United States Government Accountability Office GAO Report to Congressional Requesters September 2012 HEALTH INFORMATION TECHNOLOGY CMS Took Steps to Improve Its Beneficiary Eligibility Verification System GAO-12-973 September 2012 HEALTH INFORMATION TECHNOLOGY CMS Took Steps to Improve Its Beneficiary Eligibility Verification System Highlights of GAO-12-973, a report to congressional requesters Why GAO Did This Study What GAO Found Medicare is a federal program that The Centers for Medicare and Medicaid Services (CMS) currently offers to pays for health care services for Medicare providers and Medicare Administrative Contractors the use of the individuals 65 years and older and Health Insurance Portability and Accountability Act of 1996 (HIPAA) Eligibility certain individuals with disabilities. In Transaction System (HETS) in a real-time data processing environment. HETS is 2011, Medicare covered about 48.4 operational 24 hours a day, 7 days a week, except during regularly scheduled million of these individuals, and total maintenance Monday mornings, from midnight until 5:00 a.m., and when CMS expenditures for this coverage were announces other maintenance periods during one or two weekends each month. approximately $565 billion. CMS, the According to program officials, 244 entities were using HETS in 2012, including agency within the Department of about 130 providers, 104 clearinghouses that provide data exchange services to Health and Human Services that about 400,000 health care providers, and 10 Medicare contractors that help CMS administers Medicare, is responsible for ensuring that proper payments are process claims for services. From January through June 2012, HETS processed made on behalf of the program’s each month an average of 1.7 million to 2.2 million queries per day with most of beneficiaries. In response to HIPAA the queries submitted between the hours of 8:00 a.m. and 4:00 p.m. eastern requirements, CMS developed and time. The users with whom we spoke confirmed that operational problems they implemented an information experienced with the system in 2010 and the first few months of 2011 were technology system to help providers resolved in spring 2011 after CMS implemented several hardware and software determine beneficiaries’ eligibility for replacements and upgrades. System performance reports for the first 6 months Medicare coverage. In May 2005 CMS of 2012 showed that the average response time per transaction was less than 3 began offering automated services seconds. Users described experiences with the system that were consistent with through HETS, a query and response these data. They told us that they are currently satisfied with the operational system that provides data to users status of HETS and that the system provides more complete information and about Medicare beneficiaries and their reliable service than other systems that they use to verify eligibility with eligibility to receive payment for health commercial health insurers. care services and supplies. CMS took steps to ensure users remain satisfied with the system’s performance, Because of the important role that including notifying users in advance of system downtime, providing help desk HETS plays in providers having access support, and monitoring contractors’ performance. The agency had also planned to timely and accurate data to several technical improvements intended to increase HETS’ capacity to process determine eligibility, GAO was asked to a growing number of transactions, which the agency projected to increase at a (1) identify the operational status of rate of about 40 percent each year. These plans include a redesign of the system HETS, (2) identify any steps CMS has taken to ensure users’ satisfaction and and migration to a new database environment that is scalable to accommodate plans to take to ensure the system the projected increase in transaction volume. According to HETS program supports future requirements, and (3) officials, near-term plans also include the implementation of tools to enable describe CMS’s policies, processes, proactive monitoring of system components and additional services intended to and procedures for protecting the enhance production capacity until the planned redesign of the system is privacy of data provided by HETS. complete. To do so, GAO collected and analyzed To help protect the privacy of beneficiary eligibility data provided by HETS, CMS documentation from program officials, established policies, processes, and procedures that are intended to address such as reports on transaction volume principals reflected by the HIPAA Privacy Rule. For example, in its efforts to and response times, agreements with ensure proper uses and disclosures of the data, CMS documented in user users, and CMS’s privacy impact and agreements the authorized and unauthorized purposes for requesting Medicare risk assessments of HETS. GAO also beneficiary eligibility data. Additionally, the agency conducted privacy impact and interviewed program officials and risk assessments of HETS as required by the E-Government Act of 2002. system users. Officials from the Department of Health and Human Services’ Office for Civil Rights stated that no privacy violations had been reported regarding the use of View GAO-12-973. For more information, contact Valerie Melvin at (202) 512-6304 or the protected health data provided by HETS since its implementation in 2005. firstname.lastname@example.org. United States Government Accountability Office Contents Letter 1 Background 3 HETS Is Operational and Provides Responses to Users’ Requests in Real Time 10 CMS Has Taken Steps to Ensure Users’ Satisfaction and Is Making Plans to Implement Improvements to Meet Future Requirements 12 CMS Established Policies and Procedures Intended to Address Privacy Principles and Assessed Impact and Risks of Sharing Data 17 Agency Comments and Our Evaluation 22 Appendix I Objectives, Scope, and Methodology 24 Appendix II HETS Transaction Volumes and Response Times 27 Appendix III Comments from the Department of Health & Human Services 29 Appendix IV GAO Contacts and Staff Acknowledgments 31 Tables Table 1: HETS Transaction Volume 7 Table 2: CMS’s Actions to Address Key HIPAA Privacy Principles 20 Table 3: Average System Response Time from January 2010 through June 2012 27 Page i GAO-12-973 Health Information Technology Abbreviations CMS Centers for Medicare and Medicaid Services HETS HIPAA Eligibility Transaction System HHS Department of Health and Human Services HIPAA Health Insurance Portability and Accountability Act of 1996 MAC Medicare Administrative Contractor OMB Office of Management and Budget This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page ii GAO-12-973 Health Information Technology United States Government Accountability Office Washington, DC 20548 September 12, 2012 The Honorable Orrin Hatch Ranking Member Committee on Finance United States Senate The Honorable Richard M. Burr Ranking Member Subcommittee on Children and Families Committee on Health, Education, Labor, and Pensions United States Senate The Honorable Tom Coburn, M.D. Ranking Member Permanent Subcommittee on Investigations Committee on Homeland Security and Governmental Affairs United States Senate Medicare is a federal program that pays for health care services for individuals 65 years and older, certain individuals with disabilities, and those with end-stage renal disease. It is funded by general revenues; payroll taxes paid by most employees; employers and individuals who are self employed; and beneficiary premiums. In 2011, Medicare covered about 48.4 million of these individuals with a total expenditure of approximately $565 billion. The Centers for Medicare and Medicaid Services (CMS), the agency within the Department of Health and Human Services (HHS) that administers Medicare, is responsible for ensuring that proper payments are made on behalf of its beneficiaries to the doctors, hospitals, visiting nurses, and others who provide health care services and treatment, along with entities that supply medical equipment such as wheelchairs, walkers, and hospital beds to their patients. To avoid risks that they may not be reimbursed for services, these health care providers take steps to determine whether patients and services are covered by entities that pay for health care expenses, such as Medicare. Toward this end, CMS developed and implemented an information technology system to help providers determine Medicare beneficiaries’ eligibility for health care services and supplies in response to Page 1 GAO-12-973 Health Information Technology requirements under the Health Insurance Portability and Accountability Act of 1996, or HIPAA. 1 CMS officials stated that, in accordance with the act, on May 31, 2005, the agency began offering automated services for determining Medicare eligibility for certain beneficiaries through the use of an information technology system called the HIPAA Eligibility Transaction System, or HETS. 2 Five years after its implementation, however, problems with the performance of the system were noted by CMS and its users. Because of the important role that HETS plays in assuring that providers have timely and accurate data to determine Medicare beneficiaries’ eligibility, you requested that we undertake a review of the system. Our specific objectives were to (1) identify the operational status of HETS, (2) identify any steps CMS has taken to ensure users’ satisfaction and plans to take to ensure the performance of the system supports future requirements, and (3) describe CMS’s policies, processes, and procedures for protecting the privacy of beneficiary eligibility data provided by the system. To identify the operational status of HETS, we collected and analyzed documentation from program officials that described daily operations of the system, such as reports on incoming transaction volume, response time, and downtime, along with documents that describe outcomes of the system, including reported problems. We also determined the level of service provided to HETS users by comparing the information we collected to business requirements defined in program and system plans and strategies, and by obtaining users’ views of the extent to which the current implementation of HETS met their needs. To do this, we selected and interviewed representatives of the six highest volume users throughout the United States. These users were identified as those having submitted approximately 35 percent of the total HETS information requests during a week in March 2012, the week selected for our study. To identify the steps that CMS has taken to ensure HETS users are satisfied with the performance of the system, and that the agency plans to 1 Pub. L. No. 104-191, Title II, Subtitle F, 110 Stat. 1936, 2021 (codified at 42 U.S.C. §§ 1320d–1320d-8). HIPAA required the adoption of uniform data interchange standards. 2 45 C.F.R. Part 162 sets out that HETS is the electronic data interchange standard for health care eligibility inquiry and response transactions. Page 2 GAO-12-973 Health Information Technology take to ensure the system provides the level of service needed to support future requirements, we reviewed agency documents, interviewed business and system owners knowledgeable of the management of the program, and identified steps CMS took to assess contractors’ performance toward providing efficient and quality service to users of HETS. We also collected and analyzed program planning documentation that described long-term plans for the system and assessed those plans against projections of future requirements and recommendations from independent studies of CMS’s implementation of the system. Finally, to describe the policies, processes, and procedures established by CMS to protect the privacy of beneficiary eligibility data, we evaluated agency documentation such as agreements with users regarding the use of the system and requirements for handling data, and the system’s privacy impact and risk assessments. We compared information discussed in these documents to requirements and practices derived from relevant privacy laws, including the HIPAA Privacy Rule 3 and the Privacy Act of 1974. 4 In conducting our work, we did not review or test controls implemented by the agency to secure the data processed by HETS. More detailed information about our objectives, scope, and methodology is discussed in appendix I. We conducted this performance audit from February 2012 to August 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Medicare consists of four parts—A, B, C, and D. Medicare Part A Background provides payment for inpatient hospital, skilled nursing facility, some home health, and hospice services, while Part B pays for hospital outpatient, physician, some home health, durable medical equipment, and preventive services. In addition, Medicare beneficiaries have an option to 3 Pub. L. No. 104-191, Title II, Subtitle F, 110 Stat. 1936, 2021 (codified at 42 U.S.C. §§ 1320d–1320d-8). The HIPAA Privacy Rule was promulgated at 45 C.F.R. Part 160. 4 Title 5 U.S.C. 552a. Page 3 GAO-12-973 Health Information Technology participate in Medicare Advantage, also known as Part C, which pays private health plans to provide the services covered by Medicare Parts A and B. Further, all Medicare beneficiaries may purchase coverage for outpatient prescription drugs under Medicare Part D, and some Medicare Advantage plans also include Part D coverage. The fee-for-service portion of the Medicare program (Parts A and B) processes approximately a billion claims each year from about 1.5 million providers who deliver and bill Medicare for health care services and supplies. In delivering patient care, providers need to not only ensure that claims for services covered by Medicare and other health care insurers are submitted correctly, but to also ensure that beneficiaries receive benefits to which they are entitled. To do this, these providers need access to accurate and timely eligibility information to help them determine whether and how to properly submit claims for payment to Medicare and other insurers on behalf of their patients. Many health care insurers have implemented information technology systems to help providers make this determination at the time services are being delivered—that is, at the point of care—by providing electronic data on a real-time basis regarding patients’ benefits covered by their insurance plans. CMS’s Implementation of To assist providers with verifying beneficiaries’ eligibility for services HETS to Assist Providers under Medicare, and in response to HIPAA requirements, CMS provided an electronic mechanism that allowed providers to access real-time data at the point care is scheduled or delivered. 5 To meet this requirement, CMS officials stated that they implemented the initial version of HETS in May 2005. CMS’s Business Applications Management Group and the Provider Communications Group are the system and business owners of HETS. As such, these groups are responsible for the development, implementation, maintenance, and support of the system, as well as establishing business rules regarding the use of the system application, such as agreements regarding the use and protection of the data provided by HETS. CMS awarded cost-plus-award-fee contracts to two contractors to assist the agency with developing and maintaining HETS, 5 The provisions of the law established requirements for the implementation of standard transactions for the electronic transmission of certain health information, including patients’ eligibility to receive health care services and supplies covered by Medicare. Page 4 GAO-12-973 Health Information Technology performing independent testing, production support, help desk, and project integration services. HETS operates from CMS’s data center in Baltimore, Maryland, and is accessed by users via the CMS extranet. 6 The system is comprised of software that processes query and response transactions, along with hardware, such as servers that support connections with users’ facilities and the internet, and devices that store the data provided by the system. The system software is designed to process transactions according to standards and formats defined by HIPAA. 7 It was designed to allow the release of patients’ data to Medicare providers, or their authorized billing agents, to support their efforts to complete accurate Medicare claims when determining beneficiaries’ liability and eligibility for specific services. 8 CMS officials stated that the agency does not receive any payments for the use of HETS, nor does the agency require Medicare providers to use HETS to verify eligibility prior to filing claims CMS intended for HETS to be used by health care providers; health care clearinghouses, which are entities that provide electronic data exchange services for their customers; 9 and Medicare Administrative Contractors 6 An extranet is a computer network that allows controlled access from outside an organization’s intranet, usually by partners, vendors, and suppliers, in isolation from all other internet users. The CMS extranet is a secure closed private network used for transmission of electronic transactions between CMS and Medicare contractors, providers, or clearinghouses. 7 The Administrative Simplification provisions of HIPAA provided for the establishment of national standards for the electronic transmission of certain health information, such as standards for certain health care transactions conducted electronically and code sets and unique health care identifiers for health care providers and employers. 8 In June 2006, CMS began pilot testing an internet-based user interface system for providers who check Medicare eligibility infrequently. However, an official representing the HETS system owners stated that the HETS User Interface service will likely not continue beyond the pilot initiative, and will probably end in the next 2 years because of the Medicare Administrative Contractors’ expansion of Internet services. 9 Health care clearinghouses are public or private entities, such as billing services, community health information systems, and “value-added” networks and switches, that process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity. Page 5 GAO-12-973 Health Information Technology (MACs) that assist CMS in processing claims. 10 Health care providers may request beneficiary eligibility data from HETS directly via CMS’s extranet or by utilizing the services of clearinghouses. According to clearinghouse officials with whom we spoke, many providers use clearinghouses to conduct transactions with HETS because they may not have the technical capability to connect directly to CMS’s extranet, or they may chose to employ the services of clearinghouses for financial or other reasons. For example, these providers may use clearinghouses to conduct electronic transactions with CMS and other different payers’ systems, and avoid expenses associated with establishing and maintaining the in-house technology and expertise needed to connect with multiple systems. Rather, they can conduct these transactions by establishing one connection with a clearinghouse. However, the MACs access HETS via CMS’s extranet. In all cases, users gain access to the extranet through a vendor-supplied network service. 11 According to documented system descriptions, when requesting information from HETS, a user initiates a transaction by entering data into its workstation using software systems installed within its facility. The end- users’ systems may be developed in-house by individual providers, clearinghouses, or MACs, or by commercial software vendors. The data entered into the workstation identify the provider, beneficiary, and services for which eligibility is to be verified. The data are translated by the end-user software into the standard HIPAA transaction format, then transmitted from the user’s workstation to the HETS system via either the agency’s extranet, or the vendor-supplied network service which connects to the CMS extranet. The system validates the incoming data and, if the request is valid, returns response data back to the user’s workstation. If the request data are not valid, the system responds with error codes that indicate the type of error detected in the request data. Responses are transmitted from HETS in the HIPAA format and translated by the users’ software before being presented. 10 The Medicare Prescription Drug, Improvement and Modernization Act of 2003 required CMS to implement Medicare contracting reform. The act required CMS to select new contracting entities to process medical claims, Medicare Administrative Contractors (MACs). 11 CMS contracts four vendors to provide this service. Users select one of the four to connect with the CMS extranet. Page 6 GAO-12-973 Health Information Technology According to reports provided by program officials, the number of HETS transactions has grown each year since its initial implementation in May 2005. The business and system owners with whom we spoke attributed the growth primarily to increases in the number of new users of HETS, particularly during the first 2 years of implementation, and the growth in the number of Medicare beneficiaries. Nonetheless, while the number of transactions has continued to increase, the annual rate of increase in transaction volume has declined since the system’s initial implementation. Table 1 shows HETS utilization, measured by the number of incoming transactions processed each fiscal year, from its initial implementation in May 2005 through fiscal year 2011. Table 1: HETS Transaction Volume Number % Increase Fiscal year of transactions over prior year 2005 7,063,457 2006 91,892,244 1201 2007 173,562,342 89 2008 247,323,623 42 2009 362,770,998 47 2010 504,534,542 39 2011 669,750,568 33 Source: GAO analysis of CMS data. CMS’s internal operational requirements for HETS established a goal for the system to respond to query transactions in 5 seconds or less. According to program officials, from 2005 to 2010, HETS responded to transaction inquiries well within this goal. However, reports of the system’s performance showed that beginning in January 2010, response times began to exceed 5 seconds and progressively worsened throughout most of the year. CMS attributed this performance degradation to outdated software and increases in the number of eligibility verification transactions submitted to the extent that the volume exceeded the hardware capacity. The business and system owners with whom we spoke stated that in July 2010 they began to implement a series of major improvements to the HETS operating environment and system, including hardware and software upgrades. However, users continued to experience lengthy response and system down times. Program officials stated that in January 2011 they took additional steps to address the slow response and system Page 7 GAO-12-973 Health Information Technology availability problems. In this case, they doubled the hardware capacity, replaced the operating system, and upgraded the system’s software. According to these officials, the revisions, upgrades, and replacements were more complex than expected and were not fully implemented until April 2011. Subsequently, from mid April 2011 to May 2011, CMS conducted a phased migration of HETS users to the upgraded system. Federal Requirements for Because HETS processes and transmits personal information related to Protecting Individually individuals’ Medicare program eligibility, the system is subject to federal Identifiable Health requirements for protecting the personally identifiable health information. In this regard, the Privacy Act of 1974 regulates the collection, Information maintenance, use, and dissemination of personal information by federal government agencies. It also prohibits disclosure of records held by a federal agency or its contractors in a system of records without the consent or request of the individual to whom the information pertains unless the disclosure is permitted by the Privacy Act. 12 The Privacy Act includes medical history in its definition of a record. Other federal laws and regulations further define acceptable use and disclosure activities that can be performed with individually identifiable health information, known as protected health information. 13 These activities include—provided certain conditions are met— treatment, payment, health care operations, and public health or research purposes. For example, HIPAA and its implementing regulations allow the entities they cover to use or disclose protected health information for providing clinical care to a patient. 14 These covered entities and their business associates, such as medical professionals, pharmacies, health 12 The Privacy Act defines a “system of records” as a group of records under the control of any agency that contains information about an individual and from which information is retrieved by the name of the individual or other personal identifier. 13 Protected health information is individually identifiable health information that is transmitted or maintained in any form or medium, and in this report it is used interchangeably with individually identifiable health information. 14 Covered entities are defined under regulations implementing HIPAA as health plans that provide or pay for the medical care of individuals, health care providers that electronically transmit health information in connection with transactions covered by the regulations, and health care clearinghouses that receive health information from other entities and process or facilitate the processing of that information into standard or nonstandard format for those entities (45 C.F.R § 160.103). Page 8 GAO-12-973 Health Information Technology information networks, and pharmacy benefit managers, work together to gather and confirm patients’ electronic health information that is needed to provide treatment, such as a beneficiary’s eligibility, benefits, and medical history. Key privacy and security protections associated with individually identifiable health information, including information needed by providers to verify patients’ eligibility for coverage by Medicare or private health plans, are established under HIPAA. Key privacy principles associated with individually identifiable health information, including information needed by providers to verify patients’ eligibility for coverage by Medicare of private health plans, are reflected in HIPAA. 15 HIPAA’s Administrative Simplification Provisions provided for the establishment of national privacy and security standards, as well as the establishment of civil money and criminal penalties for HIPAA violations. HHS promulgated regulations implementing the act’s provisions through its issuance of the HIPAA rules. Specifically, the HIPAA Privacy Rule regulates covered entities’ use and disclosure of protected health information. Under the Privacy Rule, a covered entity may not use or disclose an individual’s protected health information without the individual’s written authorization, except in certain circumstance expressly permitted by the Privacy Rule. These circumstances include certain treatment, payment, and other health care operations. As such, the disclosure of beneficiary eligibility information by HETS is permitted in accordance with the rule since it is used in making treatment and payment decisions. The HIPAA Privacy Rule reflects basic privacy principles for ensuring the protection of personal health information, such as limiting uses and disclosures to intended purposes, notification of privacy practices, allowing individuals to access their protected health information, securing information from improper use or disclosure, and allowing individuals to request changes to inaccurate or incomplete information. The Privacy Rule generally requires that a covered entity make reasonable efforts to 15 Pub. L. No. 104-191, Title II, Subtitle F, 110 Stat. 1936, 2021 (codified at 42 U.S.C. §§ 1320d–1320d-8). The HIPAA Privacy and Security Rules were promulgated at 45 C.F.R. Parts 160 and 164. Page 9 GAO-12-973 Health Information Technology use, disclose, or request only the minimum necessary protected health information to accomplish the intended purpose. 16 In addition to the Privacy Act and the HIPAA Privacy Rule, the E- Government Act of 2002 includes provisions to enhance the protection of personal information in government information systems. 17 To this end, the act requires federal agencies to conduct privacy impact assessments to determine the impact of their information systems on individuals’ privacy. The act also states that the assessment should be completed to analyze how information is to be handled and to evaluate needed protections and alternative processes for handling information in order to mitigate potential privacy risks. After experiencing performance problems throughout 2010, HETS is HETS Is Operational currently operating on a real-time basis and with few user concerns being and Provides noted. As of June 2012, CMS reported that 244 entities were using the system; these included 130 providers, 10 Medicare Administrative Responses to Users’ Contractors, and 104 clearinghouses that conduct query and response Requests in Real Time transactions for about 400,000 providers. 18 The agency further reported that, during the first 6 months of 2012, the system processed more than 380 million transactions from these users. System performance data showed that, since May 2011, HETS has been consistently providing service to its users 24 hours a day, 7 days a week, except during regularly scheduled maintenance periods, which occur on Monday mornings from midnight until 5:00 a.m. (CMS sometimes schedules additional outages for system maintenance and upgrades, usually during one or two weekends each month.) The performance reports showed that from January 2011 through June 2012, the system processed each month an average of 1.7 million to 2.2 million queries per day, with the highest volume of transaction processing 16 There are exceptions to the “minimum necessary” requirement of the Privacy Rule for certain disclosures for treatment and uses and disclosures required by law. 17 E-Government Act of 2002, Pub L. No. 107-347, Dec. 17, 2002, codified at 44 U.S.C. § 3501 note. 18 Within these 244 entities, multiple individuals initiate HETS inquiry transactions. The HETS system reports identify the entities that submit transactions but not individual users. Page 10 GAO-12-973 Health Information Technology occurring between 8:00 a.m. and 4:00 p.m. eastern time, Monday through Friday. About 90 percent of these transactions were initiated by the clearinghouses. Daily reports of system performance that were generated by the system showed that the average response time for 99 percent of the transactions was less than 3 seconds during the first 6 months of 2012. 19 Appendix II provides our detailed analysis of the system’s transaction volumes and response times from January 2010 through June 2012. Users of the system told us that since CMS completed hardware and software improvements in spring 2011, they have been satisfied with its operational status. They stated that they are not currently experiencing operational or communication issues. Records of contacts with CMS’s help desk regarding the operational status of HETS show that the number of calls by users declined from an average of 133 calls per week during the first quarter of 2011 to an average of 64 per week during the second quarter of 2012. The users also stated that health care insurers in the commercial sector conduct electronic eligibility verifications in a manner similar to that of CMS. They told us that, based on their experiences with using those insurers’ systems, HETS provides faster response times as well as more complete information and reliable service than the other beneficiary eligibility verification systems they use. 19 The HETS system owners stated that the agency does not maintain statistics on the number of beneficiaries queried because they have not seen a need to collect this information. Page 11 GAO-12-973 Health Information Technology CMS’s efforts to correct operational problems experienced with HETS in CMS Has Taken Steps 2010 and early 2011 led to improved performance and overall user to Ensure Users’ satisfaction with the system. To ensure that the agency is able to maintain performance that satisfies users and meets goals for response and Satisfaction and Is system availability times, HETS program officials have taken steps to Making Plans to provide ongoing support for users through help desk procedures, system Implement status notifications, and management of contractors based on incentive awards for performance that exceeds contractual requirements. Improvements to Additionally, these officials have begun to plan for improvements and Meet Future enhancements to the system in efforts to position themselves to meet future demands on the system as they projected transaction volume to Requirements increase at a rate of about 40 percent a year. Among other improvements, the officials described plans to redesign the system and upgrade hardware, and to establish service level agreements with HETS users. CMS Has Taken Steps to CMS has taken various steps to improve the operational status of HETS Ensure Users Remain and to ensure user satisfaction with its performance. With regard to Satisfied ensuring the availability of the system, CMS notifies users of the status of operations on a daily basis and whenever a change in status occurs. For example, CMS contractors perform daily health checks each morning to determine the status of HETS. If system performance or availability issues are identified, help desk contractors post messages to that effect on the system website and a trouble ticket is opened. The appropriate staff is assigned to troubleshoot and resolve the issues. Additionally, when users have complaints or issues related to the system’s operations, they are instructed to contact the help desk. Upon receipt of the problem, the help desk staff are to triage the problem and generate a ticket if the problem cannot be resolved at the help desk level. For example, if a user is unable to access the system and contacts the help desk, staff are to determine if the problem is an operational issue or is an issue with the user or another component of the system, such as the network services provided by a vendor. They are to then track the issue until the problem is resolved. According to HETS program officials, problems are generally reported when the system response time begins to slow down. CMS’s help desk contractors who support HETS post announcements on the agency’s website and send e-mails to notify users when the system is to be brought down to allow corrections to system operation problems, or to perform upgrades or maintenance. The contractors post a second Page 12 GAO-12-973 Health Information Technology announcement and send e-mails to notify users when the system becomes available after an outage. The past 6 months’ help desk announcements on the HETS website showed that additional maintenance or system upgrades were performed outside the scheduled maintenance period. Specifically, during this time CMS notified users that maintenance would be performed one to two times per month on weekends, with the system down from as few as 6 hours to as many as 3 days. In most cases, CMS sent a notice to its HETS users 2 weeks in advance of the outages. In discussions with provider, clearinghouse, and MAC users, two of the users expressed concerns with the frequency that CMS conducts maintenance outside the scheduled maintenance time. These users stated that they do not have access to the system for 1 day three to four weekends per month. However, one of these users, a provider, told us that during these times the system was accessible via an alternate portal, which indicated that HETS was operational and likely not a cause of the problem. A clearinghouse user stated that, while these outages are inconvenient, CMS notifies users well in advance of the outages and that there are some times during the announced outages when transactions can be processed. All the users with whom we spoke told us that the CMS help desk notified them in advance of any unscheduled system outages that were planned in addition to the regularly scheduled maintenance downtime. CMS has also taken steps to ensure that its contractors meet quality and service requirements related to the development, maintenance, and support of HETS. Program officials told us that the contractors’ performance is reviewed and evaluated every 6 months in addition to annual evaluations, based on measures for overall technical performance and management. The evaluations identify strengths and weaknesses noted during the evaluation periods. The contractors may be awarded financial incentives for exceeding performance expectations in certain categories, such as software maintenance and support for the system’s operations. For example, a May 2012 report on the results of the most recent 6-month evaluation of the help desk contractor’s performance documented its strengths and weaknesses. The report showed that program officials were satisfied with the contractor’s efforts to meet measures in technical performance and, therefore, provided the full financial incentive. However, they noted weaknesses in one category for which the contractor did not receive the full incentive amount. In this case, the contractor failed to deliver required reports and identify infrastructure Page 13 GAO-12-973 Health Information Technology changes that impacted the implementation of HETS. Additionally, a November 2011 report on the development contractor’s performance showed similar results. In both reports, program officials stated overall satisfaction with the contractors’ performance and noted areas of needed improvements. CMS Is Making Plans to To help ensure the current level of service is sustained during projected Ensure the System increases in transaction volumes, the system owners have initiated Supports Future various activities aimed at helping to prevent operational problems similar to those experienced with the system in 2010 and early 2011. In this Requirements regard, CMS projected the increase in transaction volume to continue at a rate of about 40 percent for the next several years. This increase is expected in part because of the discontinuance of some providers’ use of other means to obtain eligibility information from CMS and the migration of that user population to HETS by the end of March 2013. 20 Program officials also anticipate that more Medicare Administrative Contractors will begin to offer beneficiary eligibility verification services to the providers they support and will use HETS to conduct these verifications. The system and business owners described steps they took in 2011 and 2012 that were intended to help plan for future increases in the number of transactions. • In March 2011, CMS tasked its HETS development contractor to prepare a plan and process for long-term improvements to the system and its operating environment. The agency tasked an additional contractor to evaluate the existing architecture, monitoring tools, and the extent to which the existing system platform could be scaled to meet future requirements. This contractor was also tasked to propose and analyze alternatives for future system implementation and 20 The Common Working File is a data source used by fiscal intermediaries and carriers to verify beneficiary eligibility and conduct prepayment review and approval of claims from a national perspective. However, CMS is in the process of terminating the use of this system for beneficiary eligibility verifications and is migrating these users to HETS for eligibility inquires. According to program officials, CMS is taking this action because the Common Working File was developed prior to the enactment of HIPAA and was not intended for a HIPAA-compliant environment. As such, the system does not conduct beneficiary eligibility transactions that are compliant with the standards and formats defined by HIPAA or one of the HIPAA rules. Page 14 GAO-12-973 Health Information Technology recommend future service levels, monitoring tools, and practices for managing the application. • In July 2011, CMS released a Request for Information to obtain knowledge and information of current marketplace solutions that may meet future needs. As stated in the request, this action was intended to compile information that would assist CMS in the identification of potential options for creating an enterprise-level health care eligibility inquiry system that would support both real-time and batch transaction exchanges. In August 2011, 12 companies responded to the request and provided information on how their existing products could address CMS requirements. CMS analyzed the responses to the Request for Information and concluded that while 3 of the companies provided information that was not useful, others offered a range of products that CMS could consider when they begin to survey the marketplace for viable products and solutions for a future implementation of HETS. In January 2012, the two contractors completed the evaluations that were initiated in March 2011 and submitted reports that included recommendations regarding steps needed to accommodate projected eligibility transaction volumes while maintaining appropriate availability, security, and costs of HETS operations. The first report stated the existing architecture is sufficient to handle current transaction volumes and, with minor changes, should be able to handle transaction volumes anticipated for the next 2 years. The report also included recommendations to address the increases in transaction volume projected beyond the next 2 years. For example, the contractor who conducted the evaluation recommended that CMS reassess and change the architecture as transaction volumes grow, and automate routine processes, including troubleshooting practices and application start-up and shutdown procedures. This contractor also recommended that CMS establish service level agreements with its users to define and agree upon service parameters for HETS, including system availability and performance. The second contractor’s report provided technical evaluations of six commercial-off-the-shelf products that were capable of meeting future estimated transaction volumes and presented recommendations for three alternate solutions, spelling out the strengths and weaknesses of each. Program officials stated that they agree with the recommendations identified in the contractors’ reports and are making plans to address many of them in the near term. Specifically, they are planning to automate Page 15 GAO-12-973 Health Information Technology some processes, such as the application start-up and shutdown procedures. Additionally, HETS business owners stated that they are currently working to establish and document service level agreements with users, as recommended by one of the evaluation contractors. They plan to complete this activity and have agreements in place by January 2013. The officials we spoke with also described several technical improvements they intend to take to increase the system’s capacity to handle growing numbers of transactions, including some consistent with the contractors’ evaluations. For example, according to CMS’s plans for modifying and improving the system through 2015, in fiscal year 2011 CMS began to plan for development of a redesigned system to be completed by the end of June 2014. The agency awarded a contract for defining and writing requirements for the redesigned system in June 2012. Among other capabilities, as part of the system redesign CMS plans to implement batch processing of transactions in addition to the current real-time process. 21 According to HETS business owners, this capability is needed to support users’ needs since some clearinghouses receive batch files from providers and have to convert them for real-time submission. The implementation of batch processing capabilities within the system will remove the need for clearinghouses to take this extra step. Among several other initiatives to be conducted are plans to procure a contract for maintenance of the current system until the redesign is complete. This activity is necessary because the terms of the current contract expire at the end of September 2013 and the system redesign is not planned to be complete until the end of June 2014. CMS’s plans also identified a step to, by the end of August 2012, migrate the current HETS database to a new operating platform that is scalable to accommodate the expected increase in transaction volume. Further, agency officials stated that while they plan to make these improvements to the system over the next 3 years, their ability to conduct the activities they have planned is dependent on the agency’s budget. 21 In batch processing mode, transactions are accumulated throughout a time period, then transmitted at the end of a time period or when a certain number of transactions is reached. Transactions are then submitted together in a “batch.” Real-time transactions are submitted and processed one at a time as they occur. Page 16 GAO-12-973 Health Information Technology These officials stated that, to mitigate risks associated with the level of funding the program receives in the future, they prioritized improvements planned for the existing system and began to implement those that they determined to be the most cost-effective during this and early next fiscal year. Among other things, these include activities to support the current system until the redesigned system is implemented, including development of tools that enable the HETS contractors to proactively monitor system components, additional services to enhance production capacity, and automated processes for starting up and shutting down the application. Program officials stated that they will review and prioritize other activities for improving the system as part of the HETS redesign project. The Privacy Act of 1974 and the HIPAA Privacy Rule protect personally CMS Established identifiable health information, such as Medicare beneficiary information, Policies and to ensure that it is disclosed only under specified conditions and used only for its intended purpose. In accordance with these privacy Procedures Intended protections, the information provided by HETS is to be used only for to Address Privacy confirming eligibility of patients to receive benefits for services provided Principles and under the Medicare fee-for-service program. CMS is governed by the Privacy Act and all covered entities that use HETS—health care Assessed Impact and providers, clearinghouses, and Medicare contractors—are required to Risks of Sharing Data comply with the HIPAA Privacy Rule. In accordance with provisions of the Privacy Rule, the protected health information provided by HETS is to be disclosed and used only for certain activities. Among other activities, these include treatment of patients and payment for services—the activities supported by the use of HETS. CMS has taken actions intended to ensure that the personal health information sent to and from the system is protected from misuse and improper disclosure. For example, CMS documented in the HETS Rules of Behavior that users must adhere to the authorized purposes for requesting Medicare beneficiary eligibility data. Specifically, the rules state that users are authorized to request information to determine whether patients who were determined to be Medicare eligible are covered for specific services that are to be provided at the point of care. However, users are not authorized to request information for the sole purpose of determining whether patients are eligible to receive Medicare benefits. Page 17 GAO-12-973 Health Information Technology According to program officials, CMS enforces its rules of behavior by monitoring inquiries to identify behaviors that may indicate intentional misuse of the data. For example, inquiries from one user that result in high rates of errors or a high ratio of inquiries compared to the number of claims submitted may indicate that a user is searching the system to identify Medicare beneficiaries rather than using HETS for its intended purpose. Users engaging in these types of behavior may be contacted or, when appropriate, referred for investigation for inappropriate use of the data, such as health care identity theft or fraudulent billing practices. Additionally, system documentation described mechanisms that were implemented to prevent access by requesters with invalid provider identifications or certain providers who have been excluded or suspended from participating in the Medicare program. For example, CMS maintains databases of National Provider Identifiers, another HIPAA standard. 22 The eligibility request transactions submitted by HETS users include these identifiers, and, before providing beneficiary data in response to requests, the system validates the identifiers against data stored in an agency database. Additionally, according to the HETS business owners, providers who have been identified by HHS’s Office of Inspector General and the General Services Administration as ones conducting activities intended to defraud Medicare may be included on a “do not pay” list. 23 In this case, providers excluded from the program would not “need to know” information about patients’ personal health, including whether or not they 22 The National Provider Identifier is a unique identification number for covered health care providers who, along with all health plans and health care clearinghouses, must use them in the administrative and financial transactions adopted under HIPAA. Covered providers must also share their National Provider Identifier with other providers, health plans, clearinghouses, and any entity that may need it for billing purposes. 23 The HHS Office of Inspector General List of Excluded Individuals and Entities includes all individuals and entities currently excluded from participating in federally funded health care programs including Medicare and Medicaid. Exclusions are imposed for a number of reasons including: (1) Medicare or Medicaid fraud, as well as any other offenses related to the delivery of items or services under Medicare, Medicaid, the Children’s Health Insurance Program, or other state health care programs; (2) patient abuse or neglect; (3) felony convictions for other health care-related fraud, theft, or other financial misconduct; and (4) felony convictions relating to unlawful manufacture, distribution, prescription, or dispensing of controlled substances. The General Services Administration’s Excluded Parties List System includes information on entities debarred, suspended, proposed for debarment, excluded, or disqualified by federal government agencies from receiving federal contracts or federally approved subcontracts and from certain types of federal financial and nonfinancial assistance and benefits. Page 18 GAO-12-973 Health Information Technology are eligible for Medicare benefits. According to HETS officials, these data are also incorporated into the National Provider Identifier database that is used to validate identifiers submitted to HETS and, as a result, these excluded providers are also not allowed to receive information from the system. HETS system documentation also described mechanisms for securing the data transmitted to and from HETS. For example, access to the system is only allowed through CMS’s secured extranet. To gain access, the providers and clearinghouses must first submit a Trading Partner Agreement. In addition to including information needed to enable CMS and its trading partners, or users, to establish connectivity and define data exchange requirements, the agreement defines responsibilities for securing the data of the entities receiving beneficiary eligibility information from CMS. After users submit the agreement, CMS contacts them to authenticate their identity and, once authentication has been determined, CMS help desk staff provide the requester with a submitter ID that is required to be included on all transactions. Users then may request access to the CMS extranet from one of four network service vendors which establish a secure software connection to the system. 24 The table below summarizes these and other actions CMS described that address key HIPAA privacy principles relevant to the implementation of HETS. 24 While there may be many individual users within each provider, supplier, clearinghouse, and Medicare Administrative Contractors organization who access HETS, we refer to the organizations themselves as the “users.” Page 19 GAO-12-973 Health Information Technology Table 2: CMS’s Actions to Address Key HIPAA Privacy Principles Principles Actions by CMS Uses and Limits the circumstances in which an individual’s Documented in Rules of Behavior the authorized and disclosures protected health information may be used or unauthorized uses and disclosures of data. disclosed by covered entities and provides for To ensure only entitled Medicare providers have access to accounting of certain disclosures; requires covered beneficiary data, designed the system to validate the entities to make reasonable efforts to disclose or National Provider Identifiers included in each request use only the minimum necessary information to transaction to ensure the provider is active and associated accomplish the intended purpose for the uses, with the entity requesting data. disclosures, or requests, with certain exceptions such as for treatment or as required by law. Performed daily reviews to ensure that providers with invalid identifiers or who are excluded from participating in Medicare are not allowed to access beneficiary data through HETS. Monitored the number of error codes that were sent back to requestors in system responses. Officials stated that weekly error reports are reviewed to determine whether the 30 percent threshold for an accepted error rate has been exceeded. If so, CMS will follow up with the submitter and take actions as appropriate. Initially consulted with Medicare Administrative Contractors to determine the minimum amount of protected health information needed to accomplish the requestor’s purpose. Submitters may make recommendations to the help desk on an ongoing basis regarding additional information they would like to receive. Notice Requires most covered entities to provide a notice Informed users of their responsibility to comply with Privacy of their privacy practices including how personal Act and HIPAA requirements through its website and by health information may be used and disclosed. requiring users to agree and comply with requirements outlined in the Trading Partner Agreement and Rules of Behavior. Security Requires covered entities to safeguard protected Secured the data transmitted to and from HETS by only health information from inappropriate use or allowing access to the system through CMS’s secured disclosure. extranet. Authorized users based on their originating internet protocol address and CMS-issued user ID. Required users to protect data from inappropriate use or disclosure. For example, they must provide security measures, including their submitter IDs and passwords, to associate each with the particular personnel who initiated the eligibility inquiry; and must not disclose, lend, or transfer transaction identification numbers or password to other a personnel. Opportunity to Gives individuals the right to request from covered Instructed beneficiaries to contact 1-800-MEDICARE to amend entities changes to inaccurate or incomplete report inaccurate or incomplete information. In addition, protected health information held in a designated beneficiaries are informed they can contact the Social record set. Security Administration to correct their information. Page 20 GAO-12-973 Health Information Technology Principles Actions by CMS Implementation Requires covered entities to analyze their own Required all users to complete a Trading Partner of requirements needs and implement solutions appropriate for their Agreement and make certain assurances. Among other own environment based on a basic set of things, users must: ensure Medicare data are only used to requirements for which they are accountable. conduct Medicare business on behalf of Medicare providers; assume full responsibility for all submitted transactions; not make any disclosure of data that is not specifically authorized; not use data files for private gain or misrepresent themselves or CMS; and not browse or use data files for unauthorized or illegal purposes. Source: GAO analysis of CMS data. a In conducting our work, we did not review or test CMS’s controls for securing HETS data. Further, the E-Government Act of 2002 requires federal agencies to conduct privacy impact assessments, and the Office of Management and Budget (OMB) provides guidance to agencies conducting these assessments. 25 The act and OMB’s implementing guidance require that these assessments address: (1) what information is to be collected; (2) why the information is being collected; (3) the intended use of the information; (4) with whom the information will be shared ; (5) what opportunities individuals have to decline to provide the information or to consent to particular uses of the information, and how individuals can grant consent; (6) how the information will be secured ; and (7) whether a system of records is being created under the Privacy Act. According to the OMB guidance, agencies should conduct a privacy impact assessment before developing or procuring IT systems or projects that collect, maintain, or disseminate information in identifiable form from or about members of the public. Agencies are required to perform an update as necessary when a system change creates new privacy risks. Additionally, in a previous report, 26 we identified the assessment of privacy risks as an important element of the privacy impact assessment process to help officials determine appropriate privacy protection policies and techniques to implement those policies. We noted that a privacy risk analysis should be performed to determine the nature of privacy risks and 25 OMB, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, Memorandum, M-03-22 (Washington, D.C.: Sept. 26, 2003). 26 GAO, OPM Should Better Monitor Implementation of Privacy-Related Policies and Procedures for Background Investigations, GAO-10-849 (Washington, D.C.: September 2010). Page 21 GAO-12-973 Health Information Technology the resulting impact if corrective actions are not in place to mitigate those risks. CMS conducted a privacy impact assessment of HETS as called for by the E-Government Act, and updated the assessment in April 2011. The assessment addressed the seven OMB requirements for implementing privacy provisions. For example, in addressing how HETS information would be secured, it stated that the system is accessible only via the CMS private network to authorized users. The assessment also stated that the intended use of the system is to allow providers to confirm patients’ enrollment in the Medicare program and provide information that is needed to correctly bill for payment of claims. Additionally, as part of a security risk assessment, program officials also completed a privacy risk analysis of the system that addressed several privacy risks. For example, CMS assessed privacy risks related to improper disclosure of the protected health information processed by HETS and determined that the risk level was low to moderate. By establishing practices and procedures intended to protect the privacy of Medicare beneficiaries’ personal health information, and assessing the impact and risks associated with the use of HETS, CMS took required steps to address privacy principles reflected by HIPAA, the HIPAA rules, and the Privacy Act and has acted in accordance with OMB’s guidance for protecting personally identifiable information. According to officials in HHS’s Office for Civil Rights, no violations of the HIPAA Privacy Rule resulting from the use and disclosure of data provided by HETS have been reported since the system was implemented. In written comments on a draft of this report, signed by HHS’s Assistant Agency Comments Secretary for Legislation (and reprinted in appendix III), the department and Our Evaluation stated that it appreciated the opportunity to review the report prior to its publication. The department added that it regretted the poor service that resulted from operational problems in 2010 and early 2011 and that it is continuing to take steps to maintain and improve the performance of the system. The department also provided technical comments, which we incorporated as appropriate. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to interested congressional committees, the Secretary of HHS, the Administrator of CMS, and other Page 22 GAO-12-973 Health Information Technology interested parties. In addition, the report will be available at no charge on the GAO website at http://www.gao.gov. If you or your staff have any questions about this report, please contact me at (202) 512-6304 or by e-mail at email@example.com. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix IV. Sincerely yours, Valerie C. Melvin Director Information Management and Technology Resources Issues Page 23 GAO-12-973 Health Information Technology Appendix I: Objectives, Scope, and Appendix I: Objectives, Scope, and Methodology Methodology Our objectives were to (1) identify the operational status of HETS, (2) identify any steps CMS has taken to ensure users’ satisfaction and plans to take to ensure the performance of the system supports future requirements, and (3) describe CMS’s policies, processes, and procedures for protecting the privacy of beneficiary eligibility data provided by the system. To identify the operational status of HETS, we collected and analyzed documentation from program officials that described the use and daily operations of the system, such as reports on incoming transaction volume, response time, and downtime, along with documents that describe outcomes of the system, such as reported problems. To determine whether CMS provided the level of service agreed upon with HETS users, we compared the information we collected to business requirements defined in program and system plans, and to any agreements with users. Additionally, we obtained users’ views of the extent to which the current implementation of HETS satisfied their needs for timely information by holding structured interviews with selected representatives of providers; clearinghouses, which provide services for about 90 percent of Medicare providers; and a Medicare Administrative Contractor who used the system. The selected HETS users included three clearinghouses; two fee-for- service providers, including a visiting nurse agency and a medical equipment supplier; and one Medicare Administrative Contractor. Based on data provided by system performance reports for the week of March 12th through the 18th 2012, we selected the highest volume users among each user type throughout the United States. The selected users submitted about 44 percent of the 14.5 million total transactions processed during the selected period of time. Specifically, the clearinghouses submitted a total of about 40 percent of the transactions, the Medicare contractor submitted about 2 percent, and the provider and supplier submitted less than 1 percent of the transactions, respectively. We discussed with the users their experiences and satisfaction with the level of service the system has provided over the last 2 years, and the results of CMS’s efforts to resolve any problems or system-related issues. In addition, we interviewed program officials knowledgeable of the management of the program to gain additional understanding of the agency’s practices for defining performance requirements for HETS contractors, and for managing and assessing their performance relevant to ensuring efficient operations of HETS. We also discussed with the users their experiences with other automated eligibility verification Page 24 GAO-12-973 Health Information Technology Appendix I: Objectives, Scope, and Methodology systems provided by commercial health insurers. We held these discussions to determine whether these officials could share any lessons that could be beneficial to CMS in operating HETS. To identify the steps that CMS has taken to ensure that HETS users remain satisfied with the performance of the system and that the agency plans to take to ensure the system provides the level of service needed to support future requirements, we reviewed agency documents, such as project timelines and system release notes, and reports of users’ calls to the help desk. These documents described steps taken to address problems reported by users, identified systems modifications to correct problems, and showed patterns in the numbers of help desk calls over the past 2 years. We also identified steps the agency initiated to help alleviate problems introduced by increasing transaction volume as the number of Medicare beneficiaries has increased over the past 2 years. Further, through our review of relevant agency documents, contractors’ performance reports, and discussions with program officials, we identified steps CMS took to assess contractors’ performance toward providing efficient and quality service to users of HETS, and any necessary corrective actions. Additionally, we identified steps the agency plans to take toward defining and addressing future requirements of the system that may be introduced by increasing numbers of verification inquiries, and collected and reviewed documentation that provided information about projected growth in transaction volume as providers were faced with the need to conduct HETS queries of more patients filing Medicare claims. We also collected available program planning documentation that described long-term plans for the system and assessed these plans against projections of future requirements and recommendations from independent studies of CMS’s implementation of HETS. Finally, to describe the policies, processes, and procedures established by CMS to ensure that the privacy of beneficiary eligibility data is protected, we evaluated agency documentation such as HETS privacy impact and risk assessments, and agreements with users that describe CMS’s and users’ responsibilities and requirements for protecting the data processed and provided by the system. We compared the information from these documents to requirements and privacy practices derived from provisions of the Privacy Act and the HIPAA Privacy Rule. We also held a discussion with an official with HHS’s Office for Civil Rights to determine whether any complaints related to the use of HETS Page 25 GAO-12-973 Health Information Technology Appendix I: Objectives, Scope, and Methodology had been noted. In conducting our work, we did not review or test controls implemented by the agency to secure the data processed by HETS. We supplemented data collection for all objectives with interviews of agency officials, including system and business owners, who were knowledgeable of the system’s operations and improvements, contract management and oversight, and requirements and practices for protecting the privacy of personal health information. Among these officials, we held discussions with directors in CMS’s Provider Communications Group and the Business Applications Management Group, Office of Information Services. We used computer-maintained data provided by CMS program officials when addressing our first objective, and we determined the reliability of these data by obtaining corroborating evidence through interviews with agency officials who are knowledgeable of the operations of the system and its user population. We also conducted a reliability assessment of the data provided by CMS. We found the data sufficiently reliable for the purposes of this review. Page 26 GAO-12-973 Health Information Technology Appendix II: HETS Transaction Volumes and Appendix II: HETS Transaction Volumes and Response Times Response Times HETS program officials provided system-generated data that reflected the performance of the system in terms of the numbers of transactions processed each month and the response time in four categories. The data were provided for the time period beginning in January 2010, when the operational problems began to occur, through June 2012. Table 1 shows the percentage of transactions that received responses from HETS in less than 3 seconds increased from 60.8 percent to 99.9 percent during this time period. Table 3: Average System Response Time from January 2010 through June 2012 Average response time 10.00 seconds 0.00 to 2.99 seconds 3.00 to 4.99 seconds 5.00 to 9.99 seconds or greater Total Transaction No. of No. of No. of No. of No. of month transactions Percent transactions Percent transactions Percent transactions Percent transactions Percent JAN2010 22 60.8 5,718,162 15.4 8,463,492 22.8 388,670 1.0 37,142,406 100.0 FEB2010 22 62.6 6,838,862 18.8 6,001,652 16.5 783,358 2.2 36,417,379 100.0 MAR2010 25 59.8 7,920,542 18.6 7,987,584 18.7 1,260,054 3.0 42,671,420 100.0 APR2010 25 65.1 6,093,526 15.3 6,184,566 15.6 1,603,757 4.0 39,737,985 100.0 MAY2010 22 59.3 6,251,411 16.3 6,077,201 15.8 3,294,441 8.6 38,425,237 100.0 JUN2010 23 57.0 6,174,717 15.0 4,630,307 11.3 6,837,504 16.7 41,042,812 100.0 JUL2010 23 56.1 5,517,503 13.2 6,224,177 14.9 6,634,920 15.8 41,878,066 100.0 AUG2010 21 46.6 5,084,218 11.3 6,098,451 13.5 12,910,684 28.6 45,094,278 100.0 SEP2010 20 44.9 6,992,241 15.1 4,409,053 9.5 14,158,528 30.5 46,421,571 100.0 OCT2010 17 38.3 5,425,982 11.6 7,763,758 16.6 15,737,988 33.6 46,895,475 100.0 NOV2010 22 47.9 8,518,739 18.0 9,757,929 20.7 6,328,228 13.4 47,228,391 100.0 DEC2010 26 59.5 8,600,280 19.0 6,806,922 15.0 2,976,122 6.6 45,363,725 100.0 JAN2011 33 59.9 6,843,604 12.3 10,935,377 19.7 4,505,490 8.1 55,551,107 100.0 FEB2011 46 92.7 2,832,250 5.6 657,735 1.3 174,920 0.3 50,436,189 100.0 MAR2011 52 96.3 1,489,091 2.7 522,921 1.0 54,599,967 100.0 APR2011 48 95.7 781,124 1.5 1,027,342 2.0 355,643 0.7 50,406,932 100.0 MAY2011 52 97.6 773,042 1.4 177,683 0.3 355,971 0.7 53,840,105 100.0 JUN2011 52 96.1 1,018,495 1.9 990,908 1.8 139,290 0.3 54,729,824 100.0 JUL2011 51 95.0 454,101 0.8 443,551 0.8 1,835,663 3.4 54,547,111 100.0 AUG2011 60 97.1 662,293 1.1 864,661 1.4 296,853 0.5 62,005,174 100.0 SEP2011 60 98.3 525,761 0.9 368,796 0.6 157,610 0.3 61,816,134 100.0 OCT2011 57 99.0 122,630 0.2 24,304 0.0 407,222 0.7 57,839,549 100.0 NOV2011 54 99.7 163,137 0.3 54,490,041 100.0 DEC2011 56 100.0 56,269,671 100.0 Page 27 GAO-12-973 Health Information Technology Appendix II: HETS Transaction Volumes and Response Times Average response time 10.00 seconds 0.00 to 2.99 seconds 3.00 to 4.99 seconds 5.00 to 9.99 seconds or greater Total Transaction No. of No. of No. of No. of No. of month transactions Percent transactions Percent transactions Percent transactions Percent transactions Percent JAN2012 64 97.8 392,453 0.6 296,591 0.4 773,699 1.2 65,968,034 100.0 FEB2012 62 98.6 141,176 0.2 491,744 0.8 242,493 0.4 63,232,557 100.0 MAR2012 65 98.2 227,841 0.3 278,055 0.4 718,378 1.1 66,683,643 100.0 APR2012 61 99.7 61,172 0.1 24,596 0.0 88,177 0.1 61,989,780 100.0 MAY2012 62 99.9 93,673 0.1 63,065,751 100.0 JUN2012 60 99.9 50,534 0.1 8,499 0.0 60,255,164 100.0 Source: GAO analysis of agency data. Page 28 GAO-12-973 Health Information Technology Appendix III: Comments from the Appendix III: Comments from the Department of Health & Human Services Department of Health & Human Services Page 29 GAO-12-973 Health Information Technology Appendix III: Comments from the Department of Health & Human Services Page 30 GAO-12-973 Health Information Technology Appendix IV: GAO Contacts and Staff Appendix IV: GAO Contacts and Staff Acknowledgments Acknowledgments Valerie C. Melvin, (202) 512-6304 or firstname.lastname@example.org GAO Contacts In addition to the contacts named above, Teresa F. Tucker, Assistant Staff Director; Tonia D. Brown; LaSherri Bush; Sharhonda Deloach; Rebecca Acknowledgments Eyler; and Monica Perez-Nelson made key contributions to this report. (310983) Page 31 GAO-12-973 Health Information Technology GAO’s Mission The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no Obtaining Copies of cost is through GAO’s website (www.gao.gov). Each weekday afternoon, GAO Reports and GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, Testimony go to www.gao.gov and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov. Contact: To Report Fraud, Waste, and Abuse in Website: www.gao.gov/fraudnet/fraudnet.htm E-mail: email@example.com Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Katherine Siggerud, Managing Director, firstname.lastname@example.org, (202) 512- Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room Relations 7125, Washington, DC 20548 Chuck Young, Managing Director, email@example.com, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Please Print on Recycled Paper.
Health Information Technology: CMS Took Steps to Improve Its Beneficiary Eligibility Verification System
Published by the Government Accountability Office on 2012-09-12.
Below is a raw (and likely hideous) rendition of the original report. (PDF)