and SHIPs must safeguard PII

8
SHIP NPR

• CMS and SHIP Directors must
• Undergo privacy training once a year
• Assure privacy training for state staff
• Assure signed staff confidentiality statements
• Safeguard PII
• Have current CMS Data Use Agreements on file
• Follow CMS NPR security procedures