LADMF and ACAB: New Rules for Accessing Data of the Deceased

Organizations who utilize government data to monitor and track deaths in the U.S. are learning that it is no longer the simple process it once was. The Death Master File data, governed by the U.S. Department of Commerce National Technical Information Service (NTIS), is commonly referenced by healthcare providers, insurance companies, and financial institutions, among others, to identify concerns such as expired account holders and fraudulent activities. Until recently, this data was obtained from NTIS through a formal, yet uncomplicated, request process.

New regulations have now gone into effect with the intent of ensuring secure and responsible handling of this data, regulations that have created additional regulatory compliance for requestors.

The new NTIS cybersecurity standards were called for as part of the 2013 Bipartisan Budget Act and ultimately were established through a final rule published on November 28, 2016. The new rule prohibits the Secretary of Commerce from disclosing Death Master File (DMF) information during the three-calendar-year period following an individual’s death (the “Limited Access DMF or LADMF”). The only entities who can access this data must be certified to receive that information.

In short, organizations requesting access to LADMF data must:

Attest to the security of the systems and processes utilized in the acquisition and management of this data.
Gain an assessment by a reputable independent party, otherwise known as an Accredited Conformity Assessment Body (ACAB), against an established cybersecurity standard.
The submitted assessment must be in line with security control requirements documented in the LADMF Certification Program (Publication 100). Security controls listed in Publication 100 are “not intended to be prescriptive” and that results of an assessment against other established standards or in the course of satisfying other regulations, can satisfy the LADMF security and safeguard requirements.
Then the assessor will submit an attestation form to the NTIS on behalf of the applicant after which, subject to acceptance of the attestation and associated fees, the applicant is provided access to LADMF data.

Fortunately, this assessment can be addressed as a component of other security assessment programs and, according to the NTIS website, must only be completed every three years in addition to annual certification and fee requirements.

Whether organizations choose to assess their LADMF program directly or as part of other organizational security assessments, choosing the right partner to serve as their ACAB is important. LBMC Information Security is an Accredited Conformity Assessment Body. To request a private briefing, or for questions about the NTIS LADMF certification program, contact us today.