Data & Reporting

The types of data involved with the National Diabetes Prevention Program (National DPP) lifestyle change program and the processes and protocols by which that data is shared among parties are similar to other data and data-sharing processes used by payers (e.g., state Medicaid agencies, Medicaid managed care organizations (MCOs), and commercial plans) in their normal business operations with each other and with medical providers. For example, CDC-recognized organizations will need to be aware of and able to comply with all relevant requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act). In addition, CDC-recognized organizations will need to be aware of and able to comply with any separate state privacy and data security statutes and relevant regulatory requirements issued by state insurance commissioners or other state regulatory authorities.

The unique issue at play with the National DPP lifestyle change program is that some CDC-recognized organizations are community-based, non-clinical entities that may have no or little experience operating in the health care delivery system. While linking community-based organizations with the health care delivery system is an innovative approach that supports the overall goals of improving health outcomes and reducing health disparities, payers may need to leverage existing internal and external resources (e.g., MCO provider relation teams, public health departments, national partners, etc.) to work with their contracted CDC-recognized organizations to ensure that these organizations have the capability to exchange data necessary for program participation and to comply with all relevant statutory and regulatory requirements pertaining to privacy and data security.


Types of Data

Payers, CDC-recognized organizations, and third-party organizations, if used, will need to establish procedures to exchange the following data:

  • Medicaid eligibility information
  • Program enrollee contact information
  • CDC-recognized organization encounter data
  • Claims data
  • Cost data

CDC-recognized organizations maintain participant data such as attendance, weight, minutes of exercise, etc., as required by the CDC’s Diabetes Prevention Recognition Program (DPRP), which sets the standards for CDC recognition and serves as a neutral quality assurance function to assure quality and fidelity to scientific evidence.

Note: Only entities that elect to become CDC-recognized organizations are required to submit deidentified data to CDC.


Data Process Flows

The following are the key process flows/data exchange frameworks that the relevant parties will need to put in place to facilitate program participation, to ensure an appropriate reimbursement framework is established between CDC-recognized organizations and applicable payers, and to support program evaluation:

Medicaid Agencies

  1. Beneficiaries are enrolled in Medicaid and are eligible for services at the time the services are furnished.
  2. Physician groups and hospitals may provide electronic health record data to identify enrollees for outreach efforts (for more information, see Screening & Identification).
  3. To the extent the State requires it to be documented, maintain evidence that the participant is eligible to take part in the National DPP lifestyle change program.
  4. CDC-recognized organization submission of a claim or invoice and encounter data to the state Medicaid agency for reimbursement and evaluation purposes.
  5. CDC-recognized organization collection of, and submission to CDC of, the required program evaluation data elements for purposes of receiving “pending,” “preliminary,” or “full recognition” designation status (for more information, see DPRP requirements).
  6. Experience has shown that provider referrals and sharing National DPP lifestyle change program results with a participant’s primary care provider can increase program enrollment and retention.

Medicaid MCOs

  1. The CDC-recognized organization accesses Medicaid eligibility data from the state Medicaid agency (e.g., via the eligibility verification system) to confirm that an individual eligible for the National DPP lifestyle change program is enrolled in Medicaid.
  2. Physician groups and hospitals can provide evidence of program eligibility as part of a referral and/or outreach effort to a CDC-recognized organization. Data sharing agreements may be required if lists of potential participants are going directly to the CDC-recognized organization for outreach purposes (for more information, see Program Delivery: Screening & Identification).
  3. CDC-recognized organization submission of a claim or invoice to the Medicaid MCO (or third-party organization, if used) for reimbursement and evaluation purposes.
  4. CDC-recognized organization or Medicaid MCO submission of a claim or invoice and encounter data as a way to track quality improvements, meet program integrity requirements, or demonstrate compliance in case of audit.
  5. CDC-recognized organization collection of, and submission to CDC of, the required program evaluation data elements for purposes of receiving “pending,” “preliminary,” and “full recognition” National DPP lifestyle change program designation status (for more information, see DPRP requirements).
  6. Medicaid MCO submission of program cost data to state Medicaid agency for purposes of refining health plan rates.
  7. Experience has shown that provider referrals and sharing National DPP lifestyle change program results with a participant’s primary care provider can increase program enrollment and retention.

Commercial Plans

  1. Commercial plan submission of member lists to CDC-recognized organizations, generated based on an analysis of historical claims data, to identify enrollees for outreach efforts.
  2. Physician group and hospital submission of electronic health record (EHR) data to a commercial plan or CDC-recognized organization to identify enrollees for outreach efforts (for more information, see Program Delivery: Screening & Identification).
  3. CDC-recognized organization submission of a claim or invoice and encounter data to the commercial plan, employer, or third-party organization for reimbursement and evaluation purposes.
  4. CDC-recognized organization collection of, and submission to CDC of, the required program evaluation data elements for purposes of receiving pending, preliminary, and full recognition (for more information, see DPRP requirements).
  5. Experience has shown that provider referrals and sharing National DPP lifestyle change program results with a participant’s primary care provider can increase program enrollment and retention.


Data Security and Regulatory Compliance

Payers will want to ensure that CDC-recognized organizations with which they work have the capacity to meet all statutory and regulatory requirements pertaining to privacy and data security. At a basic level, CDC-recognized organizations will need to be able to ensure the privacy and confidentiality of the data their program participants will be sharing with them.

Business Associate Agreement (BAA) or Data Use Agreement (DUA)

As noted above, CDC-recognized organizations will need to comply with HIPAA, the HITECH Act, and all applicable state privacy and data security statutes and relevant regulatory requirements issued by state insurance commissioners or other state regulatory authorities.

Payers will enter into agreements with the CDC-recognized organizations they contract with to ensure data security and regulatory compliance. A BAA or DUA will likely be used and may include the following elements:

  • Permitted and prohibited uses of Protected Health Information (PHI) and nonpublic personal financial information: outlines that uses of PHI and nonpublic personal financial information must comply with all applicable privacy and security laws, including HIPAA.
  • Obligations for privacy and security breaches: outlines that a CDC-recognized organization may have obligations, such as reporting obligations, if there is a privacy or security breach. Examples of breaches include information systems being exposed to a virus or worm, an individual using company data through unauthorized access, an attack compromising a server, or unauthorized access or disclosure of PHI.
  • Obligations upon termination: outlines obligations upon the conclusion of a BAA, including the return or destruction of PHI or continued protection of PHI.
  • Required security controls: the required security controls may include the following:
    • Information security program – such as written policies for security and the identity of the individual responsible for enforcement of the security program.
    • Audit plan – may include who can complete an audit and how frequently the audit must be conducted.
    • Approved encryption – required use of approved encryption for the transfer of confidential information to and from the Medicaid MCO and to and from third parties.
    • Network and systems security programs/tools – required use of security programs such as an industry standard malware detection program, an intrusion detection or prevention system, and firewalls that separate networks containing confidential information from public networks. Medicaid MCOs may also require third-party annual penetration testing of both internal and external systems.
    • Data destruction agreement – outlines the type of data that must be destroyed, the circumstances under which destruction is required, and the method of destruction required.
    • Physical and system controls – may include required use of endpoint protection for remote access of confidential information, keeping operating systems updated, safeguarding hard copies with a clean desk policy, and/or retaining visitor logs for the facility.
    • Controls on workforce members accessing information – examples include background checks prior to providing employee access to confidential information, only providing access to employees who have a legitimate need to use the information as part of their job responsibilities, using IDs and passwords to access confidential information, and providing security awareness trainings prior to granting employees access to confidential information.
    • Cloud storage controls – additional controls may be necessary if data is stored using a cloud-based technology.
    • Business continuity and disaster recovery plan – plans outlining the critical information an organization needs in order to continue operating during an unplanned event or disaster must be documented and tested regularly.
    • Incident response plan – to be documented and tested regularly.

A sample BAA developed by the American Medical Association (AMA) can be accessed here.


Data Sharing and Ownership

It is critical that all parties have a clear understanding of National DPP lifestyle change program data sharing and ownership needs, and that all agreements pertaining to data sharing and ownership are reflected in any relevant contracts, business associate agreements, and memoranda of understanding. This is especially important for CDC-recognized organizations.

CDC-recognized organizations are required to share deidentified program data with the CDC’s DPRP to maintain recognition. They do not need a data-sharing agreement with the CDC to provide this information. They may also need to share data with their parent organization, a third-party program evaluator, or other entity on a case-by-case basis. For data to be shared with groups other than the CDC, data sharing agreements may be required.