Privacy:

Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE

GAO-06-676: Published: Sep 5, 2006. Publicly Released: Sep 5, 2006.

Contact:

Kathleen M. King
(312) 220-7767
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Federal contractors and state Medicaid agencies are responsible for the day-to-day operations of the Medicare, Medicaid, and TRICARE programs. Because these entities may contract with vendors to perform services involving the use of personal health data, outsourcing and privacy protections are of interest. GAO surveyed all federal Medicare and TRICARE contractors and all state Medicaid agencies (a combined total of 378 entities) to examine whether they (1) outsource services--domestically or offshore--and (2) must notify federal agencies when privacy breaches occur. Survey response rates ranged from 69 percent for Medicare Advantage contractors to 80 percent for Medicaid agencies. GAO interviewed officials at the Department of Health and Human Services' Centers for Medicare & Medicaid Services (CMS), which oversees Medicare and Medicaid, and the Department of Defense's TRICARE Management Activity (TMA), which oversees TRICARE.

Federal contractors and state Medicaid agencies widely reported domestic outsourcing of services involving the use of personal health information but little direct offshore outsourcing. Among those that completed GAO's survey, more than 90 percent of Medicare contractors and state Medicaid agencies and 63 percent of TRICARE contractors reported some domestic outsourcing in 2005. Typically, survey groups reported engaging from 3 to 20 U.S. vendors (commonly known as subcontractors). One federal contractor and one state Medicaid agency reported outsourcing services directly offshore. However, some federal contractors and state Medicaid agencies also knew that their domestic vendors had initiated offshore outsourcing. Thirty-three Medicare Advantage contractors, 2 Medicare fee-for-service (FFS) contractors, and 1 Medicaid agency indicated that their domestic vendors transfer personal health information offshore, although they did not provide information about the scope of personal information transferred offshore. Moreover, the reported extent of offshore outsourcing by vendors may be understated because many federal contractors and agencies did not know whether their domestic vendors transferred personal health information to other locations or vendors.

In responding to GAO's survey, over 40 percent of the federal contractors and state Medicaid agencies reported that they experienced a recent privacy breach involving personal health information. (The frequency or severity of these breaches was not reported.) By survey group, 47 percent of Medicare Advantage contractors reported privacy breaches within the past 2 years, as did 44 percent of Medicaid agencies, 42 percent of Medicare FFS contractors, and 38 percent of TRICARE contractors.

TMA and CMS differ in their requirements for notification of privacy breaches. TMA requires monthly reports on privacy breaches from its TRICARE contractors and follows up with contractors that report recurring lapses in privacy. While CMS requires Medicare FFS contractors to report privacy breaches within 30 days of discovery, such oversight is lacking for privacy breaches that may occur with personal health information held by state Medicaid agencies and Medicare Advantage contractors, as CMS does not require reports of privacy breaches from these entities.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendation for Executive Action

    Recommendation: To help ensure that the personal health information entrusted to federal and state health programs is being adequately protected and to facilitate prompt corrective action when appropriate, the privacy breach notification requirements that currently apply to TRICARE and Medicare FFS contractors should also apply to other Medicare contractors that handle personal health information (such as Medicare Advantage contractors) and to state Medicaid agencies. The Administrator of CMS should require all Medicare contractors responsible for safeguarding personal health information and state Medicaid agencies to notify CMS of the occurrence of privacy breaches.

    Agency Affected: Department of Health and Human Services: Centers for Medicare and Medicaid Services

    Status: Closed - Implemented

    Comments: In comments on a draft of the report, CMS notified GAO of a recent requirement that Medicare Advantage contractors notify CMS officials of such privacy breaches. In September 2006 (after release of this GAO report), CMS notified state Medicaid agency directors that state Medicaid agency staff must report breaches involving personal health information (whether discovered internally or reported by a contractor) to CMS.
