New CMS rules will throttle access researchers need to Medicare, Medicaid data

Groundbreaking research more than a decade ago showed that almost one-fifth of people enrolled in Medicare were being readmitted within 30 days after being discharged from the hospital, harming patients and increasing costs.

That study led to a sea change in health care. The government started closely monitoring readmission rates and imposing fines on hospitals with high rates. Hospitals adopted new procedures aimed at ensuring patients could leave the hospital successfully. Today, patients do better after hospital discharge. That work wouldn’t have been possible without investigators’ access to Medicare data.

Fast-forward to this month, and that kind of sleuthing with Medicare’s data is suddenly in jeopardy. On Feb. 12, in the name of data security and without sufficient warning, the government announced it will limit access to these data and slap tens of thousands of dollars of new fees on individual researchers who are seeking to improve the nation’s most important health insurance plans and the care for millions of individuals.

Maintaining the highest standards of data security is paramount. But research access and productivity do not need to be sacrificed in the name of data security. Using data should not strain the budgets of even the most well-financed institutions. It should not exclude those with fewer resources and worsen the inequities in what is already a two-tier system.

The new rules make just two changes, but they add up to major concerns. First, starting in August, new projects will be able to access data only through CMS’ cloud environment rather than the current practice of storing the data on highly secure computing infrastructure at research institutions. In principle, this doesn’t sound so bad. In practice, the costs associated with each “seat” at the virtual table severely limits the number of researchers who can use the data. My current research team of four people will have to be pared down to one, excluding students, postdoctoral researchers, and junior colleagues. Second, CMS is imposing new fees to continue to use their data that is stored outside of their cloud — a $20,000 fee to start any new project (before August) and a $10,000 annual fee to keep existing projects going.

The $20,000 fee for new projects is hard for anyone to pay, but especially students and those early in their careers, who may see their future harmed as a result of these rules. Come August, those fees will be even higher.

The Centers for Medicare and Medicaid Services has pitched the changes as necessary because of “growing data security concerns and an increase in data breaches across the healthcare ecosystem.” CMS is right to have such concerns, but the current solution may make other things much worse.

To give an example of the costs of this new rule, consider that I am a physician, health economist, and researcher at the University of Pennsylvania’s Leonard Davis Institute of Health Economics, focused on improving the quality and value of care for older adults. To keep my current projects afloat, my costs for just storing and accessing data will rise from less than $20,000 per year to somewhere between $80,000 and $200,000 per year, depending on how many people on my team are able to continue their research. These new fees would be levied as early as Aug. 19. Though I am lucky to be well-resourced, my grants don’t contain that kind of money.

More concerning is that these rules will limit the questions we can answer, change the colleagues we can work with, and limit the training of junior researchers. Some of the most influential research I’ve done has been to answer questions that occurred to me after reading an article in the newspaper or hearing about a new policy under consideration. Quick access to data made getting answers to these questions possible, but that quick access is in jeopardy.

My best research has been done in teams, which incorporate diverse viewpoints that force us to challenge the way we think about problems and find creative solutions. The new data access rules would severely limit the number of people who can access the data and engage in a project.

The burden of the new rules is even greater for students and junior researchers, particularly at less-resourced institutions. My junior colleagues who could previously use Medicare data at a low cost will now have to scrounge to finish their degrees and launch their careers when these rules are enacted.

Limiting access to these data is not just an academic concern. It’s one that will affect anyone enrolled in Medicare and Medicaid as well as the taxpayers who fund these programs.

These rich data streams enable us to learn what is happening in giant and costly health programs. They help us identify snafus in care and document costly overruns. They help us act like the R&D arm of the government and deliver results that drive improvements to our chaotic health care system.

Will such research now get done? There will be some of it. But there certainly won’t be as much given the stiff fees that are proposed.

Well-resourced institutions and established investigators will probably find a way through this maze. But the scope of inquiry will be reduced. New or lesser-known problems may get ignored. People with complex health needs may get less attention.

Is that really the system we want? Surely not. Hundreds of researchers have signed a letter to CMS imploring the agency to reconsider the changes. While CMS is requesting comment, their guidance is for information about how to implement these changes, not about how to best enhance data security while maintaining reasonable access.

Pricing and access policies should at a minimum preserve the status quo of research and, better yet, enhance access to drive equity and innovation, which would in turn advance CMS’s strategic pillars of promoting equity, driving innovation, and engaging partners. I implore CMS to collaborate with the academic community to develop new rules that advance data security but can be implemented over a longer time horizon, giving researchers time to plan, while also maintaining the data access we have all come to depend on for scientific progress to improve the health of our nation. Let’s not kill innovation in a rush for data security.

Rachel M. Werner is the executive director of the Leonard Davis Institute of Health Economics at the University of Pennsylvania, and professor of medicine and health economics.