
Health Information Technology: CMS Took Steps to Improve Its Beneficiary Eligibility Verification System

Published by the Government Accountability Office on 2012-09-12.


United States Government Accountability Office

GAO Report to Congressional Requesters

September 2012

HEALTH INFORMATION TECHNOLOGY
CMS Took Steps to Improve Its Beneficiary Eligibility Verification System

GAO-12-973

Highlights of GAO-12-973, a report to congressional requesters




Why GAO Did This Study

Medicare is a federal program that pays for health care services for
individuals 65 years and older and certain individuals with disabilities. In
2011, Medicare covered about 48.4 million of these individuals, and total
expenditures for this coverage were approximately $565 billion. CMS, the
agency within the Department of Health and Human Services that administers
Medicare, is responsible for ensuring that proper payments are made on behalf
of the program’s beneficiaries. In response to HIPAA requirements, CMS
developed and implemented an information technology system to help providers
determine beneficiaries’ eligibility for Medicare coverage. In May 2005 CMS
began offering automated services through HETS, a query and response system
that provides data to users about Medicare beneficiaries and their eligibility
to receive payment for health care services and supplies.

Because of the important role that HETS plays in providers having access to
timely and accurate data to determine eligibility, GAO was asked to (1)
identify the operational status of HETS, (2) identify any steps CMS has taken
to ensure users’ satisfaction and plans to take to ensure the system supports
future requirements, and (3) describe CMS’s policies, processes, and
procedures for protecting the privacy of data provided by HETS.

To do so, GAO collected and analyzed documentation from program officials,
such as reports on transaction volume and response times, agreements with
users, and CMS’s privacy impact and risk assessments of HETS. GAO also
interviewed program officials and system users.

View GAO-12-973. For more information, contact Valerie Melvin at
(202) 512-6304 or melvinv@gao.gov.

What GAO Found

The Centers for Medicare and Medicaid Services (CMS) currently offers to
Medicare providers and Medicare Administrative Contractors the use of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Eligibility
Transaction System (HETS) in a real-time data processing environment. HETS is
operational 24 hours a day, 7 days a week, except during regularly scheduled
maintenance Monday mornings, from midnight until 5:00 a.m., and when CMS
announces other maintenance periods during one or two weekends each month.
According to program officials, 244 entities were using HETS in 2012, including
about 130 providers, 104 clearinghouses that provide data exchange services to
about 400,000 health care providers, and 10 Medicare contractors that help CMS
process claims for services. From January through June 2012, HETS processed
each month an average of 1.7 million to 2.2 million queries per day with most of
the queries submitted between the hours of 8:00 a.m. and 4:00 p.m. eastern
time. The users with whom we spoke confirmed that operational problems they
experienced with the system in 2010 and the first few months of 2011 were
resolved in spring 2011 after CMS implemented several hardware and software
replacements and upgrades. System performance reports for the first 6 months
of 2012 showed that the average response time per transaction was less than 3
seconds. Users described experiences with the system that were consistent with
these data. They told us that they are currently satisfied with the operational
status of HETS and that the system provides more complete information and
reliable service than other systems that they use to verify eligibility with
commercial health insurers.

CMS took steps to ensure users remain satisfied with the system’s performance,
including notifying users in advance of system downtime, providing help desk
support, and monitoring contractors’ performance. The agency had also planned
several technical improvements intended to increase HETS’ capacity to process
a growing number of transactions, which the agency projected to increase at a
rate of about 40 percent each year. These plans include a redesign of the system
and migration to a new database environment that is scalable to accommodate
the projected increase in transaction volume. According to HETS program
officials, near-term plans also include the implementation of tools to enable
proactive monitoring of system components and additional services intended to
enhance production capacity until the planned redesign of the system is
complete.

To help protect the privacy of beneficiary eligibility data provided by HETS, CMS
established policies, processes, and procedures that are intended to address
principles reflected by the HIPAA Privacy Rule. For example, in its efforts to
ensure proper uses and disclosures of the data, CMS documented in user
agreements the authorized and unauthorized purposes for requesting Medicare
beneficiary eligibility data. Additionally, the agency conducted privacy impact and
risk assessments of HETS as required by the E-Government Act of 2002.
Officials from the Department of Health and Human Services’ Office for Civil
Rights stated that no privacy violations had been reported regarding the use of
the protected health data provided by HETS since its implementation in 2005.

Contents

Letter
    Background
    HETS Is Operational and Provides Responses to Users’ Requests in Real Time
    CMS Has Taken Steps to Ensure Users’ Satisfaction and Is Making Plans to
      Implement Improvements to Meet Future Requirements
    CMS Established Policies and Procedures Intended to Address Privacy
      Principles and Assessed Impact and Risks of Sharing Data
    Agency Comments and Our Evaluation

Appendix I     Objectives, Scope, and Methodology
Appendix II    HETS Transaction Volumes and Response Times
Appendix III   Comments from the Department of Health & Human Services
Appendix IV    GAO Contacts and Staff Acknowledgments

Tables
    Table 1: HETS Transaction Volume
    Table 2: CMS’s Actions to Address Key HIPAA Privacy Principles
    Table 3: Average System Response Time from January 2010 through June 2012

               Page i                                GAO-12-973 Health Information Technology
Abbreviations

CMS               Centers for Medicare and Medicaid Services
HETS              HIPAA Eligibility Transaction System
HHS               Department of Health and Human Services
HIPAA             Health Insurance Portability and Accountability Act of 1996
MAC               Medicare Administrative Contractor
OMB               Office of Management and Budget

This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.




United States Government Accountability Office
Washington, DC 20548




                                   September 12, 2012

                                   The Honorable Orrin Hatch
                                   Ranking Member
                                   Committee on Finance
                                   United States Senate

                                   The Honorable Richard M. Burr
                                   Ranking Member
                                   Subcommittee on Children and Families
                                   Committee on Health, Education, Labor, and Pensions
                                   United States Senate

                                   The Honorable Tom Coburn, M.D.
                                   Ranking Member
                                   Permanent Subcommittee on Investigations
                                   Committee on Homeland Security and Governmental Affairs
                                   United States Senate

                                   Medicare is a federal program that pays for health care services for
                                   individuals 65 years and older, certain individuals with disabilities, and
                                   those with end-stage renal disease. It is funded by general revenues;
                                   payroll taxes paid by most employees; employers and individuals who are
                                   self employed; and beneficiary premiums. In 2011, Medicare covered
                                   about 48.4 million of these individuals with a total expenditure of
                                   approximately $565 billion. The Centers for Medicare and Medicaid
                                   Services (CMS), the agency within the Department of Health and Human
                                   Services (HHS) that administers Medicare, is responsible for ensuring
                                   that proper payments are made on behalf of its beneficiaries to the
                                   doctors, hospitals, visiting nurses, and others who provide health care
                                   services and treatment, along with entities that supply medical equipment
                                   such as wheelchairs, walkers, and hospital beds to their patients.

To avoid risks that they may not be reimbursed for services, these health
care providers take steps to determine whether patients and services are
covered by entities that pay for health care expenses, such as Medicare.
Toward this end, CMS developed and implemented an information
technology system to help providers determine Medicare beneficiaries’
eligibility for health care services and supplies in response to
requirements under the Health Insurance Portability and Accountability
Act of 1996, or HIPAA. 1 CMS officials stated that, in accordance with the
act, on May 31, 2005, the agency began offering automated services for
determining Medicare eligibility for certain beneficiaries through the use of
an information technology system called the HIPAA Eligibility Transaction
System, or HETS. 2 Five years after its implementation, however,
problems with the performance of the system were noted by CMS and its
users.

Because of the important role that HETS plays in assuring that providers
have timely and accurate data to determine Medicare beneficiaries’
eligibility, you requested that we undertake a review of the system. Our
specific objectives were to (1) identify the operational status of HETS, (2)
identify any steps CMS has taken to ensure users’ satisfaction and plans
to take to ensure the performance of the system supports future
requirements, and (3) describe CMS’s policies, processes, and
procedures for protecting the privacy of beneficiary eligibility data
provided by the system.

To identify the operational status of HETS, we collected and analyzed
documentation from program officials that described daily operations of
the system, such as reports on incoming transaction volume, response
time, and downtime, along with documents that describe outcomes of the
system, including reported problems. We also determined the level of
service provided to HETS users by comparing the information we
collected to business requirements defined in program and system plans
and strategies, and by obtaining users’ views of the extent to which the
current implementation of HETS met their needs. To do this, we selected
and interviewed representatives of the six highest volume users
throughout the United States. These users were identified as those
having submitted approximately 35 percent of the total HETS information
requests during a week in March 2012, the week selected for our study.

1 Pub. L. No. 104-191, Title II, Subtitle F, 110 Stat. 1936, 2021 (codified at 42 U.S.C. §§
1320d–1320d-8). HIPAA required the adoption of uniform data interchange standards.
2 45 C.F.R. Part 162 sets out that HETS is the electronic data interchange standard for
health care eligibility inquiry and response transactions.

To identify the steps that CMS has taken to ensure HETS users are
satisfied with the performance of the system, and that the agency plans to
take to ensure the system provides the level of service needed to support
future requirements, we reviewed agency documents, interviewed
business and system owners knowledgeable of the management of the
program, and identified steps CMS took to assess contractors’
performance toward providing efficient and quality service to users of
HETS. We also collected and analyzed program planning documentation
that described long-term plans for the system and assessed those plans
against projections of future requirements and recommendations from
independent studies of CMS’s implementation of the system.

             Finally, to describe the policies, processes, and procedures established
             by CMS to protect the privacy of beneficiary eligibility data, we evaluated
             agency documentation such as agreements with users regarding the use
             of the system and requirements for handling data, and the system’s
             privacy impact and risk assessments. We compared information
             discussed in these documents to requirements and practices derived from
             relevant privacy laws, including the HIPAA Privacy Rule 3 and the Privacy
             Act of 1974. 4 In conducting our work, we did not review or test controls
             implemented by the agency to secure the data processed by HETS. More
             detailed information about our objectives, scope, and methodology is
             discussed in appendix I.

             We conducted this performance audit from February 2012 to August 2012
             in accordance with generally accepted government auditing standards.
             Those standards require that we plan and perform the audit to obtain
             sufficient, appropriate evidence to provide a reasonable basis for our
             findings and conclusions based on our audit objectives. We believe that
             the evidence obtained provides a reasonable basis for our findings and
             conclusions based on our audit objectives.


3 Pub. L. No. 104-191, Title II, Subtitle F, 110 Stat. 1936, 2021 (codified at 42 U.S.C. §§
1320d–1320d-8). The HIPAA Privacy Rule was promulgated at 45 C.F.R. Part 160.
4 Title 5 U.S.C. 552a.

Background

Medicare consists of four parts—A, B, C, and D. Medicare Part A
provides payment for inpatient hospital, skilled nursing facility, some
home health, and hospice services, while Part B pays for hospital
outpatient, physician, some home health, durable medical equipment, and
preventive services. In addition, Medicare beneficiaries have an option to
participate in Medicare Advantage, also known as Part C, which pays
private health plans to provide the services covered by Medicare Parts A
and B. Further, all Medicare beneficiaries may purchase coverage for
outpatient prescription drugs under Medicare Part D, and some Medicare
Advantage plans also include Part D coverage. The fee-for-service
portion of the Medicare program (Parts A and B) processes approximately
a billion claims each year from about 1.5 million providers who deliver and
bill Medicare for health care services and supplies.

                           In delivering patient care, providers need to not only ensure that claims
                           for services covered by Medicare and other health care insurers are
                           submitted correctly, but to also ensure that beneficiaries receive benefits
                           to which they are entitled. To do this, these providers need access to
                           accurate and timely eligibility information to help them determine whether
                           and how to properly submit claims for payment to Medicare and other
                           insurers on behalf of their patients. Many health care insurers have
                           implemented information technology systems to help providers make this
                           determination at the time services are being delivered—that is, at the
                           point of care—by providing electronic data on a real-time basis regarding
                           patients’ benefits covered by their insurance plans.


CMS’s Implementation of HETS to Assist Providers

To assist providers with verifying beneficiaries’ eligibility for services
under Medicare, and in response to HIPAA requirements, CMS provided
an electronic mechanism that allowed providers to access real-time data
at the point care is scheduled or delivered. 5 To meet this requirement,
CMS officials stated that they implemented the initial version of HETS in
May 2005.

5 The provisions of the law established requirements for the implementation of standard
transactions for the electronic transmission of certain health information, including
patients’ eligibility to receive health care services and supplies covered by Medicare.

CMS’s Business Applications Management Group and the Provider
Communications Group are the system and business owners of HETS.
As such, these groups are responsible for the development,
implementation, maintenance, and support of the system, as well as
establishing business rules regarding the use of the system application,
such as agreements regarding the use and protection of the data
provided by HETS. CMS awarded cost-plus-award-fee contracts to two
contractors to assist the agency with developing and maintaining HETS,
performing independent testing, production support, help desk, and
project integration services.

HETS operates from CMS’s data center in Baltimore, Maryland, and is
accessed by users via the CMS extranet. 6 The system is comprised of
software that processes query and response transactions, along with
hardware, such as servers that support connections with users’ facilities
and the internet, and devices that store the data provided by the system.
The system software is designed to process transactions according to
standards and formats defined by HIPAA. 7 It was designed to allow the
release of patients’ data to Medicare providers, or their authorized billing
agents, to support their efforts to complete accurate Medicare claims
when determining beneficiaries’ liability and eligibility for specific
services. 8 CMS officials stated that the agency does not receive any
payments for the use of HETS, nor does the agency require Medicare
providers to use HETS to verify eligibility prior to filing claims.

CMS intended for HETS to be used by health care providers; health care
clearinghouses, which are entities that provide electronic data exchange
services for their customers; 9 and Medicare Administrative Contractors
(MACs) that assist CMS in processing claims. 10 Health care providers
may request beneficiary eligibility data from HETS directly via CMS’s
extranet or by utilizing the services of clearinghouses. According to
clearinghouse officials with whom we spoke, many providers use
clearinghouses to conduct transactions with HETS because they may not
have the technical capability to connect directly to CMS’s extranet, or they
may choose to employ the services of clearinghouses for financial or other
reasons. For example, these providers may use clearinghouses to
conduct electronic transactions with CMS and other different payers’
systems, and avoid expenses associated with establishing and
maintaining the in-house technology and expertise needed to connect
with multiple systems. Rather, they can conduct these transactions by
establishing one connection with a clearinghouse. However, the MACs
access HETS via CMS’s extranet. In all cases, users gain access to the
extranet through a vendor-supplied network service. 11

6 An extranet is a computer network that allows controlled access from outside an
organization’s intranet, usually by partners, vendors, and suppliers, in isolation from all
other internet users. The CMS extranet is a secure closed private network used for
transmission of electronic transactions between CMS and Medicare contractors,
providers, or clearinghouses.
7 The Administrative Simplification provisions of HIPAA provided for the establishment of
national standards for the electronic transmission of certain health information, such as
standards for certain health care transactions conducted electronically and code sets and
unique health care identifiers for health care providers and employers.
8 In June 2006, CMS began pilot testing an internet-based user interface system for
providers who check Medicare eligibility infrequently. However, an official representing the
HETS system owners stated that the HETS User Interface service will likely not continue
beyond the pilot initiative, and will probably end in the next 2 years because of the
Medicare Administrative Contractors’ expansion of Internet services.
9 Health care clearinghouses are public or private entities, such as billing services,
community health information systems, and “value-added” networks and switches, that
process or facilitate the processing of health information received from another entity in a
nonstandard format or containing nonstandard data content into standard data elements
or a standard transaction, or receives a standard transaction from another entity and
processes or facilitates the processing of health information into nonstandard format or
nonstandard data content for the receiving entity.

According to documented system descriptions, when requesting
information from HETS, a user initiates a transaction by entering data into
its workstation using software systems installed within its facility. The end-
users’ systems may be developed in-house by individual providers,
clearinghouses, or MACs, or by commercial software vendors. The data
entered into the workstation identify the provider, beneficiary, and
services for which eligibility is to be verified. The data are translated by
the end-user software into the standard HIPAA transaction format, then
transmitted from the user’s workstation to the HETS system via either the
agency’s extranet, or the vendor-supplied network service which connects
to the CMS extranet. The system validates the incoming data and, if the
request is valid, returns response data back to the user’s workstation. If
the request data are not valid, the system responds with error codes that
indicate the type of error detected in the request data. Responses are
transmitted from HETS in the HIPAA format and translated by the users’
software before being presented.




10 The Medicare Prescription Drug, Improvement and Modernization Act of 2003 required
CMS to implement Medicare contracting reform. The act required CMS to select new
contracting entities to process medical claims, Medicare Administrative Contractors
(MACs).
11 CMS contracts four vendors to provide this service. Users select one of the four to
connect with the CMS extranet.

According to reports provided by program officials, the number of HETS
transactions has grown each year since its initial implementation in May
2005. The business and system owners with whom we spoke attributed
the growth primarily to increases in the number of new users of HETS,
particularly during the first 2 years of implementation, and the growth in
the number of Medicare beneficiaries. Nonetheless, while the number of
transactions has continued to increase, the annual rate of increase in
transaction volume has declined since the system’s initial implementation.
Table 1 shows HETS utilization, measured by the number of incoming
transactions processed each fiscal year, from its initial implementation in
May 2005 through fiscal year 2011.

Table 1: HETS Transaction Volume

Fiscal year    Number of transactions    % Increase over prior year
2005                        7,063,457
2006                       91,892,244                          1201
2007                      173,562,342                            89
2008                      247,323,623                            42
2009                      362,770,998                            47
2010                      504,534,542                            39
2011                      669,750,568                            33

Source: GAO analysis of CMS data.



CMS’s internal operational requirements for HETS established a goal for
the system to respond to query transactions in 5 seconds or less.
According to program officials, from 2005 to 2010, HETS responded to
transaction inquiries well within this goal. However, reports of the
system’s performance showed that beginning in January 2010, response
times began to exceed 5 seconds and progressively worsened throughout
most of the year. CMS attributed this performance degradation to
outdated software and increases in the number of eligibility verification
transactions submitted to the extent that the volume exceeded the
hardware capacity.

The business and system owners with whom we spoke stated that in July
2010 they began to implement a series of major improvements to the
HETS operating environment and system, including hardware and
software upgrades. However, users continued to experience lengthy
response and system down times. Program officials stated that in January
2011 they took additional steps to address the slow response and system
availability problems. In this case, they doubled the hardware capacity,
replaced the operating system, and upgraded the system’s software.
According to these officials, the revisions, upgrades, and replacements
were more complex than expected and were not fully implemented until
April 2011. Subsequently, from mid April 2011 to May 2011, CMS
conducted a phased migration of HETS users to the upgraded system.


Federal Requirements for   Because HETS processes and transmits personal information related to
Protecting Individually    individuals’ Medicare program eligibility, the system is subject to federal
Identifiable Health        requirements for protecting the personally identifiable health information.
                           In this regard, the Privacy Act of 1974 regulates the collection,
Information                maintenance, use, and dissemination of personal information by federal
                           government agencies. It also prohibits disclosure of records held by a
                           federal agency or its contractors in a system of records without the
                           consent or request of the individual to whom the information pertains
                           unless the disclosure is permitted by the Privacy Act. 12 The Privacy Act
                           includes medical history in its definition of a record.

                           Other federal laws and regulations further define acceptable use and
                           disclosure activities that can be performed with individually identifiable
                           health information, known as protected health information. 13 These
                           activities include—provided certain conditions are met— treatment,
                           payment, health care operations, and public health or research purposes.
                           For example, HIPAA and its implementing regulations allow the entities
                           they cover to use or disclose protected health information for providing
                           clinical care to a patient. 14 These covered entities and their business
                           associates, such as medical professionals, pharmacies, health
                           information networks, and pharmacy benefit managers, work together to
                           gather and confirm patients’ electronic health information that is needed
                           to provide treatment, such as a beneficiary’s eligibility, benefits, and
                           medical history. Key privacy and security protections associated with
                           individually identifiable health information, including information needed
                           by providers to verify patients’ eligibility for coverage by Medicare or
                           private health plans, are established under HIPAA.

                           12 The Privacy Act defines a “system of records” as a group of records under the control of
                           any agency that contains information about an individual and from which information is
                           retrieved by the name of the individual or other personal identifier.
                           13 Protected health information is individually identifiable health information that is
                           transmitted or maintained in any form or medium, and in this report it is used
                           interchangeably with individually identifiable health information.
                           14 Covered entities are defined under regulations implementing HIPAA as health plans that
                           provide or pay for the medical care of individuals, health care providers that electronically
                           transmit health information in connection with transactions covered by the regulations, and
                           health care clearinghouses that receive health information from other entities and process
                           or facilitate the processing of that information into standard or nonstandard format for
                           those entities (45 C.F.R. § 160.103).

Key privacy principles associated with individually identifiable health
information, including information needed by providers to verify patients’
eligibility for coverage by Medicare or private health plans, are reflected in
HIPAA. 15 HIPAA’s Administrative Simplification Provisions provided for
the establishment of national privacy and security standards, as well as
the establishment of civil money and criminal penalties for HIPAA
violations. HHS promulgated regulations implementing the act’s
provisions through its issuance of the HIPAA rules. Specifically, the
HIPAA Privacy Rule regulates covered entities’ use and disclosure of
protected health information. Under the Privacy Rule, a covered entity
may not use or disclose an individual’s protected health information
without the individual’s written authorization, except in certain
circumstances expressly permitted by the Privacy Rule. These
circumstances include certain treatment, payment, and other health care
operations. As such, the disclosure of beneficiary eligibility information by
HETS is permitted in accordance with the rule since it is used in making
treatment and payment decisions.

The HIPAA Privacy Rule reflects basic privacy principles for ensuring the
protection of personal health information, such as limiting uses and
disclosures to intended purposes, notification of privacy practices,
allowing individuals to access their protected health information, securing
information from improper use or disclosure, and allowing individuals to
request changes to inaccurate or incomplete information. The Privacy
Rule generally requires that a covered entity make reasonable efforts to
use, disclose, or request only the minimum necessary protected health
information to accomplish the intended purpose. 16

15 Pub. L. No. 104-191, Title II, Subtitle F, 110 Stat. 1936, 2021 (codified at 42 U.S.C. §§
1320d–1320d-8). The HIPAA Privacy and Security Rules were promulgated at 45 C.F.R.
Parts 160 and 164.

                        In addition to the Privacy Act and the HIPAA Privacy Rule, the E-
                        Government Act of 2002 includes provisions to enhance the protection of
                        personal information in government information systems. 17 To this end,
                        the act requires federal agencies to conduct privacy impact assessments
                        to determine the impact of their information systems on individuals’
                        privacy. The act also states that the assessment should be completed to
                        analyze how information is to be handled and to evaluate needed
                        protections and alternative processes for handling information in order to
                        mitigate potential privacy risks.


HETS Is Operational and Provides Responses to Users’ Requests in Real Time

                        After experiencing performance problems throughout 2010, HETS is
                        currently operating on a real-time basis and with few user concerns being
                        noted. As of June 2012, CMS reported that 244 entities were using the
                        system; these included 130 providers, 10 Medicare Administrative
                        Contractors, and 104 clearinghouses that conduct query and response
                        transactions for about 400,000 providers. 18 The agency further reported
                        that, during the first 6 months of 2012, the system processed more than
                        380 million transactions from these users.

                        System performance data showed that, since May 2011, HETS has been
                        consistently providing service to its users 24 hours a day, 7 days a week,
                        except during regularly scheduled maintenance periods, which occur on
                        Monday mornings from midnight until 5:00 a.m. (CMS sometimes
                        schedules additional outages for system maintenance and upgrades,
                        usually during one or two weekends each month.)

                        The performance reports showed that from January 2011 through June
                        2012, the system processed each month an average of 1.7 million to 2.2
                        million queries per day, with the highest volume of transaction processing
                        occurring between 8:00 a.m. and 4:00 p.m. eastern time, Monday through
                        Friday. About 90 percent of these transactions were initiated by the
                        clearinghouses. Daily reports of system performance that were generated
                        by the system showed that the average response time for 99 percent of
                        the transactions was less than 3 seconds during the first 6 months of
                        2012. 19 Appendix II provides our detailed analysis of the system’s
                        transaction volumes and response times from January 2010 through June
                        2012.

                        16 There are exceptions to the “minimum necessary” requirement of the Privacy Rule for
                        certain disclosures for treatment and uses and disclosures required by law.
                        17 E-Government Act of 2002, Pub. L. No. 107-347, Dec. 17, 2002, codified at 44 U.S.C. §
                        3501 note.
                        18 Within these 244 entities, multiple individuals initiate HETS inquiry transactions. The
                        HETS system reports identify the entities that submit transactions but not individual users.

Users of the system told us that since CMS completed hardware and
software improvements in spring 2011, they have been satisfied with its
operational status. They stated that they are not currently experiencing
operational or communication issues. Records of contacts with CMS’s
help desk regarding the operational status of HETS show that the number
of calls by users declined from an average of 133 calls per week during
the first quarter of 2011 to an average of 64 per week during the second
quarter of 2012.

The users also stated that health care insurers in the commercial sector
conduct electronic eligibility verifications in a manner similar to that of
CMS. They told us that, based on their experiences with using those
insurers’ systems, HETS provides faster response times as well as more
complete information and reliable service than the other beneficiary
eligibility verification systems they use.




19 The HETS system owners stated that the agency does not maintain statistics on the
number of beneficiaries queried because they have not seen a need to collect this
information.




CMS Has Taken Steps to Ensure Users’ Satisfaction and Is Making Plans to Implement Improvements to Meet Future Requirements

                         CMS’s efforts to correct operational problems experienced with HETS in
                         2010 and early 2011 led to improved performance and overall user
                         satisfaction with the system. To ensure that the agency is able to maintain
                         performance that satisfies users and meets goals for response and
                         system availability times, HETS program officials have taken steps to
                         provide ongoing support for users through help desk procedures, system
                         status notifications, and management of contractors based on incentive
                         awards for performance that exceeds contractual requirements.
                         Additionally, these officials have begun to plan for improvements and
                         enhancements to the system in efforts to position themselves to meet
                         future demands on the system as they projected transaction volume to
                         increase at a rate of about 40 percent a year. Among other
                         improvements, the officials described plans to redesign the system and
                         upgrade hardware, and to establish service level agreements with HETS
                         users.


CMS Has Taken Steps to Ensure Users Remain Satisfied

                         CMS has taken various steps to improve the operational status of HETS
                         and to ensure user satisfaction with its performance. With regard to
                         ensuring the availability of the system, CMS notifies users of the status of
                         operations on a daily basis and whenever a change in status occurs. For
                         example, CMS contractors perform daily health checks each morning to
                         determine the status of HETS. If system performance or availability
                         issues are identified, help desk contractors post messages to that effect
                         on the system website and a trouble ticket is opened. The appropriate
                         staff is assigned to troubleshoot and resolve the issues.

                         Additionally, when users have complaints or issues related to the
                         system’s operations, they are instructed to contact the help desk. Upon
                         receipt of the problem, the help desk staff are to triage the problem and
                         generate a ticket if the problem cannot be resolved at the help desk level.
                         For example, if a user is unable to access the system and contacts the
                         help desk, staff are to determine if the problem is an operational issue or
                         is an issue with the user or another component of the system, such as the
                         network services provided by a vendor. They are to then track the issue
                         until the problem is resolved. According to HETS program officials,
                         problems are generally reported when the system response time begins
                         to slow down.

                         CMS’s help desk contractors who support HETS post announcements on
                         the agency’s website and send e-mails to notify users when the system is
                         to be brought down to allow corrections to system operation problems, or
                         to perform upgrades or maintenance. The contractors post a second
                         announcement and send e-mails to notify users when the system
                         becomes available after an outage.

The past 6 months’ help desk announcements on the HETS website
showed that additional maintenance or system upgrades were performed
outside the scheduled maintenance period. Specifically, during this time
CMS notified users that maintenance would be performed one to two
times per month on weekends, with the system down from as few as 6
hours to as many as 3 days. In most cases, CMS sent a notice to its
HETS users 2 weeks in advance of the outages.

In discussions with provider, clearinghouse, and MAC users, two of the
users expressed concerns with the frequency that CMS conducts
maintenance outside the scheduled maintenance time. These users
stated that they do not have access to the system for 1 day three to four
weekends per month. However, one of these users, a provider, told us
that during these times the system was accessible via an alternate portal,
which indicated that HETS was operational and likely not a cause of the
problem. A clearinghouse user stated that, while these outages are
inconvenient, CMS notifies users well in advance of the outages and that
there are some times during the announced outages when transactions
can be processed. All the users with whom we spoke told us that the
CMS help desk notified them in advance of any unscheduled system
outages that were planned in addition to the regularly scheduled
maintenance downtime.

CMS has also taken steps to ensure that its contractors meet quality and
service requirements related to the development, maintenance, and
support of HETS. Program officials told us that the contractors’
performance is reviewed and evaluated every 6 months in addition to
annual evaluations, based on measures for overall technical performance
and management. The evaluations identify strengths and weaknesses
noted during the evaluation periods. The contractors may be awarded
financial incentives for exceeding performance expectations in certain
categories, such as software maintenance and support for the system’s
operations. For example, a May 2012 report on the results of the most
recent 6-month evaluation of the help desk contractor’s performance
documented its strengths and weaknesses. The report showed that
program officials were satisfied with the contractor’s efforts to meet
measures in technical performance and, therefore, provided the full
financial incentive. However, they noted weaknesses in one category for
which the contractor did not receive the full incentive amount. In this case,
the contractor failed to deliver required reports and identify infrastructure
changes that impacted the implementation of HETS. Additionally, a
November 2011 report on the development contractor’s performance
showed similar results. In both reports, program officials stated overall
satisfaction with the contractors’ performance and noted areas of needed
improvements.


CMS Is Making Plans to Ensure the System Supports Future Requirements

                         To help ensure the current level of service is sustained during projected
                         increases in transaction volumes, the system owners have initiated
                         various activities aimed at helping to prevent operational problems similar
                         to those experienced with the system in 2010 and early 2011. In this
                         regard, CMS projected the increase in transaction volume to continue at a
                         rate of about 40 percent for the next several years. This increase is
                         expected in part because of the discontinuance of some providers’ use of
                         other means to obtain eligibility information from CMS and the migration
                         of that user population to HETS by the end of March 2013. 20 Program
                         officials also anticipate that more Medicare Administrative Contractors will
                         begin to offer beneficiary eligibility verification services to the providers
                         they support and will use HETS to conduct these verifications.

                         The system and business owners described steps they took in 2011 and
                         2012 that were intended to help plan for future increases in the number of
                         transactions.

•   In March 2011, CMS tasked its HETS development contractor to
    prepare a plan and process for long-term improvements to the system
    and its operating environment. The agency tasked an additional
    contractor to evaluate the existing architecture, monitoring tools, and
    the extent to which the existing system platform could be scaled to
    meet future requirements. This contractor was also tasked to propose
    and analyze alternatives for future system implementation and
    recommend future service levels, monitoring tools, and practices for
    managing the application.

•   In July 2011, CMS released a Request for Information to obtain
    knowledge and information of current marketplace solutions that may
    meet future needs. As stated in the request, this action was intended
    to compile information that would assist CMS in the identification of
    potential options for creating an enterprise-level health care eligibility
    inquiry system that would support both real-time and batch transaction
    exchanges. In August 2011, 12 companies responded to the request
    and provided information on how their existing products could address
    CMS requirements. CMS analyzed the responses to the Request for
    Information and concluded that while 3 of the companies provided
    information that was not useful, others offered a range of products
    that CMS could consider when they begin to survey the marketplace
    for viable products and solutions for a future implementation of HETS.

20 The Common Working File is a data source used by fiscal intermediaries and carriers to
verify beneficiary eligibility and conduct prepayment review and approval of claims from a
national perspective. However, CMS is in the process of terminating the use of this system
for beneficiary eligibility verifications and is migrating these users to HETS for eligibility
inquiries. According to program officials, CMS is taking this action because the Common
Working File was developed prior to the enactment of HIPAA and was not intended for a
HIPAA-compliant environment. As such, the system does not conduct beneficiary eligibility
transactions that are compliant with the standards and formats defined by HIPAA or one of
the HIPAA rules.

In January 2012, the two contractors completed the evaluations that were
initiated in March 2011 and submitted reports that included
recommendations regarding steps needed to accommodate projected
eligibility transaction volumes while maintaining appropriate availability,
security, and costs of HETS operations. The first report stated the existing
architecture is sufficient to handle current transaction volumes and, with
minor changes, should be able to handle transaction volumes anticipated
for the next 2 years.

The report also included recommendations to address the increases in
transaction volume projected beyond the next 2 years. For example, the
contractor who conducted the evaluation recommended that CMS
reassess and change the architecture as transaction volumes grow, and
automate routine processes, including troubleshooting practices and
application start-up and shutdown procedures. This contractor also
recommended that CMS establish service level agreements with its users
to define and agree upon service parameters for HETS, including system
availability and performance. The second contractor’s report provided
technical evaluations of six commercial-off-the-shelf products that were
capable of meeting future estimated transaction volumes and presented
recommendations for three alternate solutions, spelling out the strengths
and weaknesses of each.

Program officials stated that they agree with the recommendations
identified in the contractors’ reports and are making plans to address
many of them in the near term. Specifically, they are planning to automate
some processes, such as the application start-up and shutdown
procedures. Additionally, HETS business owners stated that they are
currently working to establish and document service level agreements
with users, as recommended by one of the evaluation contractors. They
plan to complete this activity and have agreements in place by January
2013.

The officials we spoke with also described several technical
improvements they intend to take to increase the system’s capacity to
handle growing numbers of transactions, including some consistent with
the contractors’ evaluations. For example, according to CMS’s plans for
modifying and improving the system through 2015, in fiscal year 2011
CMS began to plan for development of a redesigned system to be
completed by the end of June 2014. The agency awarded a contract for
defining and writing requirements for the redesigned system in June
2012. Among other capabilities, as part of the system redesign CMS
plans to implement batch processing of transactions in addition to the
current real-time process. 21 According to HETS business owners, this
capability is needed to support users’ needs since some clearinghouses
receive batch files from providers and have to convert them for real-time
submission. The implementation of batch processing capabilities within
the system will remove the need for clearinghouses to take this extra
step.

Among several other initiatives to be conducted are plans to procure a
contract for maintenance of the current system until the redesign is
complete. This activity is necessary because the terms of the current
contract expire at the end of September 2013 and the system redesign is
not planned to be complete until the end of June 2014. CMS’s plans also
identified a step to, by the end of August 2012, migrate the current HETS
database to a new operating platform that is scalable to accommodate
the expected increase in transaction volume.

Further, agency officials stated that while they plan to make these
improvements to the system over the next 3 years, their ability to conduct
the activities they have planned is dependent on the agency’s budget.
These officials stated that, to mitigate risks associated with the level of
funding the program receives in the future, they prioritized improvements
planned for the existing system and began to implement those that they
determined to be the most cost-effective during this and early next fiscal
year. Among other things, these include activities to support the current
system until the redesigned system is implemented, including
development of tools that enable the HETS contractors to proactively
monitor system components, additional services to enhance production
capacity, and automated processes for starting up and shutting down the
application. Program officials stated that they will review and prioritize
other activities for improving the system as part of the HETS redesign
project.

21 In batch processing mode, transactions are accumulated throughout a time period, then
transmitted at the end of a time period or when a certain number of transactions is
reached. Transactions are then submitted together in a “batch.” Real-time transactions are
submitted and processed one at a time as they occur.


CMS Established Policies and Procedures Intended to Address Privacy Principles and Assessed Impact and Risks of Sharing Data

                        The Privacy Act of 1974 and the HIPAA Privacy Rule protect personally
                        identifiable health information, such as Medicare beneficiary information,
                        to ensure that it is disclosed only under specified conditions and used
                        only for its intended purpose. In accordance with these privacy
                        protections, the information provided by HETS is to be used only for
                        confirming eligibility of patients to receive benefits for services provided
                        under the Medicare fee-for-service program. CMS is governed by the
                        Privacy Act and all covered entities that use HETS—health care
                        providers, clearinghouses, and Medicare contractors—are required to
                        comply with the HIPAA Privacy Rule.

                        In accordance with provisions of the Privacy Rule, the protected health
                        information provided by HETS is to be disclosed and used only for certain
                        activities. Among other activities, these include treatment of patients and
                        payment for services—the activities supported by the use of HETS.

                        CMS has taken actions intended to ensure that the personal health
                        information sent to and from the system is protected from misuse and
                        improper disclosure. For example, CMS documented in the HETS Rules
                        of Behavior that users must adhere to the authorized purposes for
                        requesting Medicare beneficiary eligibility data. Specifically, the rules
                        state that users are authorized to request information to determine
                        whether patients who were determined to be Medicare eligible are
                        covered for specific services that are to be provided at the point of care.
                        However, users are not authorized to request information for the sole
                        purpose of determining whether patients are eligible to receive Medicare
                        benefits.




According to program officials, CMS enforces its rules of behavior by
monitoring inquiries to identify behaviors that may indicate intentional
misuse of the data. For example, inquiries from one user that result in
high rates of errors or a high ratio of inquiries compared to the number of
claims submitted may indicate that a user is searching the system to
identify Medicare beneficiaries rather than using HETS for its intended
purpose. Users engaging in these types of behavior may be contacted or,
when appropriate, referred for investigation for inappropriate use of the
data, such as health care identity theft or fraudulent billing practices.
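The two monitoring signals described above, sketched as an added example that is not CMS's or GAO's code: it aggregates constructed inquiry records per submitter and flags any submitter whose error rate or inquiry-to-claim ratio is far above its peers. The record layout, submitter IDs, volume floor, and thresholds are all assumptions; the report gives none.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import median


def sample_inquiries():
    """Constructed data: one (submitter_id, outcome) tuple per inquiry."""
    rows = []
    rows += [("SUB-A", "ok")] * 950 + [("SUB-A", "error")] * 50
    rows += [("SUB-B", "ok")] * 480 + [("SUB-B", "error")] * 20
    rows += [("SUB-C", "ok")] * 300 + [("SUB-C", "error")] * 700   # mostly misses
    rows += [("SUB-D", "ok")] * 4000 + [("SUB-D", "error")] * 100  # few claims filed
    rows += [("SUB-E", "error")] * 8                                # too little data
    return rows


# Constructed data: claims submitted by each submitter over the same period.
SAMPLE_CLAIMS = {"SUB-A": 700, "SUB-B": 400, "SUB-C": 650, "SUB-D": 40, "SUB-E": 0}


@dataclass
class SubmitterStats:
    submitter: str
    inquiries: int
    errors: int
    claims: int

    @property
    def error_rate(self):
        return self.errors / self.inquiries

    @property
    def inquiries_per_claim(self):
        # Inquiries with no claims behind them at all is the extreme case.
        return float("inf") if self.claims == 0 else self.inquiries / self.claims


def summarize(inquiries, claims):
    """Roll raw inquiry records up into one SubmitterStats per submitter."""
    total, errors = Counter(), Counter()
    for submitter, outcome in inquiries:
        total[submitter] += 1
        if outcome == "error":
            errors[submitter] += 1
    return [SubmitterStats(s, total[s], errors[s], claims.get(s, 0))
            for s in sorted(total)]


def flag_submitters(stats, min_inquiries=100, peer_multiple=5.0, error_floor=0.10):
    """Return {submitter: [reasons]} for submitters far outside the peer baseline.

    Submitters below min_inquiries are skipped rather than flagged, because a
    handful of requests says nothing reliable about intent. error_floor keeps
    a near-zero peer median from turning ordinary typos into findings.
    """
    judged = [s for s in stats if s.inquiries >= min_inquiries]
    if not judged:
        return {}
    err_limit = max(peer_multiple * median(s.error_rate for s in judged), error_floor)
    ratio_limit = peer_multiple * median(s.inquiries_per_claim for s in judged)
    findings = {}
    for s in judged:
        reasons = []
        if s.error_rate > err_limit:
            reasons.append("error_rate")
        if s.inquiries_per_claim > ratio_limit:
            reasons.append("inquiry_to_claim_ratio")
        if reasons:
            findings[s.submitter] = reasons
    return findings


if __name__ == "__main__":
    for submitter, reasons in flag_submitters(
            summarize(sample_inquiries(), SAMPLE_CLAIMS)).items():
        print(submitter, "->", ", ".join(reasons))
```

A flag here is a lead for follow-up contact or referral, matching the report's description, not a finding of misuse on its own.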

Additionally, system documentation described mechanisms that were
implemented to prevent access by requesters with invalid provider
identifications or certain providers who have been excluded or suspended
from participating in the Medicare program. For example, CMS maintains
databases of National Provider Identifiers, another HIPAA standard. 22 The
eligibility request transactions submitted by HETS users include these
identifiers, and, before providing beneficiary data in response to requests,
the system validates the identifiers against data stored in an agency
database. Additionally, according to the HETS business owners,
providers who have been identified by HHS’s Office of Inspector General
and the General Services Administration as ones conducting activities
intended to defraud Medicare may be included on a “do not pay” list. 23 In
this case, providers excluded from the program would not “need to know”
information about patients’ personal health, including whether or not they
are eligible for Medicare benefits. According to HETS officials, these data
are also incorporated into the National Provider Identifier database that is
used to validate identifiers submitted to HETS and, as a result, these
excluded providers are also not allowed to receive information from the
system.

22 The National Provider Identifier is a unique identification number for covered health care
providers who, along with all health plans and health care clearinghouses, must use them
in the administrative and financial transactions adopted under HIPAA. Covered providers
must also share their National Provider Identifier with other providers, health plans,
clearinghouses, and any entity that may need it for billing purposes.
23 The HHS Office of Inspector General List of Excluded Individuals and Entities includes
all individuals and entities currently excluded from participating in federally funded health
care programs including Medicare and Medicaid. Exclusions are imposed for a number of
reasons including: (1) Medicare or Medicaid fraud, as well as any other offenses related to
the delivery of items or services under Medicare, Medicaid, the Children’s Health
Insurance Program, or other state health care programs; (2) patient abuse or neglect; (3)
felony convictions for other health care-related fraud, theft, or other financial misconduct;
and (4) felony convictions relating to unlawful manufacture, distribution, prescription, or
dispensing of controlled substances. The General Services Administration’s Excluded
Parties List System includes information on entities debarred, suspended, proposed for
debarment, excluded, or disqualified by federal government agencies from receiving
federal contracts or federally approved subcontracts and from certain types of federal
financial and nonfinancial assistance and benefits.

HETS system documentation also described mechanisms for securing
the data transmitted to and from HETS. For example, access to the
system is only allowed through CMS’s secured extranet. To gain access,
the providers and clearinghouses must first submit a Trading Partner
Agreement. In addition to including information needed to enable CMS
and its trading partners, or users, to establish connectivity and define data
exchange requirements, the agreement defines responsibilities for
securing the data of the entities receiving beneficiary eligibility information
from CMS. After users submit the agreement, CMS contacts them to
authenticate their identity and, once authentication has been determined,
CMS help desk staff provide the requester with a submitter ID that is
required to be included on all transactions. Users then may request
access to the CMS extranet from one of four network service vendors
which establish a secure software connection to the system. 24

The table below summarizes these and other actions CMS described that
address key HIPAA privacy principles relevant to the implementation of
HETS.




24 While there may be many individual users within each provider, supplier, clearinghouse,
and Medicare Administrative Contractors organization who access HETS, we refer to the
organizations themselves as the “users.”




Table 2: CMS’s Actions to Address Key HIPAA Privacy Principles

Principle: Uses and disclosures
Description: Limits the circumstances in which an individual’s protected health information may be used or disclosed by covered entities and provides for accounting of certain disclosures; requires covered entities to make reasonable efforts to disclose or use only the minimum necessary information to accomplish the intended purpose for the uses, disclosures, or requests, with certain exceptions such as for treatment or as required by law.
Actions by CMS:
- Documented in Rules of Behavior the authorized and unauthorized uses and disclosures of data.
- To ensure only entitled Medicare providers have access to beneficiary data, designed the system to validate the National Provider Identifiers included in each request transaction to ensure the provider is active and associated with the entity requesting data.
- Performed daily reviews to ensure that providers with invalid identifiers or who are excluded from participating in Medicare are not allowed to access beneficiary data through HETS.
- Monitored the number of error codes that were sent back to requestors in system responses. Officials stated that weekly error reports are reviewed to determine whether the 30 percent threshold for an accepted error rate has been exceeded. If so, CMS will follow up with the submitter and take actions as appropriate.
- Initially consulted with Medicare Administrative Contractors to determine the minimum amount of protected health information needed to accomplish the requestor’s purpose. Submitters may make recommendations to the help desk on an ongoing basis regarding additional information they would like to receive.

Principle: Notice
Description: Requires most covered entities to provide a notice of their privacy practices including how personal health information may be used and disclosed.
Actions by CMS:
- Informed users of their responsibility to comply with Privacy Act and HIPAA requirements through its website and by requiring users to agree and comply with requirements outlined in the Trading Partner Agreement and Rules of Behavior.

Principle: Security
Description: Requires covered entities to safeguard protected health information from inappropriate use or disclosure.
Actions by CMS:
- Secured the data transmitted to and from HETS by only allowing access to the system through CMS’s secured extranet.
- Authorized users based on their originating internet protocol address and CMS-issued user ID.
- Required users to protect data from inappropriate use or disclosure. For example, they must provide security measures, including their submitter IDs and passwords, to associate each with the particular personnel who initiated the eligibility inquiry; and must not disclose, lend, or transfer transaction identification numbers or password to other personnel. (a)

Principle: Opportunity to amend
Description: Gives individuals the right to request from covered entities changes to inaccurate or incomplete protected health information held in a designated record set.
Actions by CMS:
- Instructed beneficiaries to contact 1-800-MEDICARE to report inaccurate or incomplete information. In addition, beneficiaries are informed they can contact the Social Security Administration to correct their information.

Principle: Implementation of requirements
Description: Requires covered entities to analyze their own needs and implement solutions appropriate for their own environment based on a basic set of requirements for which they are accountable.
Actions by CMS:
- Required all users to complete a Trading Partner Agreement and make certain assurances. Among other things, users must: ensure Medicare data are only used to conduct Medicare business on behalf of Medicare providers; assume full responsibility for all submitted transactions; not make any disclosure of data that is not specifically authorized; not use data files for private gain or misrepresent themselves or CMS; and not browse or use data files for unauthorized or illegal purposes.

Source: GAO analysis of CMS data.
(a) In conducting our work, we did not review or test CMS’s controls for securing HETS data.


                                         Further, the E-Government Act of 2002 requires federal agencies to
                                         conduct privacy impact assessments, and the Office of Management and
                                         Budget (OMB) provides guidance to agencies conducting these
                                         assessments. 25 The act and OMB’s implementing guidance require that
                                         these assessments address: (1) what information is to be collected; (2)
                                         why the information is being collected; (3) the intended use of the
                                         information; (4) with whom the information will be shared; (5) what
                                         opportunities individuals have to decline to provide the information or to
                                         consent to particular uses of the information, and how individuals can
                                         grant consent; (6) how the information will be secured; and (7) whether a
                                         system of records is being created under the Privacy Act.

                                         According to the OMB guidance, agencies should conduct a privacy
                                         impact assessment before developing or procuring IT systems or projects
                                         that collect, maintain, or disseminate information in identifiable form from
                                         or about members of the public. Agencies are required to perform an
                                         update as necessary when a system change creates new privacy risks.
                                         Additionally, in a previous report, 26 we identified the assessment of
                                         privacy risks as an important element of the privacy impact assessment
                                         process to help officials determine appropriate privacy protection policies
                                         and techniques to implement those policies. We noted that a privacy risk
                                         analysis should be performed to determine the nature of privacy risks and



                                         25 OMB, Guidance for Implementing the Privacy Provisions of the E-Government Act of
                                         2002, Memorandum, M-03-22 (Washington, D.C.: Sept. 26, 2003).
                                         26 GAO, OPM Should Better Monitor Implementation of Privacy-Related Policies and
                                         Procedures for Background Investigations, GAO-10-849 (Washington, D.C.: September
                                         2010).




                     the resulting impact if corrective actions are not in place to mitigate those
                     risks.

                     CMS conducted a privacy impact assessment of HETS as called for by
                     the E-Government Act, and updated the assessment in April 2011. The
                     assessment addressed the seven OMB requirements for implementing
                     privacy provisions. For example, in addressing how HETS information
                     would be secured, it stated that the system is accessible only via the
                     CMS private network to authorized users. The assessment also stated
                     that the intended use of the system is to allow providers to confirm
                     patients’ enrollment in the Medicare program and provide information that
                     is needed to correctly bill for payment of claims. Additionally, as part of a
                     security risk assessment, program officials also completed a privacy risk
                     analysis of the system that addressed several privacy risks. For example,
                     CMS assessed privacy risks related to improper disclosure of the
                     protected health information processed by HETS and determined that the
                     risk level was low to moderate.

                     By establishing practices and procedures intended to protect the privacy
                     of Medicare beneficiaries’ personal health information, and assessing the
                     impact and risks associated with the use of HETS, CMS took required
                     steps to address privacy principles reflected by HIPAA, the HIPAA rules,
                     and the Privacy Act and has acted in accordance with OMB’s guidance
                     for protecting personally identifiable information. According to officials in
                     HHS’s Office for Civil Rights, no violations of the HIPAA Privacy Rule
                     resulting from the use and disclosure of data provided by HETS have
                     been reported since the system was implemented.


Agency Comments and Our Evaluation

                     In written comments on a draft of this report, signed by HHS’s Assistant
                     Secretary for Legislation (and reprinted in appendix III), the department
                     stated that it appreciated the opportunity to review the report prior to its
                     publication. The department added that it regretted the poor service that
                     resulted from operational problems in 2010 and early 2011 and that it is
                     continuing to take steps to maintain and improve the performance of the
                     system. The department also provided technical comments, which we
                     incorporated as appropriate.


                     As agreed with your offices, unless you publicly announce the contents of
                     this report earlier, we plan no further distribution until 30 days from the
                     report date. At that time, we will send copies to interested congressional
                     committees, the Secretary of HHS, the Administrator of CMS, and other
interested parties. In addition, the report will be available at no charge on
the GAO website at http://www.gao.gov. If you or your staff have any
questions about this report, please contact me at (202) 512-6304 or by
e-mail at melvinv@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last page
of this report. GAO staff who made key contributions to this report are
listed in appendix IV.

Sincerely yours,




Valerie C. Melvin
Director
Information Management and Technology Resources Issues




Appendix I: Objectives, Scope, and Methodology

              Our objectives were to (1) identify the operational status of HETS, (2)
              identify any steps CMS has taken to ensure users’ satisfaction and plans
              to take to ensure the performance of the system supports future
              requirements, and (3) describe CMS’s policies, processes, and
              procedures for protecting the privacy of beneficiary eligibility data
              provided by the system.

              To identify the operational status of HETS, we collected and analyzed
              documentation from program officials that described the use and daily
              operations of the system, such as reports on incoming transaction
              volume, response time, and downtime, along with documents that
              describe outcomes of the system, such as reported problems. To
              determine whether CMS provided the level of service agreed upon with
              HETS users, we compared the information we collected to business
              requirements defined in program and system plans, and to any
              agreements with users. Additionally, we obtained users’ views of the
              extent to which the current implementation of HETS satisfied their needs
              for timely information by holding structured interviews with selected
              representatives of providers; clearinghouses, which provide services for
              about 90 percent of Medicare providers; and a Medicare Administrative
              Contractor who used the system.

              The selected HETS users included three clearinghouses; two fee-for-
              service providers, including a visiting nurse agency and a medical
              equipment supplier; and one Medicare Administrative Contractor. Based
              on data provided by system performance reports for the week of March
              12th through the 18th 2012, we selected the highest volume users among
              each user type throughout the United States. The selected users
              submitted about 44 percent of the 14.5 million total transactions
              processed during the selected period of time. Specifically, the
              clearinghouses submitted a total of about 40 percent of the transactions,
              the Medicare contractor submitted about 2 percent, and the provider and
              supplier submitted less than 1 percent of the transactions, respectively.

              We discussed with the users their experiences and satisfaction with the
              level of service the system has provided over the last 2 years, and the
              results of CMS’s efforts to resolve any problems or system-related issues.
              In addition, we interviewed program officials knowledgeable of the
              management of the program to gain additional understanding of the
              agency’s practices for defining performance requirements for HETS
              contractors, and for managing and assessing their performance relevant
              to ensuring efficient operations of HETS. We also discussed with the
              users their experiences with other automated eligibility verification
systems provided by commercial health insurers. We held these
discussions to determine whether these officials could share any lessons
that could be beneficial to CMS in operating HETS.

To identify the steps that CMS has taken to ensure that HETS users
remain satisfied with the performance of the system and that the agency
plans to take to ensure the system provides the level of service needed to
support future requirements, we reviewed agency documents, such as
project timelines and system release notes, and reports of users’ calls to
the help desk. These documents described steps taken to address
problems reported by users, identified systems modifications to correct
problems, and showed patterns in the numbers of help desk calls over the
past 2 years. We also identified steps the agency initiated to help alleviate
problems introduced by increasing transaction volume as the number of
Medicare beneficiaries has increased over the past 2 years. Further,
through our review of relevant agency documents, contractors’
performance reports, and discussions with program officials, we identified
steps CMS took to assess contractors’ performance toward providing
efficient and quality service to users of HETS, and any necessary
corrective actions.

Additionally, we identified steps the agency plans to take toward defining
and addressing future requirements of the system that may be introduced
by increasing numbers of verification inquiries, and collected and
reviewed documentation that provided information about projected growth
in transaction volume as providers were faced with the need to conduct
HETS queries of more patients filing Medicare claims. We also collected
available program planning documentation that described long-term plans
for the system and assessed these plans against projections of future
requirements and recommendations from independent studies of CMS’s
implementation of HETS.

Finally, to describe the policies, processes, and procedures established
by CMS to ensure that the privacy of beneficiary eligibility data is
protected, we evaluated agency documentation such as HETS privacy
impact and risk assessments, and agreements with users that describe
CMS’s and users’ responsibilities and requirements for protecting the
data processed and provided by the system. We compared the
information from these documents to requirements and privacy practices
derived from provisions of the Privacy Act and the HIPAA Privacy Rule.
We also held a discussion with an official with HHS’s Office for Civil
Rights to determine whether any complaints related to the use of HETS
had been noted. In conducting our work, we did not review or test controls
implemented by the agency to secure the data processed by HETS.

We supplemented data collection for all objectives with interviews of
agency officials, including system and business owners, who were
knowledgeable of the system’s operations and improvements, contract
management and oversight, and requirements and practices for
protecting the privacy of personal health information. Among these
officials, we held discussions with directors in CMS’s Provider
Communications Group and the Business Applications Management
Group, Office of Information Services. We used computer-maintained
data provided by CMS program officials when addressing our first
objective, and we determined the reliability of these data by obtaining
corroborating evidence through interviews with agency officials who are
knowledgeable of the operations of the system and its user population.
We also conducted a reliability assessment of the data provided by CMS.
We found the data sufficiently reliable for the purposes of this review.




Appendix II: HETS Transaction Volumes and Response Times

                                          HETS program officials provided system-generated data that reflected the
                                          performance of the system in terms of the numbers of transactions
                                          processed each month and the response time in four categories. The
                                          data were provided for the time period beginning in January 2010, when
                                          the operational problems began to occur, through June 2012. Table 1
                                          shows the percentage of transactions that received responses from HETS
                                          in less than 3 seconds increased from 60.8 percent to 99.9 percent during
                                          this time period.

Table 3: Average System Response Time from January 2010 through June 2012

                                                   Average response time
                                                                                          10.00 seconds
              0.00 to 2.99 seconds   3.00 to 4.99 seconds      5.00 to 9.99 seconds         or greater                 Total
Transaction         No. of                 No. of                    No. of                  No. of                   No. of
month         transactions Percent   transactions Percent      transactions Percent    transactions Percent     transactions Percent
JAN2010                22     60.8     5,718,162       15.4       8,463,492     22.8       388,670        1.0    37,142,406    100.0
FEB2010                22     62.6     6,838,862       18.8       6,001,652     16.5       783,358        2.2    36,417,379    100.0
MAR2010                25     59.8     7,920,542       18.6       7,987,584     18.7     1,260,054        3.0    42,671,420    100.0
APR2010                25     65.1     6,093,526       15.3       6,184,566     15.6     1,603,757        4.0    39,737,985    100.0
MAY2010                22     59.3     6,251,411       16.3       6,077,201     15.8     3,294,441        8.6    38,425,237    100.0
JUN2010                23     57.0     6,174,717       15.0       4,630,307     11.3     6,837,504     16.7      41,042,812    100.0
JUL2010                23     56.1     5,517,503       13.2       6,224,177     14.9     6,634,920     15.8      41,878,066    100.0
AUG2010                21     46.6     5,084,218       11.3       6,098,451     13.5    12,910,684     28.6      45,094,278    100.0
SEP2010                20     44.9     6,992,241       15.1       4,409,053      9.5    14,158,528     30.5      46,421,571    100.0
OCT2010                17     38.3     5,425,982       11.6       7,763,758     16.6    15,737,988     33.6      46,895,475    100.0
NOV2010                22     47.9     8,518,739       18.0       9,757,929     20.7     6,328,228     13.4      47,228,391    100.0
DEC2010                26     59.5     8,600,280       19.0       6,806,922     15.0     2,976,122        6.6    45,363,725    100.0
JAN2011                33     59.9     6,843,604       12.3      10,935,377     19.7     4,505,490        8.1    55,551,107    100.0
FEB2011                46     92.7     2,832,250        5.6         657,735      1.3       174,920        0.3    50,436,189    100.0
MAR2011                52     96.3     1,489,091        2.7         522,921      1.0                             54,599,967    100.0
APR2011                48     95.7       781,124        1.5       1,027,342      2.0       355,643        0.7    50,406,932    100.0
MAY2011                52     97.6       773,042        1.4         177,683      0.3       355,971        0.7    53,840,105    100.0
JUN2011                52     96.1     1,018,495        1.9         990,908      1.8       139,290        0.3    54,729,824    100.0
JUL2011                51     95.0       454,101        0.8         443,551      0.8     1,835,663        3.4    54,547,111    100.0
AUG2011                60     97.1       662,293        1.1         864,661      1.4       296,853        0.5    62,005,174    100.0
SEP2011                60     98.3       525,761        0.9         368,796      0.6       157,610        0.3    61,816,134    100.0
OCT2011                57     99.0       122,630        0.2          24,304      0.0       407,222        0.7    57,839,549    100.0
NOV2011                54     99.7       163,137        0.3                                                      54,490,041    100.0
DEC2011                56    100.0                                                                               56,269,671    100.0
JAN2012                64     97.8       392,453           0.6              296,591       0.4       773,699        1.2    65,968,034    100.0
FEB2012                62     98.6       141,176           0.2              491,744       0.8       242,493        0.4    63,232,557    100.0
MAR2012                65     98.2       227,841           0.3              278,055       0.4       718,378        1.1    66,683,643    100.0
APR2012                61     99.7        61,172           0.1                   24,596   0.0        88,177        0.1    61,989,780    100.0
MAY2012                62     99.9                                                                   93,673        0.1    63,065,751    100.0
JUN2012                60     99.9                                               50,534   0.1         8,499        0.0    60,255,164    100.0
                                          Source: GAO analysis of agency data.




Appendix III: Comments from the Department of Health & Human Services




Appendix IV: GAO Contacts and Staff Acknowledgments

GAO Contacts
                  Valerie C. Melvin, (202) 512-6304 or melvinv@gao.gov

Staff Acknowledgments
                  In addition to the contacts named above, Teresa F. Tucker, Assistant
                  Director; Tonia D. Brown; LaSherri Bush; Sharhonda Deloach; Rebecca
                  Eyler; and Monica Perez-Nelson made key contributions to this report.




To Report Fraud, Waste, and Abuse in Federal Programs
                      Contact:
                      Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
                      Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations
                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400,
                      U.S. Government Accountability Office, 441 G Street NW, Room 7125,
                      Washington, DC 20548

Public Affairs
                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800,
                      U.S. Government Accountability Office, 441 G Street NW, Room 7149,
                      Washington, DC 20548



