Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE
GAO-06-676: Published: Sep 5, 2006. Publicly Released: Sep 5, 2006.
Federal contractors and state Medicaid agencies are responsible for the day-to-day operations of the Medicare, Medicaid, and TRICARE programs. Because these entities may contract with vendors to perform services involving the use of personal health data, outsourcing and privacy protections are of interest. GAO surveyed all federal Medicare and TRICARE contractors and all state Medicaid agencies (a combined total of 378 entities) to examine whether they (1) outsource services--domestically or offshore--and (2) must notify federal agencies when privacy breaches occur. Survey response rates ranged from 69 percent for Medicare Advantage contractors to 80 percent for Medicaid agencies. GAO interviewed officials at the Department of Health and Human Services' Centers for Medicare & Medicaid Services (CMS), which oversees Medicare and Medicaid, and the Department of Defense's TRICARE Management Activity (TMA), which oversees TRICARE.
Federal contractors and state Medicaid agencies widely reported domestic outsourcing of services involving the use of personal health information but little direct offshore outsourcing. Among those that completed GAO's survey, more than 90 percent of Medicare contractors and state Medicaid agencies and 63 percent of TRICARE contractors reported some domestic outsourcing in 2005. Typically, survey groups reported engaging from 3 to 20 U.S. vendors (commonly known as subcontractors). One federal contractor and one state Medicaid agency reported outsourcing services directly offshore. However, some federal contractors and state Medicaid agencies also knew that their domestic vendors had initiated offshore outsourcing. Thirty-three Medicare Advantage contractors, 2 Medicare fee-for-service (FFS) contractors, and 1 Medicaid agency indicated that their domestic vendors transfer personal health information offshore, although they did not provide information about the scope of personal information transferred offshore. Moreover, the reported extent of offshore outsourcing by vendors may be understated because many federal contractors and agencies did not know whether their domestic vendors transferred personal health information to other locations or vendors.
In responding to GAO's survey, over 40 percent of the federal contractors and state Medicaid agencies reported that they experienced a recent privacy breach involving personal health information. (The frequency or severity of these breaches was not reported.) By survey group, 47 percent of Medicare Advantage contractors reported privacy breaches within the past 2 years, as did 44 percent of Medicaid agencies, 42 percent of Medicare FFS contractors, and 38 percent of TRICARE contractors. TMA and CMS differ in their requirements for notification of privacy breaches. TMA requires monthly reports on privacy breaches from its TRICARE contractors and follows up with contractors that report recurring lapses in privacy. While CMS requires Medicare FFS contractors to report privacy breaches within 30 days of discovery, such oversight is lacking for privacy breaches that may occur with personal health information held by state Medicaid agencies and Medicare Advantage contractors, as CMS does not require reports of privacy breaches from these entities.
Recommendation for Executive Action
Status: Closed - Implemented
Comments: In comments on a draft of the report, CMS notified GAO of a recent requirement that Medicare Advantage contractors notify CMS officials of such privacy breaches. In September 2006 (after release of this GAO report), CMS notified state Medicaid agency directors that state Medicaid agency staff must report breaches involving personal health information (whether discovered internally or reported by a contractor) to CMS.
Recommendation: To help ensure that the personal health information entrusted to federal and state health programs is being adequately protected and to facilitate prompt corrective action when appropriate, the privacy breach notification requirements that currently apply to TRICARE and Medicare FFS contractors should also apply to other Medicare contractors that handle personal health information (such as Medicare Advantage contractors) and to state Medicaid agencies. The Administrator of CMS should require all Medicare contractors responsible for safeguarding personal health information and state Medicaid agencies to notify CMS of the occurrence of privacy breaches.
Agency Affected: Department of Health and Human Services: Centers for Medicare and Medicaid Services