

Data & Reporting


The types of data involved with the National Diabetes Prevention Program (National DPP) lifestyle change program and the processes and protocols by which that data is shared among parties are similar to other data and data-sharing processes used by state Medicaid agencies and Medicaid managed care organizations (MCOs) in their normal business operations with each other and with medical providers.

The unique issue at play with the National DPP lifestyle change program is that some CDC-recognized organizations are community-based, non-clinical entities that may have no or little experience operating in the health care delivery system. While linking community-based organizations with the health care delivery system is an innovative approach that supports the overall goals of improving health outcomes and reducing health disparities, Medicaid MCOs may need to work with their CDC-recognized organizations to ensure that these organizations have the capability to exchange data necessary for program participation and to comply with all relevant statutory and regulatory requirements pertaining to privacy and data security.


Types of Data

Medicaid MCOs, CDC-recognized organizations, and third-party administrators (TPAs), if used, will need to establish procedures to exchange the following data:

  • Medicaid eligibility information
  • Program enrollee contact information
  • CDC-recognized organization encounter data
  • Claims data
  • Cost data

CDC-recognized organizations maintain attendance logs and weigh-in information and aggregate the data being tracked (i.e., attendance, weight, minutes of exercise, etc.) as required by the CDC’s Diabetes Prevention Recognition Program (DPRP), which sets the standards for CDC recognition and serves as a neutral quality assurance function to assure quality and fidelity to scientific evidence. Note: Only MCOs that elect to become CDC-recognized organizations are required to submit data to CDC. While CDC-recognized organizations are free to share program data with their MCO partners, the CDC will not provide such data to the MCOs.


Data Process Flows

The following are the key process flows/data exchange frameworks that the relevant parties will need to put in place to facilitate program participation, to ensure an appropriate reimbursement framework is established between CDC-recognized organizations and the MCO, and to support program evaluation:

  1. CDC-recognized organization access to Medicaid eligibility data from the state Medicaid agency to confirm that an individual eligible for the National DPP lifestyle change program is enrolled in Medicaid.
  2. MCO submission of member lists, generated based on an analysis of historical claims data, to CDC-recognized organizations to identify potential enrollees for outreach efforts.
  3. Physician group and hospital submission of electronic health record (EHR) data to a Medicaid MCO or CDC-recognized organization to identify enrollees for outreach efforts. (For more information, see Program Delivery: Screening & Identification)
  4. CDC-recognized organization submission of a claim or invoice and encounter data to the state Medicaid agency or Medicaid MCO (or TPA, if used) for reimbursement and evaluation purposes.
  5. CDC-recognized organization or Medicaid MCO submission of a claim or invoice and encounter data as a way to track quality improvements, meet program integrity, or ensure compliance in case of audit.
  6. CDC-recognized organization collection of and submission to CDC of required program evaluation data elements for purposes of receiving “pending” and “full recognition” National DPP lifestyle change program designation status. (For more information, see DPRP requirements)
  7. Medicaid MCO submission of program cost data to state Medicaid agency for purposes of refining health plan rates.

Note: The footnotes in the graphic correspond to the numbers in the text above.



Data Security and Regulatory Compliance

Medicaid MCOs will want to ensure that CDC-recognized organizations with which they work have the capacity to meet all statutory and regulatory requirements pertaining to privacy and data security. At a basic level, CDC-recognized organizations will need to be able to ensure the privacy and confidentiality of the data their program participants will be sharing with them.

Business Associate Agreement (BAA) or Data Use Agreement (DUA)

CDC-recognized organizations will need to be aware of and able to comply with all relevant requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act). In addition, CDC-recognized organizations will need to be aware of and able to comply with any separate state privacy and data security statutes and relevant regulatory requirements issued by state insurance commissioners or other state regulatory authorities.

Medicaid MCOs will enter into agreements with the CDC-recognized organizations they contract with to ensure data security and regulatory compliance. A Business Associate Agreement or Data Use Agreement will likely be used and may include the following elements:

  • Permitted and prohibited uses of Protected Health Information (PHI) and nonpublic personal financial information: Outlines that uses of PHI and nonpublic personal financial information must comply with all applicable privacy and security laws, including HIPAA.
  • Obligations for privacy and security breaches: Outlines that a CDC-recognized organization may have obligations, such as reporting obligations, if there is a privacy or security breach. Examples of breaches include information systems being exposed to a virus or worm, an individual using company data through unauthorized access, an attack compromising a server, or unauthorized access or disclosure of PHI.
  • Obligations upon termination: Outlines obligations upon the conclusion of a BAA, including the return or destruction of PHI or continued protection of PHI.
  • Required security controls: The agreement may require controls such as the following:
    • Information security program – such as written policies for security and the identity of the individual responsible for enforcement of the security program.
    • Audit plan – may include who can complete an audit and how frequently the audit must be conducted.
    • Approved encryption – required use of approved encryption for the transfer of confidential information to and from the Medicaid MCO and to and from third parties.
    • Network and systems security programs/tools – required use of security programs such as an industry-standard malware detection program, an intrusion detection or prevention system, and firewalls that separate networks containing confidential information from public networks. Medicaid MCOs may also require third-party annual penetration testing of both internal and external systems.
    • Data destruction agreement – outlines the type of data that must be destroyed, the circumstances under which destruction is required, and the method of destruction required.
    • Physical and system controls – may include required use of endpoint protection for remote access of confidential information, keeping operating systems updated, safeguarding hard copies with a clean desk policy, and/or retaining visitor logs for the facility.
    • Controls on workforce members accessing information – examples include background checks prior to providing employee access to confidential information, only providing access to employees who have a legitimate need to use the information as part of their job responsibilities, using IDs and passwords to access confidential information, and providing security awareness trainings prior to granting employees access to confidential information.
    • Cloud storage controls – additional controls may be necessary if data is stored using a cloud-based technology.
    • Business continuity and disaster recovery plan – plans outlining the critical information an organization needs to continue operating during an unplanned event or disaster need to be documented and tested regularly.
    • Incident response plan – to be documented and tested regularly.



Data Sharing and Ownership

It is critical that all parties have a clear understanding around National DPP lifestyle change program data sharing and ownership needs and that all agreements pertaining to data sharing and ownership are reflected in any relevant contracts, business associate agreements, and memoranda of understanding. This is especially key for CDC-recognized organizations.

Local CDC-recognized organizations may need to share data with their parent organization or a third-party program evaluator. These organizations are required to share program data with the CDC. Note: CDC-recognized organizations do not need a data-sharing agreement with the CDC, and thus will need assurance that they have the agreement of Medicaid MCOs to share such data.