Data & Reporting
The types of data involved with the National Diabetes Prevention Program (National DPP) lifestyle change program and the processes and protocols by which that data are shared among parties are similar to other data and data-sharing processes used by commercial health insurance plans and self-insured employers in their normal business operations with vendors and with medical providers.
The unique issue with the National DPP lifestyle change program is that some CDC-recognized organizations are community-based, non-clinical entities that may have no or little experience operating in the health care delivery system. While linking community-based organizations with the health care delivery system is an innovative approach that supports the overall goals of improving health outcomes and reducing health disparities, commercial plans and employers may need to work with the CDC-recognized organizations they contract with to ensure that these organizations have the capability to exchange data necessary for program participation and to comply with all relevant statutory and regulatory requirements pertaining to privacy and data security.
Types of Data
Commercial plans, employers, CDC-recognized organizations, and third-party administrators (TPAs), if used, will need to establish procedures to exchange the following data:
- Program enrollee contact information
- CDC-recognized organization encounter data
- Claims data
- Cost data
- Participant attendance and weight loss data (as desired or appropriate)
CDC-recognized organizations maintain attendance logs and weigh-in information and aggregate the data being tracked (i.e., attendance, weight, minutes of exercise, etc.) as required by the CDC’s Diabetes Prevention Recognition Program (DPRP), which sets the standards for CDC recognition and serves as a neutral quality assurance function to assure quality and fidelity to scientific evidence. Note: Only commercial plans or employers that elect to become a CDC-recognized organization are required to submit data to CDC. While CDC-recognized organizations are free to share program data with their third-party partners, the CDC will not provide such data to commercial plans or employers.
Data Process Flows
The following are the key process flows/data exchange frameworks that the relevant parties will need to put in place to facilitate program participation, to ensure an appropriate reimbursement framework is established between CDC-recognized organizations and the commercial plan, and to support program evaluation:
1. Commercial plan submission of member lists to CDC-recognized organizations, generated based on an analysis of historical claims data, to identify enrollees for outreach efforts.
2. Physician group and hospital submission of electronic health record (EHR) data to a commercial plan or CDC-recognized organization to identify enrollees for outreach efforts. (For more information, see Program Delivery: Screening & Identification)
3. CDC-recognized organization submission of a claim or invoice and encounter data to the commercial plan, employer, or TPA for reimbursement and evaluation purposes.
4. CDC-recognized organization collection, and submission to CDC, of required program evaluation data elements for purposes of receiving pending, preliminary, and full recognition. (For more information, see DPRP requirements)
Note: The footnotes in the graphic correspond to the numbers in the text above.
Data Security and Regulatory Compliance
Commercial plans and employers will want to ensure that CDC-recognized organizations with which they contract have the capacity to meet all statutory and regulatory requirements pertaining to privacy and data security. At a basic level, CDC-recognized organizations will need to be able to ensure the privacy and confidentiality of the data their program participants will be sharing with them.
Business Associate Agreement (BAA) or Data Use Agreement (DUA)
CDC-recognized organizations will also need to be aware of and able to comply with all relevant requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act). In addition, CDC-recognized organizations will need to be aware of, and able to comply with, any separate state privacy and data security statutes and relevant regulatory requirements issued by state insurance commissioners or other state regulatory authorities.
Commercial plans and employers will enter into agreements with the CDC-recognized organizations they contract with to ensure data security and regulatory compliance. A Business Associate Agreement or Data Use Agreement will likely be used and may include the following elements:
- Permitted and prohibited uses of Protected Health Information (PHI) and nonpublic personal financial information: Outlines that uses of PHI and nonpublic personal financial information must comply with all applicable privacy and security laws, including HIPAA.
- Obligations for privacy and security breaches: Outlines that a CDC-recognized organization may have obligations, such as reporting obligations, if there is a privacy or security breach. Examples of breaches include information systems being exposed to a virus or worm, an individual using company data through unauthorized access, an attack compromising a server, or unauthorized access or disclosure of PHI.
- Obligations upon termination: Outlines obligations upon the conclusion of a BAA, including the return or destruction of PHI or continued protection of PHI.
- Required security controls: Required security controls may include:
  - Information security program – such as written policies for security and the identity of the individual responsible for enforcement of the security program.
  - Audit plan – may include who can complete an audit and how frequently the audit must be conducted.
  - Approved encryption – required use of approved encryption for the transfer of confidential information to and from the commercial plan or employer and to and from third parties.
  - Network and systems security programs/tools – required use of security programs such as an industry-standard malware detection program, an intrusion detection or prevention system, and firewalls that separate networks containing confidential information from public networks. Commercial plans or employers may also require third-party annual penetration testing of both internal and external systems.
  - Data destruction agreement – outlines the type of data that must be destroyed, the circumstances under which destruction is required, and the method of destruction required.
  - Physical and system controls – may include required use of endpoint protection for remote access to confidential information, keeping operating systems updated, safeguarding hard copies with a clean desk policy, and/or retaining visitor logs for the facility.
  - Controls on workforce members accessing information – examples include background checks prior to providing employee access to confidential information, only providing access to employees who have a legitimate need to use the information as part of their job responsibilities, using IDs and passwords to access confidential information, and providing security awareness training prior to granting employees access to confidential information.
  - Cloud storage controls – additional controls may be necessary if data is stored using a cloud-based technology.
  - Business continuity and disaster recovery plan – plans outlining the critical information an organization needs to continue operating during an unplanned event or disaster need to be documented and tested regularly.
  - Incident response plan – to be documented and tested regularly.
Data Sharing and Ownership
It is critical that all parties have a clear understanding of National DPP lifestyle change program data sharing and ownership needs, and that all agreements pertaining to data sharing and ownership are reflected in any relevant contracts, business associate agreements, and memoranda of understanding. This is especially key for CDC-recognized organizations.
Local CDC-recognized organizations may need to share data with their parent organization or a third-party program evaluator. These organizations are required to share program data with the CDC. Note: CDC-recognized organizations do not need a data-sharing agreement with the CDC, and thus will need assurance that they have the agreement of commercial plans, employers, or TPAs to do so.