Skip to main content

Privacy: Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE

GAO-06-676 Published: Sep 05, 2006. Publicly Released: Sep 05, 2006.
Jump To:
Skip to Highlights

Highlights

Federal contractors and state Medicaid agencies are responsible for the day-to-day operations of the Medicare, Medicaid, and TRICARE programs. Because these entities may contract with vendors to perform services involving the use of personal health data, outsourcing and privacy protections are of interest. GAO surveyed all federal Medicare and TRICARE contractors and all state Medicaid agencies (a combined total of 378 entities) to examine whether they (1) outsource services--domestically or offshore--and (2) must notify federal agencies when privacy breaches occur. Survey response rates ranged from 69 percent for Medicare Advantage contractors to 80 percent for Medicaid agencies. GAO interviewed officials at the Department of Health and Human Services' Centers for Medicare & Medicaid Services (CMS), which oversees Medicare and Medicaid, and the Department of Defense's TRICARE Management Activity (TMA), which oversees TRICARE.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Centers for Medicare & Medicaid Services To help ensure that the personal health information entrusted to federal and state health programs is being adequately protected and to facilitate prompt corrective action when appropriate, the privacy breach notification requirements that currently apply to TRICARE and Medicare FFS contractors should also apply to other Medicare contractors that handle personal health information (such as Medicare Advantage contractors) and to state Medicaid agencies. The Administrator of CMS should require all Medicare contractors responsible for safeguarding personal health information and state Medicaid agencies to notify CMS of the occurrence of privacy breaches.
Closed – Implemented
In comments on a draft of the report, CMS notified GAO of a recent requirement that Medicare Advantage contractors notify CMS officials of such privacy breaches. In September 2006 (after release of this GAO report), CMS notified state Medicaid agency directors that state Medicaid agency staff must report breaches involving personal health information (whether discovered internally or reported by a contractor) to CMS.

Full Report

Office of Public Affairs

Topics

ContractorsHealth information privacyInternal controlsMedicaidMedicarePrivacy lawPrivacy policiesSafeguardsStandards evaluationSubcontractorsSupport services