HCFA Needs to Better Protect Beneficiaries' Confidential Health Information
T-HEHS-99-172: Published: Jul 20, 1999. Publicly Released: Jul 20, 1999.
Pursuant to a congressional request, GAO discussed how the Health Care Financing Administration (HCFA) protects personally identifiable health information on Medicare beneficiaries, focusing on: (1) HCFA's need for personally identifiable health information to manage the Medicare program; (2) HCFA's policies and practices regarding disclosure of information on Medicare beneficiaries to other organizations; (3) the adequacy of HCFA's safeguards for protecting the confidentiality of electronic information and its monitoring of other organizations that obtain information on Medicare beneficiaries; and (4) the effect on HCFA of state restrictions on the disclosure of confidential health information.
GAO noted that: (1) personally identifiable information on Medicare beneficiaries is vital to the operation of the Medicare program, and HCFA can disclose such information to other organizations consistent with provisions of the Privacy Act; (2) HCFA has policies and procedures for evaluating requests for disclosure of personally identifiable health information, but HCFA's confidentiality practices have a number of weaknesses; (3) these weaknesses include HCFA's inability to easily provide beneficiaries with an accounting of disclosures made of their personal information and its failure to always give them clear notification of the purposes for which their personal information may be disclosed outside of HCFA, as required by the Privacy Act; (4) although few complaints of violations have been reported to date, the Department of Health and Human Services Office of the Inspector General also continues to report vulnerabilities in HCFA's safeguards for confidentiality of electronic information; (5) these vulnerabilities could lead to unauthorized individuals reading, disclosing, or altering confidential information; (6) potential conflicts exist between HCFA and state laws regarding the disclosure of sensitive health information; (7) to date, conflicts have been minimal and the administration of Medicare has not been hindered, according to HCFA officials, because all states permit release of information for health care treatment and payment; and (8) however, if the same data elements were not available from all states, HCFA's ability to conduct research and analysis to improve Medicare policies might be compromised.