Managing the CMS Enterprise Privacy Policy Engine (EPPE) to Secure Sensitive Data

NewWave Spares Nothing to Secure Sensitive Data: On the black market, a stolen social security number might be worth around 10 cents, while a credit card number goes for around 25 cents. An electronic health record, on the other hand, can sell for hundreds or even thousands of dollars, making it among the most valuable information targeted by criminal hackers. Controlling access to this data requires the highest degree of vigilance possible, and NewWave has been entrusted with developing and managing the Centers for Medicare and Medicaid Services Enterprise Privacy Policy Engine system. The EPPE system audits use and dissemination of the biggest dataset of health records in the nation – covering nearly half of the total American population.

Privacy is Paramount: Health records contain a wealth of exploitable data including demographic information, the history of where people have lived, their places of employment, names of their relatives, credit card and bank account numbers. It’s the single-most comprehensive record about personal identity that exists.

Health records are valuable not only to medical researchers who derive valuable insights about diseases and treatments from this rich, massive source of data, but to criminals too. For this reason, the federal government makes it available to entities such as CMS contractors, researchers and other federal/state agencies in a manner that protects individual privacy, through a role- based electronic system for data use agreements (DUA).

What NewWave has done for this project is, first, replace the paper-based process in which entities previously had to request access to healthcare datasets. Next, we modernized the process into an electronic platform. This in itself was a massive undertaking that involved successfully mediating between all the important stakeholders, to establish consensus on requirements for the new electronic request-and-approval system.

Once this crucial first step of gathering requirements to modernize the process was complete, NewWave built a role-based system that tracks the DUA process from an original point of request, all the way through approval/denial, payment and data dissemination.

Forty different sources which distribute data to approved entities were engaged by NewWave into a single platform, providing an end-to-end workflow and a comprehensive auditing trail, including tracking of access to highly sensitive health records. Today, EPPE provides an enterprise-scale auditing system for usage of healthcare data, used throughout the largest health payer in the nation.

Sensitive personal health care data represent a double-edge sword.

On one side of the sword, the data can expose individuals to criminal exploitation, potential identity theft, or blackmail. On the other side, providing legitimate researchers access to health records in an efficient, user-friendly, and highly secure way contributes to insights that can lead to new treatments and improved health outcomes.

At NewWave, we operate every day on the cutting edge of protecting the most valuable data in the world, protecting against risk while enabling secure access that creates positive economic and social benefits.

We always put security first, and we keep our eyes on the prize, which means auditing access to data with the highest degree of care, technology, and best practices. Because at NewWave, we solve for the greater good.