Shared Savings Data Security Requirements: How to Comply with CMS and HIPAA



Kevin Henry

HIPAA

May 27, 2026

10-minute read

Data Use Agreement Compliance

You cannot meet Shared Savings Data Security Requirements without mastering the CMS Data Use Agreement (DUA). The DUA governs how you request, receive, use, store, disclose, and ultimately destroy Beneficiary Identifiable Data, and it binds both your organization and any downstream partners.

Core obligations under the DUA

  • Use and purpose: Limit use of CMS data strictly to authorized program administration, care coordination, quality improvement, or evaluation purposes defined in the DUA.
  • Minimum necessary: Share only the least amount of Beneficiary Identifiable Data required for a task; de-identify or aggregate whenever feasible.
  • Authorized users: Maintain a current roster, complete training before access, and remove access immediately upon role change or separation.
  • Security controls: Enforce strong authentication, encryption in transit, and robust access controls; log all access and disclosures.
  • Restrictions on re-disclosure: Flow down DUA limits to all subcontractors and prohibit unauthorized re-identification or secondary use.
  • Incident response: Detect, investigate, and report suspected breaches without delay in alignment with HIPAA and DUA timelines.
  • Retention and disposition: Follow defined retention periods and document return or certified destruction of CMS data at end-of-use.
  • Audit readiness: Keep complete evidence of compliance and cooperate with CMS audits and inspections.

Handling Beneficiary Identifiable Data

  • Segregate CMS datasets in a secure “safe haven” with network and role-based boundaries.
  • Approve and log each data extract; prohibit local copies unless justified and protected.
  • Use validated de-identification or masking for analytics, testing, and training environments.
  • Restrict outbound transfers to vetted endpoints using hardened protocols (for example, SFTP or mutually authenticated APIs).
  • Ensure downstream parties sign a Data Sharing Agreement that incorporates DUA restrictions and security standards.

Operationalize DUA governance

  • Assign a DUA steward to oversee requests, access certifications, and exception approvals.
  • Map DUA clauses to policies, procedures, and controls; test them through tabletop exercises.
  • Run periodic audits of data locations, logs, and users; remediate gaps with documented action plans.

Developing a Compliance Plan

A written, active compliance plan is the backbone of your Shared Savings data program. It should translate legal and program rules into daily practices and measurable controls that you can certify.

Elements of an effective compliance plan

  • Governance: Name a compliance officer, define a committee, and document accountability for privacy, security, and data stewardship.
  • Risk management: Perform an enterprise and HIPAA Security Rule risk analysis; maintain a risk register with owners and deadlines.
  • Policies and procedures: Align with the HIPAA Privacy Rule and HIPAA Security Rule, the DUA, and your Program Participation Agreement.
  • Training and awareness: Provide role-based training before access and annually; track completion and comprehension.
  • Vendor oversight: Execute BAAs where required and assess vendors handling Beneficiary Identifiable Data.
  • Monitoring and auditing: Define control tests, access reviews, and data quality checks with clear evidence requirements.
  • Incident response: Maintain playbooks, escalation paths, and after-action review templates.
  • Reporting and discipline: Offer confidential reporting channels and apply consistent sanctions for violations.

From plan to practice

  • Crosswalk requirements: Create a matrix linking DUA clauses, HIPAA standards, and PPA obligations to your controls and evidence.
  • Define metrics: Track access recertification rates, incident mean-time-to-contain, policy exceptions, and audit findings closure.
  • Schedule reviews: Update the plan at least annually or after material changes in systems, vendors, or regulations.

Establishing Data Sharing Agreements

Beyond the CMS DUA, you will often need a Data Sharing Agreement with partners who create, receive, maintain, or transmit Shared Savings data on your behalf. A strong agreement reduces ambiguity, codifies security, and ensures flow-down of obligations.

What to include in a Data Sharing Agreement

  • Purpose and scope: Precisely state the datasets, permitted uses, and prohibitions on re-identification or profiling outside scope.
  • Legal basis: Reference the applicable HIPAA relationship (covered entity or business associate) and incorporate the BAA if needed.
  • Minimum necessary: Define processes for justifying fields and limiting Beneficiary Identifiable Data.
  • Security safeguards: Require encryption in transit and at rest, least-privilege access, logging, vulnerability management, and backup protections.
  • Breach handling: Set notification triggers, timelines, cooperation duties, and cost allocation for response.
  • Subcontractors: Prohibit unapproved subcontracting and require equivalent protections and obligations.
  • Audit and assurance: Allow assessments and request independent assurance reports where appropriate.
  • Termination and disposition: Specify return/destruction and certificate of destruction requirements.

Align agreements with HIPAA and the DUA

  • Mirror relevant DUA prohibitions and CMS-specific constraints; your partner should meet or exceed them.
  • Insert explicit language preventing re-disclosure and re-identification of de-identified data.
  • Define data location expectations and prohibit unapproved cross-border storage or transfers if applicable.

Secure transfer and ingestion

  • Use hardened transfer channels (for example, SFTP with key-based auth or TLS-authenticated APIs).
  • Validate files with checksums; scan for malware; verify schema before ingestion.
  • Automate data lineage capture so you always know where Beneficiary Identifiable Data flows and who touched it.
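The ingestion checks above, as an added example that is not code from the original article: a received extract stays in quarantine until its SHA-256 matches the sender's manifest and its header matches the agreed column list, and only then is a lineage record appended. The manifest format, the column names, the sample rows and the `sftp://partner.example` source are all hypothetical; malware scanning is site-specific and left out.

```python
"""Quarantine-and-verify ingestion for a received beneficiary data extract.
Added example; assumes a sender manifest of file name -> SHA-256 hex digest and a
column set agreed in the Data Sharing Agreement (both hypothetical here)."""
import csv
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical agreed schema: every column must be justified as minimum necessary.
EXPECTED_COLUMNS = ["bene_id", "claim_id", "service_date", "provider_npi", "paid_amt"]

# Constructed sample rows (fake identifiers, not real beneficiary data).
SAMPLE_ROWS = [
    ["1S00A00AA00", "C0001", "2024-01-15", "1234567893", "120.50"],
    ["1S00A00AA01", "C0002", "2024-02-03", "1234567893", "89.00"],
]


class IngestionRejected(Exception):
    """The file failed a check and stays in quarantine, never reaching the safe haven."""


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so large extracts never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_checksum(path, expected_hex):
    """Bytes on disk must match what the sender attested to in the manifest."""
    actual = sha256_of(path)
    if not hmac.compare_digest(actual, expected_hex.lower()):
        raise IngestionRejected(f"checksum mismatch for {os.path.basename(path)}")
    return actual


def verify_schema(path, expected_columns):
    """Header must equal the agreed column list exactly: an unexpected extra column
    is how unapproved identifiers sneak into a 'minimum necessary' feed.
    Returns the data row count for the lineage record."""
    with open(path, newline="") as fh:
        reader = csv.reader(fh)
        header = next(reader, [])
        if header != expected_columns:
            raise IngestionRejected(f"schema mismatch: expected {expected_columns}, got {header}")
        return sum(1 for _ in reader)


def ingest(path, manifest, lineage_log, source, received_by):
    """Run the checks in order, then append one JSON line to the lineage log.
    A malware scan would sit between the checksum and schema steps (site-specific, omitted)."""
    name = os.path.basename(path)
    if name not in manifest:
        raise IngestionRejected(f"{name} is not listed in the manifest")
    digest = verify_checksum(path, manifest[name])
    rows = verify_schema(path, EXPECTED_COLUMNS)
    record = {
        "file": name, "sha256": digest, "rows": rows, "source": source,
        "received_by": received_by, "checks": ["sha256", "schema"],
        "received_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(lineage_log, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def _write_csv(path, columns, rows):
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(columns)
        writer.writerows(rows)
    return path


def _attempt(path, manifest, log, source):
    try:
        ingest(path, manifest, log, source, "svc-ingest")
        return "accepted"
    except IngestionRejected as exc:
        return str(exc)


def demo():
    """Three constructed cases: a clean file, a file altered after the manifest was
    produced, and a file with an honest digest but an unapproved extra column."""
    work = tempfile.mkdtemp()
    log = os.path.join(work, "lineage.jsonl")
    source = "sftp://partner.example/outbound"

    good = _write_csv(os.path.join(work, "claims_2024q1.csv"), EXPECTED_COLUMNS, SAMPLE_ROWS)
    manifest = {"claims_2024q1.csv": sha256_of(good)}
    accepted = ingest(good, manifest, log, source, "svc-ingest")

    with open(good, "a", newline="") as fh:  # tamper after the sender attested to the digest
        fh.write("1S00A00AA02,C0003,2024-03-09,1234567893,15.00\n")
    checksum_outcome = _attempt(good, manifest, log, source)

    extra = _write_csv(os.path.join(work, "claims_2024q2.csv"),
                       EXPECTED_COLUMNS + ["ssn"], [r + ["000-00-0000"] for r in SAMPLE_ROWS])
    manifest["claims_2024q2.csv"] = sha256_of(extra)  # digest is honest, schema is not
    schema_outcome = _attempt(extra, manifest, log, source)
    return accepted, checksum_outcome, schema_outcome
```

The order of checks matters: the digest is verified before the file is parsed, so a tampered or truncated file never reaches the CSV reader, and the lineage record is written only after both checks pass, so the log never claims a file was accepted that was not. Calling `demo()` returns the accepted record plus the two rejection messages.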

Ensuring HIPAA Compliance

Shared Savings Data Security Requirements sit atop HIPAA. You must satisfy both the HIPAA Privacy Rule and HIPAA Security Rule whenever Protected Health Information is involved, including CMS claims data linked to identifiable beneficiaries.


Privacy Rule essentials

  • Apply minimum necessary to disclosures and internal access; tailor role-based permissions to job duties.
  • Use and disclose PHI only for treatment, payment, health care operations, and other permitted purposes, or with valid authorization.
  • Execute BAAs with business associates; ensure downstream partners mirror your restrictions.
  • Prefer de-identified or limited data sets with proper data use terms when full identifiers are not required.

Security Rule safeguards

  • Administrative: Conduct risk analysis, assign a security official, manage workforce security, and plan for incidents and contingencies.
  • Physical: Control facility access, secure workstations and devices, and protect media during transport and disposal.
  • Technical: Enforce unique user IDs, strong authentication, access controls, audit logs, integrity checks, and transmission security.

Common pitfalls to avoid

  • Overbroad access to data lakes or analytics platforms without minimum-necessary enforcement.
  • Shadow IT and unsanctioned data copies on endpoints or collaboration tools.
  • Missing or outdated Business Associate Agreements with critical vendors.
  • Insufficient logging, monitoring, and access recertification cadence.

Managing Program Participation Agreements

The Program Participation Agreement defines your obligations to CMS for program integrity, data stewardship, and compliance. Treat it as a binding operational playbook, not just a contract.

Key provisions to operationalize

  • Governance and oversight: Maintain documented committees, charters, and escalation paths.
  • Data handling: Adhere to permitted uses, retention, and destruction terms; enforce restrictions on re-disclosure.
  • Beneficiary protections: Respect privacy choices and communications expectations within program rules.
  • Reporting and cooperation: Meet reporting duties and support inquiries, audits, or investigations.
  • Record retention: Keep evidence for required periods, including logs, training, and certification artifacts.

Align the PPA with daily operations

  • Create a control library mapping PPA clauses to owners, systems, and proof artifacts.
  • Include PPA checkpoints in project and vendor onboarding workflows.
  • Run readiness reviews before renewals or material changes to demonstrate continuous compliance.

Certifying Data Sharing Requirements

Certification is where policy meets proof. Your Compliance Plan Certification and related attestations confirm that you implemented the controls you claim and that you continuously monitor them.

What to certify and the evidence to keep

  • Executed DUAs, BAAs, and each Data Sharing Agreement with scope, datasets, and security addenda.
  • HIPAA risk analysis results, remediation plans, and closure evidence.
  • Access governance artifacts: role definitions, approvals, quarterly recertifications, and termination logs.
  • Security configurations: encryption settings, key management procedures, vulnerability scans, and patch reports.
  • Training records: curricula, completion logs, and role-specific modules.
  • Incident response materials: playbooks, exercises, post-incident reviews, and breach notifications (if any).
  • Data lifecycle proofs: inventories, retention schedules, and certificates of destruction.

Annual certification cycle

  • Pre-attestation checklist tying each requirement to evidence and control owners.
  • Independent internal audit or third-party review of high-risk controls.
  • Management and board sign-off; track corrective actions to closure with due dates.

Leverage tooling and automation

  • Use a GRC repository for policies, controls, tests, and evidence versioning.
  • Automate access reviews, configuration baselines, and alerting on drift.
  • Maintain a single source of truth for data inventories and lineage.

Implementing Data Security Measures

Technical, administrative, and physical safeguards turn policy into protection. Build a layered program that anticipates misuse, mistakes, and malicious actors while enabling care coordination and analytics.

Technical safeguards to prioritize

  • Identity and access: Single sign-on, multifactor authentication, least-privilege roles, and just-in-time elevation.
  • Encryption: Protect data in transit and at rest with strong, modern cryptography; manage keys securely and rotate them on schedule.
  • Network and platform security: Segment sensitive environments, harden baselines, and continuously patch and scan.
  • Endpoint protection: Deploy EDR, restrict removable media, and manage mobile devices with MDM.
  • Data controls: Log and monitor access, enable DLP where appropriate, and mask or tokenize Beneficiary Identifiable Data in non-production.
  • Reliability: Maintain immutable backups, test restores, and document disaster recovery plans with explicit recovery-time and recovery-point objectives.
  • Application and API security: Integrate secure SDLC, code scanning, secrets management, and rigorous change control.
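The masking and tokenization of Beneficiary Identifiable Data for non-production environments, mentioned here and earlier under handling of CMS datasets, as an added example that is not code from the original article. It replaces identifiers with HMAC-SHA256 tokens under a secret key, drops direct identifiers, masks names and generalizes dates, and then shows why an unkeyed hash is not enough: a dictionary attack over the identifier space recovers plain hashes but not keyed tokens. Field names and sample records are hypothetical; the key is generated inline for the demo, whereas in practice it stays in production key management and is never deployed to non-production.

```python
"""Keyed tokenization and masking of beneficiary identifiers for non-production.
Added example; field names are hypothetical and the records are constructed."""
import hashlib
import hmac
import secrets

DROP = ("ssn", "phone", "street")            # direct identifiers: removed outright
TOKENIZE = ("bene_id", "claim_id")           # replaced by keyed tokens
DATE_FIELDS = ("dob", "service_date")        # generalized to year only
NAME_FIELDS = ("first_name", "last_name")    # masked to an initial

# Constructed sample records (fake identifiers, not real beneficiary data).
SAMPLE = [
    {"bene_id": "1S00A00AA00", "claim_id": "C0001", "first_name": "Jane", "last_name": "Doe",
     "ssn": "000-00-0000", "dob": "1950-06-21", "service_date": "2024-01-15", "paid_amt": "120.50"},
    {"bene_id": "1S00A00AA00", "claim_id": "C0002", "first_name": "Jane", "last_name": "Doe",
     "ssn": "000-00-0000", "dob": "1950-06-21", "service_date": "2024-02-03", "paid_amt": "89.00"},
    {"bene_id": "1S00A00AA01", "claim_id": "C0003", "first_name": "Ravi", "last_name": "Patel",
     "ssn": "000-00-0001", "dob": "1962-11-02", "service_date": "2024-02-10", "paid_amt": "15.00"},
]


def keyed_token(value, key):
    """HMAC-SHA256 under a secret key. Deterministic, so the same bene_id maps to the
    same token and joins across tables still work; without the key an attacker cannot
    enumerate the small identifier space to reverse it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:20]


def unkeyed_hash(value):
    """The weak alternative teams often reach for first; kept only to show the attack."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:20]


def mask_name(name):
    return name[:1] + "*" * (len(name) - 1)


def deidentify(record, key):
    """Return the non-production copy of one record."""
    out = {}
    for field, value in record.items():
        if field in DROP:
            continue
        if field in TOKENIZE:
            out[field] = keyed_token(value, key)
        elif field in DATE_FIELDS:
            out[field] = value[:4]
        elif field in NAME_FIELDS:
            out[field] = mask_name(value)
        else:
            out[field] = value
    return out


def dictionary_attack(observed, candidates, hash_fn):
    """Re-identification attempt: hash every plausible identifier and look the observed
    values up. Works whenever the transformation is unkeyed and the space is enumerable."""
    table = {hash_fn(c): c for c in candidates}
    return {h: table[h] for h in observed if h in table}


def demo():
    key = secrets.token_bytes(32)
    deid = [deidentify(r, key) for r in SAMPLE]
    # The attacker's candidate list: here the real IDs plus a decoy; for a real
    # identifier format it would be the whole generatable space.
    candidates = [r["bene_id"] for r in SAMPLE] + ["1S00A00AA99"]
    weak = [unkeyed_hash(r["bene_id"]) for r in SAMPLE]
    strong = [d["bene_id"] for d in deid]
    return (deid,
            dictionary_attack(weak, candidates, unkeyed_hash),
            dictionary_attack(strong, candidates, unkeyed_hash))
```

One caveat a practitioner should keep in view: a keyed token derived from the identifier is pseudonymization, not de-identification. The HIPAA Safe Harbor method does not allow a re-identification code that is derived from information about the individual, so tokenized non-production data should still be treated as PHI unless an expert determination says otherwise. The logging, access control and agreement obligations described above therefore continue to apply to the masked copy.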

Administrative and physical safeguards

  • Policy and training: Keep policies current and ensure role-based, scenario-driven training.
  • Workforce lifecycle: Vet roles, approve access before provisioning, and remove access at offboarding.
  • Facility security: Control entry, secure server rooms, and track visitors and media.

Incident response and breach notification

  • Prepare: Define incident categories, on-call rotations, and communication plans.
  • Respond: Contain, eradicate, and recover using documented playbooks and forensics support.
  • Assess: Conduct a HIPAA four-factor risk assessment to determine if notification is required.
  • Notify: If a breach is confirmed, provide notifications without unreasonable delay and within required timelines; the HIPAA Breach Notification Rule caps this at 60 calendar days from discovery, and the DUA may require faster reporting to CMS.
  • Improve: Perform after-action reviews and update controls, training, and agreements as needed.

Third-party and cloud governance

  • Due diligence: Evaluate security posture, financial stability, and regulatory history of vendors.
  • Contracts: Ensure BAAs and Data Sharing Agreements include flow-down of DUA and HIPAA obligations.
  • Controls: Require evidence of access controls, logging, encryption, backup practices, and vulnerability remediation.
  • Continuous oversight: Monitor SLAs, incidents, and audit results; enforce corrective actions.

Conclusion

Compliance with CMS and HIPAA in the Shared Savings context demands disciplined governance, precise agreements, rigorous safeguards, and defensible certification. By aligning your DUA obligations, HIPAA requirements, Program Participation Agreement, and Data Sharing Agreements with day-to-day security controls, you create a program that protects beneficiaries, supports care, and stands up to audits.

FAQs

What are the key elements of a Data Use Agreement?

A Data Use Agreement (DUA) defines permitted uses, authorized users, and “minimum necessary” limits; mandates security controls, logging, and training; restricts re-disclosure and re-identification; sets breach reporting and cooperation duties; and specifies retention, return, or certified destruction plus audit rights and sanctions for violations.

How do ACOs certify HIPAA compliance?

ACOs certify by performing a HIPAA risk analysis, implementing Privacy and Security Rule safeguards, executing BAAs, training the workforce, testing incident response, and maintaining evidence. They then complete required attestations—often as part of Compliance Plan Certification—and retain documentation that substantiates each control.

What measures ensure the security of shared savings data?

Strong identity and access management, encryption in transit and at rest, segmented networks, continuous patching and scanning, monitored logs, DLP where needed, secure transfer channels, immutable backups, and vendor oversight form a layered defense that protects Beneficiary Identifiable Data throughout its lifecycle.

What is the role of the Program Participation Agreement?

The Program Participation Agreement sets the operational terms for participating organizations, including governance, reporting, and data stewardship obligations. It ties program rules to your daily practices, requiring you to align policies, controls, and evidence with CMS expectations for privacy, security, and responsible data use.
