The Two Faces of CMS IT

As I mentioned in last week’s article, I attended the Healthcare Analytics symposium in Chicago a couple weeks ago.  During this meeting, Niall Brennan, CMS Chief Data Officer, spoke about recent advances and future enhancements to data and systems provided by CMS for the healthcare community.

He described the new “Blue Button Initiative” where CMS and the VA are providing the public access to “synthetic sample data sets for the purpose of fostering innovation and enabling industry stakeholders to provide feedback for future development.”

He discussed the new CMS Virtual Research Data Center (VRDC).  This system allows users to access approved data files within a virtual environment that is supposed to keep this data private and secure.  Users can purchase their own workspace in this environment and upload their own data to generate queries against related CMS information.

Two Faces of CMS IT

These systems use advanced concepts and tools that will undoubtedly provide benefits for providers and vendors who are on the leading edge of analytics and are experienced in leveraging this information in new and innovative ways.

As an organization that deals regularly with CMS on many different fronts, this information was both exciting, and frustrating.  Although the possibility of accessing and examining this new data was enticing, all I could think about at the time was the immense gap between the CMS he was describing, and the technology I saw in use every day by our customers.

Although this new technology will provide historical claim data in advanced and useful formats, current claims are processed using some of the oldest computer environments still in existence.  Each day, thousands of users log on to IBM mainframe computers running COBOL software developed in the early 1980s to look up claim data, enter new claims, and correct suspended claims.  These green screen systems represent a majority of CMS IT services used by providers each day.

During a question and answer session after Mr. Brennan’s presentation, I pointed out this disparity between the CMS he described and the CMS most of us knew.  He sheepishly explained that limited funding prevented the transition of these systems, in existence for over 30 years, to a more modern solution.  I pointed out that if he simply applied the tools he described for historical data, especially the ability to extract and export/import the Common Working File data in a CSV format, that vendors could develop new systems in a matter of months that would render DDE obsolete, with no additional investment from CMS.  I did not get a response.

In addition to the outdated technology associated with this process, the DDE system is not considered HIPAA compliant for privacy protection based on modern definitions and practices.   DDE allows for the search of claim data using partial names.  For any vendor of healthcare information systems, this would be a serious problem since it allows access to data for people you are not looking for specifically.

Even the most basic element of information, the Medicare number, presents serious issues for patient privacy since the heart of this number is the Social Security Number.  This can be used for gathering other information on beneficiaries and reconstructing the data needed to access valuable credit and financial information used in identity theft.  Seniors are the most common victims of identity theft, so this is a significant problem.

For over a decade, federal agencies have recommended removing the SSN from the Medicare ID card, but CMS argues that the cost prevents this happening.

In Missouri, the Social Security Number was used as the driver’s license number over a decade ago.  This practice was discontinued because of the danger in distributing this number through this publically available document.  It is hard to imagine that the Missouri DMV has more resources than CMS.

In April, Obama signed a bill requiring HHS to issue new cards that do not display, code or embed the SSN in the Medicare ID card.  This bill allows HHS four years to get this accomplished.

I seriously doubt that if healthcare providers still used the SSN in publicly distributed information, that they would be given the same latitude.

I applaud CMS on their new tools for proving historical data for analysis, but their existing systems for current data processing and collection provide serious obstacles to the growth of healthcare IT and put the financial welfare of beneficiaries at risk.  Despite their self-assessment as being innovative and responsive to the industry, they lack any serious commitment in addressing the most basic needs of the industry regarding healthcare IT and HIPAA compliance.  This is not an issue of money, planning or resources.  It is an issue of leadership and the inability to focus on the real issues affecting the industry and the taxpayer.


By Kalon Mitchell, President – MEDTranDirect