Medicare:

Improvements Needed to Enhance Protection of Confidential Health Information

HEHS-99-140: Published: Jul 20, 1999. Publicly Released: Jul 20, 1999.

Contact:

Leslie G. Aronovitz
(312) 220-7767
contact@gao.gov


Pursuant to a congressional request, GAO reviewed four areas related to the Health Care Financing Administration's (HCFA) use of personally identifiable health information, focusing on: (1) HCFA's need for personally identifiable health information to manage the Medicare program and accomplish other purposes; (2) HCFA's policies and practices regarding disclosure of information on Medicare beneficiaries; (3) the adequacy of HCFA's safeguards for protecting the confidentiality of electronic information and HCFA's monitoring of others' protection of beneficiary information; and (4) the effect on HCFA of state restrictions on the disclosure of confidential health information.

GAO noted that: (1) to carry out its legislated responsibilities, HCFA needs to collect and maintain personally identifiable health information on its 39 million Medicare beneficiaries; (2) HCFA also uses this information in essential research activities that can lead to improvements in rate-setting, services provided, and quality of care; (3) HCFA's policies and practices regarding disclosure of personally identifiable health information are generally consistent with the provisions of the Privacy Act of 1974; (4) in accordance with the Privacy Act, when determining whether to disclose information, HCFA officials attempt to balance the information needs of data requestors against the confidentiality of personally identifiable health information; (5) HCFA screens requests for personally identifiable information on Medicare beneficiaries from non-HCFA researchers more thoroughly than requests from HCFA staff who need the data to conduct the agency's business; (6) however, GAO found that HCFA cannot readily provide beneficiaries with an accounting of the disclosures it makes, a capability called for by the Privacy Act; (7) moreover, HCFA has not adequately provided oversight agencies such as the Office of Management and Budget (OMB) with complete information on its Privacy Act activities; (8) HCFA does not always clearly inform Medicare beneficiaries of the purposes for which their information may be disclosed to other organizations, as required by the Privacy Act; (9) to address these issues, HCFA has established a new executive confidentiality board and initiated a number of actions in response to January 1999 OMB guidance to all agencies to review information practices for compliance with the Privacy Act; (10) although few complaints about Privacy Act violations have been made to date, weaknesses in the implementation of HCFA's policies could potentially compromise the confidentiality of health information on Medicare beneficiaries; (11) because HCFA does not routinely monitor contractors and others, such as researchers, who use personally identifiable Medicare information, its ability to prevent unauthorized disclosures or uses and to provide timely corrective action for those that might occur is not assured; (12) some states prohibit the disclosure of sensitive health-related information except for specified purposes; and (13) HCFA officials said that HCFA's policy is to respect state laws regarding sensitive health information that are more restrictive than federal requirements.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: The HIPAA Privacy Rule requires each covered entity to develop and provide a plain-language notice that describes its legal duties, the uses and disclosures of protected health information that it may make, and individual rights and how to exercise them. CMS developed a Notice of Privacy Practices, effective on April 14, 2003, for Medicare beneficiaries. Medicare's privacy notice was provided to beneficiaries for the first time in the 2003 Medicare & You handbook, which was mailed beginning in October 2002.

    Recommendation: To improve HCFA's protection of the confidentiality of personally identifiable Medicare beneficiary information, the Administrator, HCFA, should ensure that all agency Privacy Act notifications convey the information required by the Act in a manner that is clear and informative to beneficiaries.

    Agency Affected: Department of Health and Human Services: Health Care Financing Administration

  2. Status: Closed - Implemented

    Comments: CMS maintains a process for ensuring compliance with the terms for closing out data use agreements (DUA). Upon completion of the project and/or expiration of the DUA, the data must be returned to CMS or destroyed, and a statement certifying this action sent to CMS. The Division of Privacy Compliance Data Development contacts each requestor prior to the DUA expiration date to obtain a letter on the organization's letterhead certifying that no data are retained when the file(s) are returned or destroyed or, if the project is still active, to grant an extension of the requestor's DUA. The CMS Privacy Officer reported that, to date, no violations of DUA provisions for protection of Medicare data set files have been identified.

    Recommendation: To improve HCFA's protection of the confidentiality of personally identifiable Medicare beneficiary information, the Administrator, HCFA, should develop a system to routinely monitor other organizations that have received personally identifiable information on Medicare beneficiaries to help ensure that information is used only as approved and to identify instances of misuse.

    Agency Affected: Department of Health and Human Services: Health Care Financing Administration

  3. Status: Closed - Implemented

    Comments: The fiscal year (FY) 2002 OIG CFO audit identified weaknesses at Medicare contractors in a variety of general controls. The access control weaknesses, including configuration of access control software, procedures for reviewing suspected access violations, consistency of security controls, and physical access to data centers, were reported to "represent a significant risk to the Medicare program." In late FY 2002, CMS provided funding to Medicare contractors to address gaps in access controls. Also, in revisions to the Medicare Manual System dated February 7, 2003, CMS added a control objective that contractors perform certain regularly scheduled processes required to minimize the impact of threats to data, facilities, or equipment.

    Recommendation: To improve HCFA's protection of the confidentiality of personally identifiable Medicare beneficiary information, the Administrator, HCFA, should systematically monitor contractors' safeguards for protecting confidential information.

    Agency Affected: Department of Health and Human Services: Health Care Financing Administration

  4. Status: Closed - Not Implemented

    Comments: In fiscal year (FY) 2002, CMS made progress in addressing weaknesses in its automated processing systems. However, the FY 2002 OIG CFO review of Medicare information systems controls continued to find weaknesses in general and application controls at Medicare contractors, data centers, entities sharing system software, and the CMS central office. Although no individual weakness was determined to be material, taken together these vulnerabilities were deemed material weaknesses. GAO is closing this recommendation, but believes continued efforts are needed to address this issue.

    Recommendation: To improve HCFA's protection of the confidentiality of personally identifiable Medicare beneficiary information, the Administrator, HCFA, should correct the vulnerabilities identified in its information management systems by the Office of the Inspector General.

    Agency Affected: Department of Health and Human Services: Health Care Financing Administration

  5. Status: Closed - Implemented

    Comments: In general, the Privacy Rule gives beneficiaries the right to receive an accounting of certain disclosures of protected health information made by CMS. Exceptions to this accounting requirement include disclosures of a limited data set to researchers with a data use agreement. For disclosures of protected health information for research purposes without the beneficiary's authorization and that involve at least 50 records, CMS may provide individuals with a list of all protocols for which the patient's protected health information may have been disclosed, as well as the researcher's name and contact information.

    Recommendation: To improve HCFA's protection of the confidentiality of personally identifiable Medicare beneficiary information, the Administrator, HCFA, should implement a system that would permit HCFA to respond in a timely fashion to beneficiary inquiries about the disclosure of their information to others outside HCFA as well as to provide information on Privacy Act activities to OMB and others.

    Agency Affected: Department of Health and Human Services: Health Care Financing Administration
