Introduction to Privacy
The topics of privacy and security for the Centers for Medicare and Medicaid Services (CMS) refer to the combined process of keeping sensitive information about individual beneficiaries secure, both physically and digitally. This sensitive information includes PII and PHI. Personally Identifiable Information (PII) is any information that can be used to identify an individual, such as name, address, Social Security number, and medical information. Protected Health Information (PHI) is a subset of PII: individually identifiable health information that is collected, used, or disclosed by the Centers for Medicare and Medicaid Services. In the context of research conducted within the QualityNet community, this guidance focuses on three stages of collecting and storing data when conducting research with volunteers: Before, During, and After.

Before: Recruiting Research Volunteers
There are a variety of methods for recruiting research participants. Some of these people may be considered "internal" volunteers: federal employees and government contractors working in support of CMS and its mission. However, for public-facing solutions, researchers may need to recruit members of the public who use a product or service provided by the QualityNet community. It is this latter group that introduces more complexity in recruitment. A general rule of thumb is that if you are collecting the same information from 10 or more members of the public, this is considered "burden" under the Paperwork Reduction Act (PRA) and must go through an approval process. Two recruitment paths are described below: one that uses a PRA-approved information collection and may collect PII, and one that neither triggers the PRA nor collects PII.
Recruiting Volunteers via a PRA-approved Information Collection Request (ICR)
One option for collecting information from the public is to initiate a PRA coverage process on your own, but that process can be long and drawn out. The good news is that there is existing PRA coverage (CMS-10706) for CCSQ employees and partners who seek to collect information from the public in order to aid in the design and development of product or service solutions. If you fall within those parameters, you will likely be able to collect survey data from the public, which may include PII or PHI, much more quickly. Reach out to our team or the CMS Office of Strategic Operations and Regulatory Affairs (OSORA) to learn whether you qualify.

Recruiting Volunteers without Triggering PRA
The good news for researchers who are new to the community is that there is an existing system that securely captures information from people who have contacted the community help desk ("Service Center") and volunteered to participate in research. This "Participant Database" stores volunteer information by program and is available to researchers in the QualityNet community. Even if you do not have access to this resource, there are options for soliciting volunteers without capturing PII or PHI. Our Participant Communication guidance includes examples where, as a recruiter, instead of asking volunteers to provide screener information, you state the specific requirements you have and volunteers respond only if they meet the criteria. This avoids collecting the screener answers that would otherwise have to be held as PII. In this recruiting method, you are not asking people to disclose information about themselves but simply to express interest in participating in a research activity.

During: Conducting Research with Volunteers
Once you have identified volunteers for a particular research activity, what are best practices for protecting participant privacy?
Consider implementing the following safeguards* (per MACBIS HCD SOP):
- Treat recordings as PII – It's not just text. Audio and video recordings of volunteers are also considered PII. In some states (Maryland being one of them) you must ask permission before recording.
- Hide or mask research participant information – Depending on how session information is captured and stored, consider masking or hiding volunteer information. This may include:
- Hiding or masking participant names if the session uses video conferencing software
- Hiding or masking participant names when documenting any information pertaining to a research session with a volunteer
- Avoid mentioning participant names during a recording – This keeps PII out of any recordings or documents that may be used for later synthesis. If names are used during a session, replace them in the transcript with unique IDs.
After: Storing Research Data and Anonymization
Once research has been conducted, teams need to store the raw data used for synthesis and for making solution recommendations. Consult with your CMS Information System Security Officer (ISSO) for approved systems and storage procedures. For PII/PHI that may be saved on local devices, CCSQ ISG recommends the following protocols* (per QPP HCD SOP):
- Regular deletion of locally hosted PII from completed studies: All recordings and other PII data should be cleared from local devices and from accounts (e.g., Zoom cloud recordings) for completed studies. This should happen every 3-6 months.
- Secure Shredding for Paper Documents: Paper documents containing PII should be shredded using a cross-cut shredder or a shredding service that ensures the information is irreversibly destroyed.
- Secure Disposal of Electronic Media: For electronic media, such as hard drives, USB drives, or CDs/DVDs, use secure disposal methods. This can include using data wiping software that overwrites the data multiple times to make it unrecoverable, physically destroying the media, or using certified disposal services that specialize in electronic media destruction. Note that overwrite-based wiping is only reliable for magnetic media; for SSDs and flash drives, prefer the drive's built-in cryptographic erase or physical destruction, following NIST SP 800-88 media sanitization guidance.
- Verification of Disposal: Maintain a disposal record for each set of PII destroyed (describing what was destroyed, not reproducing it), including the date, method of disposal, and responsible parties involved. This documentation can be important for auditing, compliance, or in case of any future inquiries.
In addition to storage and disposal procedures, steps should be taken to anonymize data when possible. CCSQ ISG recommends the following protocols* (per QPP HCD SOP):
- Remove Identifying Information: Remove any direct identifiers, such as names, email addresses, phone numbers, and social media handles.
- Replace Identifiers: Replace participants' names with unique identifiers, such as Participant A, Participant B, or User 1, User 2, to maintain anonymity.
- Redact Direct References: Ensure that any direct references to specific individuals, organizations, or locations are redacted or replaced with generic terms.
- Modify Dates and Times: Adjust or generalize specific dates and times mentioned in the transcript to prevent identification. For example, replace an exact date with a generic placeholder, or change "last week" to "recently" or "in the past."
- Use Generic Terminology: Replace specific product names, project codes, or any other proprietary or sensitive information with generic terms to avoid disclosing confidential information.
- Review for Oversights: Conduct a thorough review of the anonymized transcript to identify and correct any oversights or missed instances of identifiable information.
- Data Protection Documentation: Maintain documentation outlining the anonymization process and the measures taken to protect participant privacy. This documentation helps ensure compliance and accountability.
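The following Python script is an added example, not part of this guidance or of any CMS or QualityNet tooling, that applies the transcript steps above (and the "During" advice to replace transcript names with unique IDs) to a constructed sample transcript. It assumes you already know the participant roster from the session, and the regular expressions for emails, phone numbers, SSNs and dates are an assumed starting set, not a complete catalogue of the 18 identifiers listed in the Appendix. The `residual_identifiers` pass is a mechanical aid for the "Review for Oversights" step, and the replacement counts feed the documentation step.

```python
import re
from dataclasses import dataclass, field
from string import ascii_uppercase

# Constructed sample transcript: fictional participants, a reserved example
# domain, a 555 phone number and a never-issued SSN. Not real study data.
SAMPLE_TRANSCRIPT = """\
Moderator: Thanks for joining, Maria Lopez. Can you walk me through submitting a measure?
Maria Lopez: Sure. Last week I logged in and the system asked me to confirm my address.
Moderator: And James Carter, did you hit the same screen on 03/14/2024?
James Carter: Yes. I emailed support at james.carter@example.com and called (410) 555-0142.
Moderator: Got it. Maria, anything else?
Maria: It asked for my SSN, 123-45-6789, which surprised me.
"""

# Direct-identifier patterns (assumed starting set; extend it for whatever
# identifiers your sessions actually capture, e.g. beneficiary numbers).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "date": re.compile(
        r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"
        r"|\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}, \d{4}\b"
    ),
}

# Relative time phrases generalized the way the SOP suggests ("last week" -> "recently").
RELATIVE_TIME = {
    "last week": "recently",
    "last month": "recently",
    "yesterday": "recently",
    "this morning": "recently",
}


@dataclass
class AnonymizedTranscript:
    text: str
    key: dict                                   # real name -> participant ID; store apart from the transcript
    counts: dict = field(default_factory=dict)  # what was replaced, for the documentation step


def participant_ids(roster):
    """Assign Participant A, B, ... in roster order (26 participants max with this scheme)."""
    return {name: f"Participant {ascii_uppercase[i]}" for i, name in enumerate(roster)}


def _match_case(generic, matched):
    """Keep sentence-initial capitalization when swapping in a generic phrase."""
    return generic.capitalize() if matched[0].isupper() else generic


def anonymize(transcript, roster):
    """Replace names, direct identifiers and specific times in a transcript."""
    key = participant_ids(roster)
    counts = {}

    # Map full names and first names to IDs. If two participants share a first
    # name, the bare first name is ambiguous and must be resolved by hand.
    aliases = dict(key)
    for name, pid in key.items():
        aliases.setdefault(name.split()[0], pid)
    # Longest alias first so "Maria Lopez" wins over "Maria".
    name_re = re.compile(
        r"\b(" + "|".join(map(re.escape, sorted(aliases, key=len, reverse=True))) + r")\b"
    )
    text, counts["name"] = name_re.subn(lambda m: aliases[m.group(1)], transcript)

    for label, pattern in PATTERNS.items():
        text, counts[label] = pattern.subn(f"[{label} redacted]", text)

    counts["relative_time"] = 0
    for phrase, generic in RELATIVE_TIME.items():
        text, n = re.subn(
            re.escape(phrase),
            lambda m, g=generic: _match_case(g, m.group(0)),
            text,
            flags=re.IGNORECASE,
        )
        counts["relative_time"] += n
    return AnonymizedTranscript(text, key, counts)


def residual_identifiers(text, roster):
    """Review step: list anything still resembling a roster name or direct identifier."""
    findings = []
    for name in roster:
        for token in (name, name.split()[0]):
            if re.search(r"\b" + re.escape(token) + r"\b", text):
                findings.append(("name", token))
    for label, pattern in PATTERNS.items():
        findings.extend((label, m.group(0)) for m in pattern.finditer(text))
    return findings


if __name__ == "__main__":
    roster = ["Maria Lopez", "James Carter"]
    result = anonymize(SAMPLE_TRANSCRIPT, roster)
    print(result.text)
    print("replacements:", result.counts)
    print("residual identifiers:", residual_identifiers(result.text, roster))
```

The `key` mapping real names to participant IDs is itself PII: keep it with the raw data in the ISSO-approved system, never alongside the anonymized transcript. The residual check only catches the patterns it knows about; indirect identifiers such as job titles, employer names or small-town references still need the human review the SOP calls for.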
Appendix
The 18 PHI (Protected Health Information) identifiers are specific pieces of information that, when linked with health data, can be used to identify an individual. They are defined by the Safe Harbor de-identification standard of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR 164.514(b)) and include the following:
- Names
- Geographic subdivisions smaller than a state
- Dates (except year) directly related to an individual (such as birthdate, admission date, discharge date, and date of death), and any age over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- Internet Protocol (IP) address numbers
- Biometric identifiers (including fingerprints and voiceprints)
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
It's important to note that the unauthorized use or disclosure of PHI is prohibited under HIPAA regulations to protect individuals' privacy and confidentiality.

Additional Resources
- Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Rev. 5)
- Federal Information Security Management Act (FISMA)
- Federal Risk and Authorization Management Program (FedRAMP)
- CMS Information Security & Privacy Group: Privacy
- CMS Privacy Program Plan
- QualityNet Security CMS Policy
- QualityNet Atlassian Security Policy

*Thanks to contributions from the QPP and MACBIS HCD communities