
Confirm which data handling standards we need to comply with #21

Closed
brainwane opened this issue May 5, 2017 · 2 comments

Comments

@brainwane
Contributor

brainwane commented May 5, 2017

If we are going to get set up as a data wrangler of various data sources, I want to be able to check that we are following any MITA or CMS standards that are appropriate for handling provider info. I presume that provider info could not possibly constitute sensitive PII but I would like to double-check this!

I started looking at the MITA framework but think it does not address this question.

I am beginning to think that the relevant standards might well be "Minimum Acceptable Risk Standards for Exchanges (MARS-E) 2.0 Framework" -- discussed privately on CALT and publicly listed in cms.gov's Regulations and Guidance, explained in this summary from CMS (pdf) and described in this surprisingly cogent Microsoft compliance page. But I haven't gone deeply enough into it to understand whether it applies just to patients or includes any discussion of providers as well.

And I stumbled across a NIST standard, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" (pdf) -- but this only applies if any of the data we deal with counts as PII.

The resolution of this issue may depend on which federal data services we integrate with, in which case we can close it as a duplicate of #17.

Relates to #10.

@kfogel
Member

kfogel commented May 6, 2017

+1 -- thanks for thinking of this, @brainwane.

@jvasile
Contributor

jvasile commented May 17, 2017

MARS-E is for exchanges and doesn't apply here.

We have PII for some providers and we should take steps to protect it, but I can't find any federal regulations that mandate specific standards. At any rate, industry standard protection should suffice and obviously leaking such data constitutes a bug. We don't need to do specific work on this issue except to continue our work on building secure infrastructure with sane access controls.

Those NIST guidelines are pretty good. We should aspire to meet them. :)
