Medicare: Improvements Needed to Enhance Protection of Confidential Health Information

Published by the Government Accountability Office on 1999-07-20.

United States General Accounting Office

GAO Report to the Chairman, Subcommittee on Health, Committee on Ways and Means, House of Representatives

July 1999

MEDICARE
Improvements Needed to Enhance Protection of Confidential Health Information

GAO/HEHS-99-140

United States General Accounting Office
Washington, D.C. 20548

Health, Education, and Human Services Division

B-282540

July 20, 1999

The Honorable Bill Thomas
Chairman, Subcommittee on Health
Committee on Ways and Means
House of Representatives

Dear Mr. Chairman:

The Health Care Financing Administration (HCFA) in the Department of
Health and Human Services (HHS) processes the nation’s largest collection
of health care data, with information on 39 million Medicare beneficiaries.
To discharge its responsibilities, HCFA must collect personally identifiable
health information on Medicare beneficiaries. Such information includes
names, addresses, and health insurance claim numbers as well as various
diagnoses and types of treatment received by beneficiaries. This
information is used by HCFA for a variety of purposes, including the
payment of approximately 900 million Medicare claims annually and the
conduct of research to evaluate policy, adjust payment rates, improve
program operations, improve health care quality, and make
recommendations for legislative changes to the Medicare program.

The personally identifiable information that HCFA collects on Medicare
beneficiaries is protected by the Privacy Act of 1974. This law, which
governs the collection, maintenance, and disclosure of federal agency
records, balances the government’s need to maintain information about
individuals with their right to be protected against unwarranted invasions
of their privacy. State laws also protect the privacy of certain personally
identifiable medical information, but these laws vary significantly in their
scope and the specific protections they afford. To create a more uniform
set of protections that would affect all users of confidential medical
information, the Health Insurance Portability and Accountability Act of
1996 (HIPAA) requires that, unless the Congress enacts a health privacy law
establishing standards for the electronic exchange of health information
by August 21, 1999, HHS must promulgate such standards by regulation
within the following 6 months.
In response to your request, we are reporting on four areas related to
HCFA’s use of personally identifiable health information: (1) HCFA’s need for
personally identifiable health information to manage the Medicare
program and accomplish other purposes; (2) HCFA’s policies and practices
regarding disclosure of information on Medicare beneficiaries; (3) the
adequacy of HCFA’s safeguards for protecting the confidentiality of
electronic information and HCFA’s monitoring of others’ protection of
beneficiary information; and (4) the effect on HCFA of state restrictions on
the disclosure of confidential health information. Appendix I contains a
discussion of our scope and methodology. We conducted our work from
April through June 1999 in accordance with generally accepted
government auditing standards.


Results in Brief

To carry out its legislated responsibilities, HCFA needs to collect and
maintain personally identifiable health information on its 39 million
Medicare beneficiaries. For example, it needs personally identifiable
information about beneficiaries’ demographics, enrollment, and utilization
of health care services to pay claims; determine the initial and ongoing
eligibility of beneficiaries; and review the care beneficiaries receive in
terms of access, appropriateness, and quality. HCFA also uses this
information in essential research activities that can lead to improvements
in rate-setting, services provided, and quality of care.

HCFA’s policies and practices regarding disclosure of personally
identifiable health information are generally consistent with the provisions
of the Privacy Act. For example, HCFA may disclose information without an
individual’s consent under certain circumstances, such as for research
purposes or authorized civil and criminal law enforcement activities. In
accordance with the Privacy Act, when determining whether to disclose
information, HCFA officials attempt to balance the information needs of
data requestors with the need to protect the confidentiality of personally
identifiable health information. HCFA screens requests for personally
identifiable information on Medicare beneficiaries from non-HCFA
researchers more thoroughly than requests from HCFA staff who need the
data to conduct the agency’s business. For example, non-HCFA researchers,
such as those funded by private foundations, must agree to a set of
conditions specifying how they will use the data and protect beneficiaries’
confidentiality, as well as provide details on how the disclosure of
information will address the goals of HCFA’s research program. However,
we found that HCFA cannot readily provide beneficiaries with an
accounting of the disclosures it makes, a capability called for by the
Privacy Act. Moreover, HCFA has not adequately provided oversight
agencies such as the Office of Management and Budget (OMB) with
complete information on its Privacy Act activities. In addition, HCFA does
not always clearly inform Medicare beneficiaries of the purposes for
which their information may be disclosed to other organizations, as
required by the Privacy Act. To address these issues, HCFA has established
a new executive Beneficiary Confidentiality Board and initiated a number
of actions in response to January 1999 OMB guidance to all agencies to
review information practices for compliance with the Privacy Act.

Although few complaints about Privacy Act violations have been made to
date, weaknesses in the implementation of HCFA’s policies could
potentially compromise the confidentiality of health information on
Medicare beneficiaries. Specifically, HHS’ Office of the Inspector General
(OIG) continues to find vulnerabilities in HCFA’s and its contractors’
management of electronic information that could lead to unauthorized
individuals reading, disclosing, or tampering with confidential information.
In addition, because HCFA does not routinely monitor contractors and
others, such as researchers, who use personally identifiable Medicare
information, its ability to prevent unauthorized disclosures or uses and to
provide timely corrective action for those that might occur is not assured.
HCFA officials told us they are in the process of addressing the OIG’s
findings. However, its ability to make progress in this area is currently
affected by the agency’s efforts to direct resources to address computer
requirements for the Year 2000 so that there will be no interruption of
services and claims payments for beneficiaries and providers.

Some states prohibit the disclosure of sensitive health-related information,
such as human immunodeficiency virus (HIV) status, except for specified
purposes. HCFA officials said that HCFA’s policy is to respect state laws
regarding sensitive health information that are more restrictive than
federal requirements, so HCFA has allowed states to withhold information
on HIV, acquired immunodeficiency syndrome (AIDS), and sexually
transmitted diseases (STD) for certain surveys of nursing home patients.
HCFA officials told us that these state laws have not prevented the agency
from receiving information necessary for paying claims. However, HCFA
may change its policy of allowing states to withhold this information as the
agency develops and implements payment systems that depend on
diagnostic information. If HCFA were restricted from receiving uniform
health information from across the country, its ability to set rates, monitor
quality, and conduct or support health-related research could be adversely
affected.

This report makes recommendations to HCFA to improve the protection of
confidential information on Medicare beneficiaries.




Background

The Medicare program, created by the Social Security Amendments of
1965 and administered by HCFA, was initially established to provide health
insurance for most persons aged 65 or older. In 1972, the program was
broadened to cover the disabled and patients with end-stage renal disease
(ESRD) who require dialysis or kidney transplants. Medicare consists of two
programs, each with its own enrollment, coverage, and
financing—Hospital Insurance (commonly referred to as Part A) and
Supplemental Medical Insurance (commonly referred to as Part B).
Medicare Part A helps pay for hospital care, hospice care, and
post-hospital care in skilled nursing facilities and by home health agencies.
Medicare Part B helps pay for doctors, outpatient hospital care, home
health care not covered under Part A, and other medical services such as
the services of physical and occupational therapists. In addition, the
Balanced Budget Act of 1997 created a new Part C, establishing
Medicare+Choice, which includes expansion of health plan options.

In protecting the confidentiality of health information of its beneficiaries,
HCFA’s activities, like those of other federal agencies, are governed by the
Privacy Act of 1974. The Privacy Act requires that agencies limit their
maintenance of individually identifiable records to those that are relevant
and necessary to accomplish an agency’s purpose. Federal agencies store
personally identifiable information in systems of records. A system of
records is a group of records, under the control of a federal agency, from
which information can be retrieved by the name of an individual or an
identifier such as a number assigned to the individual. The Privacy Act
defines a record as any item, collection, or grouping of information
maintained by an agency that contains an individual’s name or other
identifying information; for example, it could include information on
education, financial transactions, and medical history. Under the Privacy
Act, federal agencies must inform the public through publication in the
Federal Register of any establishment or revision of a system of records.
In the case of HCFA, 62 of its 81 systems of records relate directly to
Medicare beneficiaries.1 HCFA’s systems of records contain information
stored in electronic and paper form. HCFA stores personally identifiable
data on a Medicare beneficiary’s enrollment and entitlement to benefits;
demographic information such as age, race, ethnicity, and language
preference; and diagnoses and utilization of medical services.

The Privacy Act generally prohibits the disclosure of individuals’ records
without their consent. However, it allows the disclosure of information
without an individual’s consent under 12 circumstances called conditions
of disclosure, such as disclosure by a federal agency to its employees
based on their need for records to perform their duties. Another condition
of disclosure allows an agency to establish routine uses. These are uses of
the information determined by the agency to be compatible with the
purposes for which it is collected and which are published in the Federal
Register. Personally identifiable information can be disclosed when the
agency determines that the disclosure is for an established routine use.
While the Privacy Act permits agencies to disclose information, it does not
require that they do so; they can, for example, determine that in a
particular case the privacy interest outweighs the public interest in
disclosure. However, an agency must always disclose information
maintained about an individual to that individual at his or her request.

1 Its other systems of records contain information on Medicaid recipients, health care providers, and
HCFA employees.

A beneficiary may bring a civil action against HCFA for alleged Privacy Act
violations. These violations may include failure to grant an individual
access to his or her record, amend a record as requested, or properly
maintain an individual’s record with adverse consequences resulting for
the individual. Respective remedies include granting access to the record,
amending the record, and awarding a minimum of $1,000 in damages. In all
cases, successful plaintiffs also can be awarded attorney fees and litigation
costs.

Criminal penalties up to $5,000 may be assessed against an agency official
or employee who willfully discloses material to an agency or individual not
entitled to receive it, or willfully maintains a system of records without
meeting the notice requirements of the Act. Such penalties may also be
assessed against anyone who knowingly and willfully requests or obtains
agency records about an individual under false pretenses.

HCFA Needs Personally Identifiable Information on Medicare Beneficiaries

For HCFA, personally identifiable health information is essential to the
day-to-day administration of the Medicare program. Of most significance,
HCFA and its contractors need to use personally identifiable information on
patients and their diagnoses and treatments to pay approximately
900 million fee-for-service claims annually from providers, suppliers, and
others. HCFA also uses personally identifiable information to determine the
initial and ongoing eligibility of Medicare beneficiaries, determine
risk-adjusted payments, make monthly payments to more than 390
Medicare managed care plans, and track which managed care plans have
been selected by over 6 million Medicare beneficiaries.

HCFA and its contractors also use data containing personally identifiable
information to carry out essential program integrity activities by profiling
patients and providers to identify inappropriate claims and inappropriate
use of services, to prevent fraud and abuse, and to carry out investigations,
as well as for other purposes. Other HCFA activities that rely on personally
identifiable information include coordinating with insurers, employers,
and others in administering the Medicare Secondary Payer program;2
developing fee schedules and payment rates used in fee-for-service claims
processing; reviewing the access to, appropriateness of, and quality of care
received by beneficiaries; and conducting research and demonstrations
including the development and implementation of new health care
payment approaches and financing policies, and evaluating the effect of
HCFA’s programs on beneficiaries’ health status.


An example of how HCFA uses personally identifiable information to
improve the health of Medicare beneficiaries is the agency’s ongoing
campaign to increase influenza vaccination rates. Using individual
identifiers, HCFA links the bills it receives to its eligibility files to determine
age, gender, race, and geographic location of beneficiaries who have not
received influenza vaccinations. HCFA then works with community groups
to reach out to the specific groups and areas with low immunization rates.
HCFA staff told us that this outreach is helping the agency make progress
on meeting the Healthy People 2000 goals for immunization set by HHS.


HCFA Discloses Information About Medicare Beneficiaries for Authorized Purposes

When screening requests for identifiable information, HCFA determines
whether disclosure is authorized by the Privacy Act. It also uses different
levels of review depending upon the type of organization making a request
for information. HCFA’s policy and practice generally are to limit
disclosures to information needed to accomplish the requestor’s purposes.
However, we have found weaknesses in its recordkeeping system for
tracking and reporting on disclosures and its notices to beneficiaries that
their information could be disclosed.


HCFA Screens Requests for Personally Identifiable Information

In making decisions about whether to disclose information, HCFA’s primary
criterion is whether the disclosure is permitted under one of the 12
conditions of disclosure in the Privacy Act. HCFA officials view the
establishment of routine uses for each of its systems of records as a key
protection of personally identifiable information that could be disclosed to
federal agencies other than HHS or organizations outside of the federal
government. In screening requests for personally identifiable information
on beneficiaries, HCFA officials attempt to balance the information needs of
data requestors with the need to protect the confidentiality of
beneficiaries’ health information. HCFA can disclose information to publicly
and privately funded researchers and to public agencies such as the
Agency for Health Care Policy and Research and the Department of
Veterans Affairs for health services research projects; to qualified state
agencies for the purposes of determining, evaluating, or assessing cost,
effectiveness, or quality of health care services provided in a state; to
insurers, underwriters, employers who self-insure, and others for
coordination of benefits with the Medicare Secondary Payer program; to
the Bureau of the Census for census-taking purposes such as assuring an
accurate count of the aged; and to congressional offices acting on behalf
of beneficiaries.3

2 The Medicare Secondary Payer provision limits payment under Medicare if that payment has been
made or can reasonably be expected to be made from another source such as under a workmen’s
compensation law, automobile or liability insurance policy, or certain health plans. In such cases,
Medicare payments for items or services are conditional payments, and Medicare is entitled to
reimbursement from the other sources for the full amount of Medicare payments.

HCFA has different levels of review, depending upon the type of
organization making a request for information. According to HCFA policy,
HCFA employees and claims administration contractors are provided access
to personally identifiable information on Medicare beneficiaries only when
the use of such information is integral to the completion of their official
duties. The decision to permit access by HCFA staff is made by officials
throughout the agency who are responsible for various information
systems.

HCFA places additional requirements on other HHS employees and
contractors.4 They must submit written requests and signed data use
agreements to HCFA’s Office of Information Services indicating their
understanding of the confidentiality requirements of the Privacy Act and
HCFA’s data release policies and procedures. These policies and procedures
include a requirement that the data user will not publish or release
information that could permit deduction of a beneficiary’s identity.

Other federal agencies and nonfederal organizations, such as law
enforcement agencies and state governments, that seek information on
Medicare beneficiaries must meet another level of requirements. HCFA staff
in the Office of Information Services first determine whether the request
appears to fall within a routine use for that system of records or other
condition of disclosure as allowed by the Privacy Act. If so, they determine
whether the use is compatible with the purpose for which the information
was originally collected or is otherwise authorized. They also review the
request to ensure that all Privacy Act requirements and HCFA’s data release
policies are met. HCFA officials told us that they rely on the requesting
organization to provide the initial certification that its activities require the
personally identifiable information it is seeking. HCFA requires that the
organization submit a request on its letterhead providing the purpose for
which the data are needed, a description of the methodology or the project
in which the data will be used, the specific files being requested, the
criteria for data selections or searches, and a signed data use agreement.5
For civil or criminal law enforcement activities, HCFA requires a written
request from the head of the law enforcement agency or delegated official
which references the law to be enforced and the civil or criminal court
case number. When information is requested pursuant to a court order,
HCFA requires a copy of the court order and guidance from HCFA’s Office of
General Counsel.

3 GAO also receives personally identifiable information from HCFA. GAO’s right to receive such
information from federal agencies is not restricted by the Privacy Act. Federal law requires GAO to
maintain the same level of confidentiality for this information as is required of the source agency.

4 Although HHS’ OIG does not follow all HCFA disclosure policies, it abides by the Privacy Act and has
voluntarily signed a data use agreement with HCFA.

In screening requests for outside research projects, HCFA imposes yet
another level of requirements. When research requests are received from
researchers not funded by an HHS agency, HCFA officials told us that they
not only conduct a review to determine whether disclosure would be
permitted under the Privacy Act, but they also evaluate the requests to
determine if the purpose (1) requires the use of identifiable data, (2) is of
sufficient importance to warrant the risk to the individual that additional
exposure of the record might bring, and (3) is likely to be accomplished
because the project is soundly designed and properly financed. HCFA
officials review a detailed protocol or study design to evaluate whether the
proposed research will address the goals of HCFA’s own research program
and thus further knowledge of health care access, cost, quality, service
delivery, or financing. In the case of research funded by other HHS
agencies, HCFA requires, but does not itself review, a copy of the study
protocol approved by project officers in agencies such as the National
Institutes of Health and the Agency for Health Care Policy and Research.

Approval by the HCFA Administrator is required when researchers request
the names and addresses of Medicare beneficiaries from whom they wish
to collect new data. If the project is approved, the researcher must send
potential participants a special notification letter, signed by the HCFA
Administrator, indicating that HCFA is cooperating with the researcher by
providing a list of potential participants for the study. The letter indicates
that the beneficiaries are not required to participate in the research project
and that their Medicare benefits will not be affected by their decision.
Seven to 10 days after the HCFA letter is mailed, the researcher can contact
the beneficiaries directly to see if they wish to participate. In a recent
example, the HCFA Administrator approved a request from a university
researcher for a names and addresses file of Medicare beneficiaries in two
Pennsylvania cities for a study entitled, “Keeping Older Community
Members Safe in Their Homes.” This study, funded by the state of
Pennsylvania, consists of surveys and in-home interviews and is being
conducted to improve the in-home health and safety of the Medicare
beneficiary population by developing community action programs in the
two cities.

5 In the case of some organizations, such as the Medicare Payment Advisory Commission and GAO, a
data use agreement is requested, but not required.


HCFA Generally Limits Disclosures to Information Needed to Accomplish Purposes

HCFA officials told us their practice is to disclose the least amount of
personally identifiable information that will accomplish the requestor’s
purpose. HCFA generally provides one of three types of data files:
public-use files, which are stripped of identifying information on
beneficiaries; beneficiary-encrypted files, in which information is encoded
or redacted; and files which contain explicitly identifiable information,
such as health insurance claim numbers.6 HCFA officials told us that they
direct requestors whenever possible to either public-use files or to
beneficiary-encrypted files rather than to the files containing more
identifiable beneficiary information. HCFA does not generally customize
data files by removing elements for the specific purpose of reducing the
amount of personally identifiable information disclosed. HCFA officials told
us that removing elements is resource-intensive, but they are developing
software that would permit them to easily customize by data element.

Public-use files include some of the most frequently requested HCFA data
used for analyzing health care spending trends and formulating programs
to improve the quality and effectiveness of health care. Data elements that
can directly identify an individual and elements or combinations of
elements from which an individual’s identity can be deduced have been
removed from or summarized in these files. For example, date of birth may
be converted to an element containing 5-year age groups.

6 A health insurance claim number consists of the Social Security number of the primary Medicare
subscriber followed by a letter indicating whether the number belongs to the primary holder or the
spouse, as well as certain other information such as whether the beneficiary qualifies because of age
or disability.
HCFA staff said that beneficiary-encrypted files may meet requestors’ needs
when public-use files are not adequate. In beneficiary-encrypted files, HCFA
has encoded or removed the health insurance claim number, date of
service, beneficiary name, beneficiary zip code, provider information, or
other such elements. For example, a beneficiary’s health insurance claim
number would be redacted or encrypted. HCFA defines these files as
“implicitly” identifiable because they contain data elements that could be
combined or linked with other available information to deduce a
beneficiary’s identity.

Requestors may make a case to HCFA that they need files with explicitly identifiable information such as names, addresses, or health insurance claim numbers. As mentioned previously, HCFA officials have approved the disclosure of files with the names and addresses of Medicare beneficiaries. HCFA has provided researchers with data files containing health insurance claim numbers. For example, HCFA recently approved research requests for data from the Surveillance, Epidemiology, and End Results joint project conducted by HCFA and the National Cancer Institute, the ESRD file on patients receiving treatment for renal disease, and a variety of standard analytical files describing inpatient and other types of care received by Medicare beneficiaries.

Before HCFA discloses implicitly or explicitly identifiable information to other organizations, it generally requires the requestors to sign a data use agreement. By signing, a requestor agrees to abide by HCFA’s confidentiality requirements including safeguarding the data, prohibiting subsequent use of the data for a different purpose, and destroying or returning the data within a specified time period. For implicitly identifiable data (beneficiary-encrypted files), requestors also must agree that they will not attempt to identify any specific individual whose record is included in the file. Recipients of public-use files are not required to sign data use agreements because these files do not contain personally identifiable health information.

HCFA’s Recordkeeping System for Tracking and Reporting Has Weaknesses

HCFA is unable to readily fulfill the Privacy Act’s requirement to provide beneficiaries with an accounting of the disclosures made of their personally identifiable information. In addition, the agency is unable to give oversight agencies information on related Privacy Act activities. HCFA’s establishment of an executive-level beneficiary confidentiality board in May 1999 and actions it is taking in response to January 1999 guidance from OMB may help address these issues.

Although Medicare beneficiaries have the right under the Privacy Act to ask for and receive an accounting of disclosures of their personally identifiable information and to examine or amend their individual records, HCFA’s recordkeeping system is incapable of readily providing an accounting of disclosures to beneficiaries. The Privacy Act requires that this accounting include information on the nature and purpose of the disclosure and the name and address of the person or organization to whom the disclosure was made. HCFA staff told us that the agency’s computerized system for tracking disclosures cannot easily generate information for an individual beneficiary on disclosures made from HCFA’s systems of records. HCFA’s primary method of accounting for disclosures involves tracking data use agreements, which are filed by the names of requestors and not by HCFA’s systems of records. However, HCFA officials told us that they were not aware of requests from any beneficiaries for information about disclosures involving their personally identifiable information.

In addition, HCFA officials told us that they are developing a system that will more easily meet current OMB requirements and better account for disclosures of personally identifiable information made to other organizations. HCFA officials told us that, as directed by OMB, they have begun reviewing their recordkeeping of activities involving the Privacy Act. As a result of a May 14, 1998, presidential memorandum directing each agency to review its information practices to ensure compliance with the Privacy Act, OMB issued guidance in January 1999 stating that agencies can protect privacy by limiting the amount of information they maintain about individuals and ensuring that such information is relevant and necessary to accomplish an agency purpose. OMB has asked agencies to reevaluate the relevance and necessity of maintaining personally identifiable information on individuals, the appropriateness of current safeguards, and the continuing justification to disclose personally identifiable information for routine uses. OMB has also asked agencies to review their procedures for accounting for disclosures to improve individuals’ ability to determine who has seen their records, and when. HCFA has begun to address OMB’s guidance and officials told us they are reviewing routine uses permissible for HCFA’s systems of records.

In May 1999, HCFA also established a Beneficiary Confidentiality Board to review issues relating to the protection of confidential information, including HCFA’s policies and procedures for disclosing personally identifiable information. The Board will consist of selected members from HCFA’s executive council and will review strategic issues relating to the protection of confidential patient information. It will focus on balancing the privacy interests of Medicare beneficiaries with the public interest of HCFA’s need to collect and release individually identifiable information.


Weaknesses in HCFA’s recordkeeping system also affect its ability to report on its Privacy Act activities. The Privacy Act requires the President to make a biennial report to the Congress on the Privacy Act activities of the executive branch. To implement this provision of the Privacy Act, OMB requires executive branch agencies to report the number of individuals who have requested access to their files or have requested that the agency amend the information maintained in their files. However, HCFA officials told us they did not give HHS adequate information about Medicare beneficiaries for eventual submission to OMB. As a result of our discussions with them, HCFA officials have begun to revamp their information system to more effectively report on their Privacy Act activities in 2000, when the next biennial report is due.


Notifications to Beneficiaries That Their Information Could Be Disclosed Are Not Always Clear or Comprehensive

The Privacy Act requires federal agencies to permit individuals to determine what records pertaining to them are collected, maintained, used, or disseminated by federal agencies. The Privacy Act requires an agency to notify individuals of the following when it collects information: (1) the authority under which the agency is collecting the information, (2) the principal purpose for which the information is intended to be used, (3) routine uses that may be made of the information, and (4) whether the individual is required to supply the information and the effects on the individual of not providing it.[7] Although we found that some of HCFA’s Privacy Act notifications provide beneficiaries with all the information required by the Privacy Act, we found others to be deficient.

HCFA officials told us they use more than a dozen different Privacy Act notifications when collecting information from beneficiaries. Individuals are first exposed to a Medicare-related Privacy Act notice when they apply for Social Security retirement benefits and receive a multi-page Privacy Act notice. At age 65, approved Social Security retirement benefit applicants are automatically enrolled in Medicare and should receive other Privacy Act notifications whenever the agency collects information about them—such as when they separately enroll in Medicare Part B, receive medical care, participate in a survey, or enroll in a demonstration testing a new delivery or payment system. Health care providers must obtain and keep on file beneficiaries’ signatures attesting that they have been advised of the collection and use of their information. In the case of physician services, this is usually done the first time the beneficiary sees the physician. In the case of other services, such as a hospitalization, signatures are obtained at each encounter. However, HCFA officials told us that the agency does not require managed care plans to provide a Privacy Act notification for the 15 percent of Medicare beneficiaries enrolled in them. HCFA officials told us that, since all Medicare+Choice beneficiaries must also be enrolled in Medicare Parts A and B, HCFA relies on the Medicare Parts A and B enrollment notices as the primary vehicles through which these beneficiaries learn about Privacy Act requirements.

[7] The Privacy Act also requires a federal agency to permit individuals to gain access to information pertaining to them in the agency’s records, to have a copy made of the record, and to seek correction or amendment of the record.

Some of the HCFA Privacy Act notification forms we reviewed contain the required information; others do not tell beneficiaries the purposes for which their information may be disclosed outside of HCFA, or do so in an unclear fashion. For example, a form for beneficiaries receiving services in skilled nursing facilities provided the required information by advising beneficiaries why the information was being collected, and when the personally identifiable information could be disclosed outside the agency under the Privacy Act’s routine uses provision. It clearly advised that the information collected during a nursing home stay would be used to track changes in health and functional status over time to evaluate and improve the quality of care provided by nursing homes that participate in Medicare. In contrast, we found that the wording of the Privacy Act notice for the Medicare Enrollment Form for Part B services was cursory at best. The Part B form did not identify the routine uses that would be made of the beneficiary’s information. It provided only a vague reference to the Federal Register as a source for such information, and failed to provide specifics to help beneficiaries locate relevant sections of the Federal Register. We also found problems in a form used to collect information on ESRD beneficiaries; this form did not mention routine uses for the information collected and did not refer beneficiaries to sources that could provide this information.


Inadequate HCFA Safeguards Could Compromise Confidentiality

HCFA’s safeguards for protecting the confidentiality of Medicare beneficiaries’ health information are inadequate. Several audits conducted by the OIG point out weaknesses in how HCFA safeguards electronic information. In addition, HCFA has conducted only limited reviews of safeguards used by carriers and fiscal intermediaries in the last 2 years, and does not routinely monitor the confidentiality protections of other organizations receiving personally identifiable Medicare information. HCFA officials told us they are in the process of taking action to correct the weaknesses identified by the OIG. However, consistent with priorities established by OMB, HCFA has a moratorium on software and hardware changes until it is compliant with Year 2000 computer requirements.

HCFA Systems Security Manual Generally Follows OMB Guidance for Safeguarding Electronic Information

Under the Privacy Act, HCFA must establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records. OMB Circular A-130 provides agencies with guidance for safeguarding federal information resources, including paper and electronic records. Appendix III of the 1996 Circular provides detailed guidance on safeguarding electronic records and on management controls, such as assignment of responsibility for security, the development of a security plan, and ongoing review of security controls. It notes that a security plan should include mandatory periodic training in computer security and restricting users to the minimum access or type of access necessary to perform their jobs. A security plan is also expected to outline techniques for safeguarding the security of information and to establish a formal mechanism for responding to intruders or other incidents that can compromise the security of a computer system. HCFA’s systems security manual generally adheres to OMB’s guidance for safeguarding electronic information. In addition, HCFA’s policy for Internet usage requires encryption to protect data. It calls for authentication or identification procedures to ensure that both the sender and the recipient are known to each other and are authorized to receive and decrypt such information.


Problems With HCFA Safeguards Over Electronic Information

HHS’ OIG has identified control weaknesses in HCFA’s safeguarding of confidential information.[8] The OIG’s fiscal year 1997 and 1998 financial statement audits identified a variety of problems with safeguards for electronic information at HCFA’s central office and for selected Medicare contractors. The OIG reported that HCFA needs to implement an overall security structure to achieve security program objectives and discussed weaknesses in computer access controls (techniques to ensure that only authorized persons access the computer system), segregation of duties (the division of steps among different individuals to reduce the risk that a single individual could compromise security), and service continuity (the ability to recover from a security violation and provide service sufficient to meet the minimal needs of users of the system). The OIG also reported problems with controls over operating system software integrity and application development and change controls. System software controls are critical in preventing unauthorized and authorized users from circumventing security controls that permit an organization to monitor access to systems programs and files. Application development and change controls ensure that only authorized programs and modifications are implemented. Without proper controls, there is a risk that security features could be omitted or turned off—either inadvertently or deliberately.

[8] HHS/OIG, Report on the Financial Statement Audit of the Health Care Financing Administration for Fiscal Year 1996 (CIN: A-17-95-00096, July 17, 1997); HHS/OIG, Report on the Financial Statement Audit of the Health Care Financing Administration for Fiscal Year 1997 (CIN: A-17-97-00097, Apr. 24, 1998); and HHS/OIG, Report on the Financial Statement Audit of the Health Care Financing Administration for Fiscal Year 1998 (CIN: A-17-98-00098, Feb. 26, 1999). See also Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk (GAO/AIMD-98-92, Sept. 23, 1998). In February 1997, we designated information security as a high risk government operation. Government operations have been identified as high risk because of their greater vulnerabilities to waste, fraud, abuse, and mismanagement. See also High-Risk Series, An Update (GAO/HR-99-1, Jan. 1999).

As part of its work at 12 Medicare contractors for the fiscal year 1998 financial statement audit, the OIG noted that auditors were able to penetrate security and obtain access to sensitive Medicare data at five Medicare contractors. The auditors’ ability to do so without using their formal access privileges is of particular concern because unauthorized users can exploit this security weakness and compromise confidential medical data in several ways—for example, unauthorized individuals could be reading confidential data, disclosing it to others, and tampering with it.[9]

HCFA officials told us that they are in the process of taking actions to address the OIG’s financial statement audit findings. However, HCFA’s ability to make progress is currently affected by the agency’s efforts to address Year 2000 computer requirements so that there will be no interruption of services and claims payments for beneficiaries and providers. To be consistent with priorities established by OMB, HCFA has established a moratorium on software and hardware changes because of the need for compliance with Year 2000 requirements.[10] During its fiscal year 1999 financial statement audit, the OIG will evaluate the effectiveness of any corrective actions HCFA is able to implement.

[9] See also Financial Audit: 1998 Financial Report of the United States Government (GAO/AIMD-99-130, Mar. 31, 1999) and Auditing the Nation’s Finances: Fiscal Year 1998 Results Highlight Major Issues Needing Resolution (GAO/T-AIMD-99-131, Mar. 31, 1999).

[10] See Year 2000 Computing Challenge: Estimated Costs, Planned Uses of Emergency Funding, and Future Implications (GAO/T-AIMD-99-214, June 22, 1999) and Year 2000 Computing Crisis: Readiness Improving But Much Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, Jan. 20, 1999).

HCFA Does Not Systematically Monitor How Organizations Protect Data Confidentiality

Although HCFA has a process for monitoring systems security at its claims administration contractors (carriers and fiscal intermediaries), HCFA officials told us that competing demands and resource constraints have prevented them from monitoring whether these organizations follow OMB guidance for protecting the confidentiality of information. In addition, HCFA officials told us that they do not check whether organizations outside of HCFA are complying with the requirements of their data use agreements to protect the confidentiality of personally identifiable information.

HCFA’s regional offices have oversight responsibility for Medicare contractors. These offices are required to designate Systems Security Coordinators who (1) provide contractors with technical guidance as needed, (2) monitor compliance with systems security requirements, (3) report systems security problems and activities to the central office as needed, and (4) coordinate external audits and respond to findings. In addition, regional offices could potentially evaluate systems security through the Contractor Performance Evaluation (CPE) review process. CPE reviews are intended to evaluate Medicare contractors’ compliance with Medicare laws and regulations.

HCFA officials told us that, other than OIG reviews, there were no explicit onsite reviews of contractors’ security protections in fiscal years 1997 and 1998 because of resource constraints and the assignment of regional staff to assess contractor compliance with Year 2000 computer requirements. HCFA officials told us that they initiated reviews of network security in 1998 for 12 Medicare contracts at 4 of its 60 claims processing contractors.

HCFA officials also told us that they do not have a system for monitoring whether organizations outside of HCFA have established safeguards for personally identifiable health information received from the agency. When organizations sign data use agreements with HCFA, they agree to establish appropriate administrative, technical, and physical safeguards providing a level and scope of security not less than the level and scope of security established by OMB. HCFA relies on organizations to monitor their own compliance with the data use agreements.

Data use agreements include a requirement that those receiving information from HCFA use it only for its approved purpose. Researchers are not allowed to make subsequent use of data for a different purpose without obtaining new approval. An important provision of data use agreements requires the return or destruction of data upon completion of each project. HCFA officials told us that, in the past, they tracked the expiration date of data use agreements to determine whether to follow up on the disposition of the data. HCFA officials stated that due to resource constraints, there is a backlog of about 1,400 expired data use agreements; users have not been contacted to establish whether they will return the data to HCFA or destroy them. HCFA officials said they plan to reduce the backlog by one-half by September 30, 1999, and continue to make progress on it thereafter. Although HCFA does not systematically monitor compliance with its data use agreements, HCFA officials told us that they scan Internet web sites to see if information is being disseminated without HCFA approval. In addition, they said HCFA staff review research journals and publications to determine if researchers have used HCFA data without appropriate authorization. However, such methods only identify problems after sensitive data have been inappropriately used, and do not assure comprehensive oversight of the use of these data. The lack of HCFA monitoring of contractors and others who use personally identifiable Medicare information hampers HCFA’s ability to prevent the occurrence of problems and provide timely identification and corrective action for those that have occurred.
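The two recordkeeping gaps the report describes, the per-beneficiary accounting of disclosures that a requestor-name index cannot produce (the Privacy Act accounting discussion earlier in this section) and the backlog of expired data use agreements with no confirmed return or destruction of the data (the paragraph above), as an added example that is not code from the report or from HCFA. The registry, its field names and all identifiers, names, addresses and dates are constructed for illustration.

```python
"""Added example, not code from the GAO report or from HCFA: a disclosure-accounting registry
that answers the two questions the report says HCFA's recordkeeping cannot. Disclosures are
indexed by beneficiary (not only by requestor name), so a Privacy Act accounting for one
beneficiary can be produced with the nature and purpose of each disclosure and the recipient's
name and address; and data use agreements (DUAs) are tracked to their expiration so that expired
agreements with no recorded return or destruction of the data can be listed for follow-up.
All identifiers, names, addresses and dates are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

REPORT_DATE = date(1999, 7, 20)  # reference date for the expiration check


@dataclass(frozen=True)
class DataUseAgreement:
    dua_id: str
    requestor: str          # name of the receiving person or organization
    address: str            # address, required in a Privacy Act accounting
    purpose: str            # approved purpose; any other use needs new approval
    system_of_records: str  # the Privacy Act system the disclosed records were drawn from
    expires: date           # date by which the data must be returned or destroyed


@dataclass(frozen=True)
class Disclosure:
    dua: DataUseAgreement
    disclosed_on: date
    nature: str                 # what was disclosed, e.g. "explicitly identifiable inpatient file"
    beneficiary_ids: frozenset  # beneficiaries whose records are in the disclosed file


class DisclosureRegistry:
    def __init__(self):
        self._by_requestor = defaultdict(list)    # the index a DUA file cabinet already gives
        self._by_beneficiary = defaultdict(list)  # the index a per-beneficiary accounting needs
        self._agreements = {}                     # dua_id -> DataUseAgreement
        self._disposition = {}                    # dua_id -> "returned" or "destroyed"

    def record(self, disclosure):
        self._agreements[disclosure.dua.dua_id] = disclosure.dua
        self._by_requestor[disclosure.dua.requestor].append(disclosure)
        for bene in disclosure.beneficiary_ids:
            self._by_beneficiary[bene].append(disclosure)

    def accounting_for(self, beneficiary_id):
        """Privacy Act accounting for one beneficiary: date, nature and purpose of each
        disclosure and the name and address of the recipient, oldest first."""
        return [{"date": d.disclosed_on.isoformat(), "nature": d.nature,
                 "purpose": d.dua.purpose, "system_of_records": d.dua.system_of_records,
                 "recipient": d.dua.requestor, "address": d.dua.address}
                for d in sorted(self._by_beneficiary.get(beneficiary_id, []),
                                key=lambda d: d.disclosed_on)]

    def record_disposition(self, dua_id, action):
        """Close out an agreement once the recipient confirms return or destruction."""
        if action not in ("returned", "destroyed"):
            raise ValueError("disposition must be 'returned' or 'destroyed'")
        if dua_id not in self._agreements:
            raise KeyError(dua_id)
        self._disposition[dua_id] = action

    def expired_without_disposition(self, as_of):
        """The follow-up backlog: DUAs past expiration with no confirmed return or destruction."""
        return sorted(a.dua_id for a in self._agreements.values()
                      if a.expires < as_of and a.dua_id not in self._disposition)


def demo_registry():
    """Constructed data: two agreements, three disclosures, one agreement already expired."""
    reg = DisclosureRegistry()
    dua1 = DataUseAgreement("DUA-0001", "Example University", "1 Campus Way, Anytown",
                            "outcomes study of cardiac surgery", "Medicare inpatient file",
                            date(1999, 3, 31))
    dua2 = DataUseAgreement("DUA-0002", "Example Health Data Org", "2 Data St, Othertown",
                            "ESRD treatment analysis", "ESRD file", date(2000, 12, 31))
    reg.record(Disclosure(dua1, date(1998, 6, 1), "explicitly identifiable inpatient file",
                          frozenset({"BENE-0001", "BENE-0002"})))
    reg.record(Disclosure(dua2, date(1999, 1, 15), "beneficiary-encrypted ESRD file",
                          frozenset({"BENE-0002", "BENE-0003"})))
    reg.record(Disclosure(dua1, date(1999, 2, 1), "explicitly identifiable inpatient file (update)",
                          frozenset({"BENE-0001"})))
    return reg


if __name__ == "__main__":
    registry = demo_registry()
    for entry in registry.accounting_for("BENE-0002"):
        print(entry)
    print("expired, no disposition:", registry.expired_without_disposition(REPORT_DATE))
```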


Few Complaints of Privacy Act Violations Reported

HCFA said it has received and resolved 7 complaints of potential Privacy Act violations in the past 4 years. Six of the complaints involved contractors conducting research for HCFA, health data organizations, and individual researchers. The complaints were made by similar organizations or other researchers and involved potentially identifiable Medicare billing information posted on an Internet web site, data obtained for one research project used and published for a second without authorization from HCFA, and offers to share Medicare files at a national research conference. In these cases, HCFA provided direction to those involved to clarify and further sensitize researchers to Privacy Act requirements.

The seventh complaint was brought against HCFA and an individual researcher by a Medicare beneficiary. The Secretary of HHS received a complaint letter from an attorney representing a Medicare beneficiary who objected to two letters sent to her by a researcher from a major university medical school. The letters asked her to participate in a followup study of Medicare patients who had undergone a particular surgical treatment for heart disease. The beneficiary believed that the letters implied she was under an obligation to participate in the study and wanted to know how her medical history had been shared with the researcher. HCFA determined that its data on this beneficiary and others had been released to the researcher. While HCFA determined that appropriate data use agreements had been signed for both sets of data, the investigation also showed that the letters sent by the researcher may have been worded too strongly. In addition, the researcher failed to follow the HCFA notification procedure; instead of sending out the HCFA Administrator’s letter in advance of his own mailing, he merely attached it to his first letter to the beneficiary. HCFA sent a letter to the beneficiary’s attorney to explain the legal basis for the disclosure of the beneficiary’s information and to advise that participation in such research is completely voluntary. The letter also indicated that HCFA had taken steps to ensure that the beneficiary would not be contacted for further studies. HCFA received no further correspondence from the beneficiary or her attorney on this matter.

We found no lawsuits related to the Privacy Act brought by Medicare beneficiaries against HCFA, nor from our discussions with HCFA officials are we aware of any cases settled prior to or during litigation. Similarly, we found no evidence of criminal prosecutions for Privacy Act violations at HCFA.

HCFA reports that only one internal disciplinary action related to violations of HCFA’s confidentiality policies has occurred during the past 5 years. The incident involved an agency employee who was accessing beneficiary files more frequently than appeared necessary for performing his job functions. The employee admitted to looking at the files of famous people and was placed on administrative leave. He eventually signed an affidavit stating that the files had not been sold or shared with other persons and he was accordingly allowed to resign.

HCFA staff stated that HCFA has never terminated or modified a contract in response to a claims administration contractor’s breach of Privacy Act standards. However, HCFA officials reported that, in 1997, it received a report from one of its contractors that the contractor’s director of Medicare payment safeguards had taken a file from the workplace and shared it with her spouse, a doctor employed by the contractor as part of its private line of business. The file concerned an active fraud investigation of another doctor. According to HCFA, the contractor issued a letter of corrective action to remain in the employee’s record for 1 year.

Some States Restrict Disclosure of Sensitive Confidential Information

In its oversight of the Medicare program, HCFA necessarily deals with beneficiaries and providers from every state. The states have laws governing the confidentiality of health information which vary significantly, resulting in what has been called a patchwork system of protections. For example, in Minnesota, health records generally may not be disclosed by a provider without a patient’s consent. While an exception is made for records used in research, any release for research purposes requires, among other things, that the provider attempt to acquire a patient’s consent and determine that individually identifiable records are necessary, the researcher’s safeguards are adequate, and the researcher will not use the records for purposes other than the original request without the patient’s consent. In Florida, mental health records are confidential and may be disclosed only under limited circumstances. In Vermont, all individually identifiable information reported to the state’s cancer registry, used in cancer morbidity and mortality studies, is confidential and privileged and may be used only for the purposes of these studies.

In an effort to establish some degree of national uniformity, HIPAA requires
that, unless the Congress enacts a health privacy law establishing
standards for the electronic exchange of information by August 21, 1999,
the Secretary of HHS must promulgate such standards by regulation within
the following 6 months. The proposals Congress is considering differ in
the extent to which federal privacy protections would preempt state laws.

Conflicts between HCFA and the states involving medical record
disclosures have been minimal, according to HCFA officials, and HCFA’s
administration of the Medicare program has not been hindered because
HCFA officials believe all states permit information to be released as
needed for health care treatment and payment. If a state law prohibited
disclosure of information to HCFA that was critical for treatment or
payment purposes, and a federal statute required such disclosure, HCFA
officials told us that it would rely on the Supremacy Clause of the U.S.
Constitution[11] and its express statutory authority to obtain the necessary
records.

[11] U.S. Const. art. VI, cl. 2. The Supreme Court has construed the Supremacy Clause of the U.S.
Constitution to hold that federal law preempts state law where, for example (1) the state law directly
conflicts with federal law, (2) the federal legislative scheme leaves no room for state regulation, or
(3) the state statute frustrates or conflicts with the purposes of the federal law.

If information is not critical to HCFA operations, HCFA officials told us, HCFA
policy is to respect and abide by state laws that provide greater protection
for records than federal law or regulation. For example, when the states of
California and Washington notified HCFA that their state laws did not
authorize the disclosure of diagnostic information related to HIV/AIDS and
STDs, HCFA changed the system used to collect and analyze certain nursing
home information by allowing states to withhold diagnostic information
collected about their nursing home patients concerning HIV/AIDS and STDs.[12]
HCFA officials told us that 15 states have exercised this option by blanking
out HIV/AIDS or STD identifiable codes before submitting the requisite
information to HCFA.

According to HCFA officials, the deletion of diagnostic information
collected about nursing home patients concerning HIV/AIDS and STDs has
not generally affected its operations. They said that when the agency
developed its prospective payment system for skilled nursing facilities, it
did not use data on beneficiaries with HIV/AIDS and STDs in nursing homes
to set nursing home payment rates. Since HCFA began phasing in the skilled
nursing facility prospective payment system in 1998, however, it has
received requests for additional payment from providers who care for
HIV/AIDS patients. HCFA officials acknowledge that it now needs better
information on this population as it refines the new payment system for
skilled nursing facilities to ensure that beneficiaries with HIV/AIDS receive
the level of care required and that rates are adequate to provide for that
care. Similarly, HCFA officials told us that the agency will require diagnostic
information as it refines its other payment systems.


              In its role as administrator and overseer of the nation’s Medicare program,
Conclusions   HCFA must collect and maintain personally identifiable information on
              millions of beneficiaries to effectively operate and manage the program. In
              addition, HCFA and others require this information for essential research
              activities that can lead to improvements in the nation’s health care access,
              financing, and quality. As the steward of this confidential information,
              HCFA must balance privacy concerns of beneficiaries with its need to
              effectively manage the program. It must protect individuals’ health
              information from inappropriate disclosure.

              In carrying out this responsibility, HCFA has policies and practices that are
              generally consistent with the Privacy Act and OMB guidance to reduce the
              likelihood of inappropriate or inadvertent disclosures. In addition, HCFA’s
              protections may be strengthened by its recent establishment of a
              Beneficiary Confidentiality Board and actions taken in response to OMB

              12
                The information is used by HCFA to track changes in health and functional status of nursing home
              residents. The information system is known as the National Minimum Data Set (Resident Assessment
              Instrument) repository.



              Page 20                               GAO/HEHS-99-140 Confidentiality of Health Information
                  B-282540




                  guidance to reevaluate the relevance and necessity of maintaining
                  personally identifiable information. However, as the OIG reported, HCFA’s
                  information management systems continue to have vulnerabilities. In
                  addition, HCFA has not consistently monitored its contractors’ safeguards
                  for protecting confidential information. As a result, even though few
                  complaints have been made to date, confidential medical information may
                  be at risk. To be consistent with priorities set by OMB, HCFA has focused its
                  resources on ensuring that the agency and its contractors are compliant
                  with year 2000 computer requirements. Nonetheless, we believe that
                  reducing the vulnerabilities in its information systems and contractor
                  monitoring are important concerns that HCFA must address.

HCFA cannot readily provide beneficiaries with an accounting of
disclosures of information about them. The agency is also unable to
inform oversight agencies about certain Privacy Act activities. In addition,
HCFA does not have a formal system for monitoring organizations to whom
it discloses personally identifiable information. As a result, after data are
released to an organization, HCFA is unable to systematically reduce the
likelihood of inappropriate data use or identify instances of such misuse.

HCFA can also do a better job of informing beneficiaries that their
information could be disclosed. In addition, the agency should be better
able to track and report disclosures of Medicare records. Notification is
also inadequate. When new information is collected from beneficiaries and
they are notified of their rights under the Privacy Act, some of HCFA’s
notifications do not clearly tell Medicare beneficiaries the purposes for
which their information may be disclosed outside of HCFA.

If HCFA were restricted from receiving uniform health information from
across the country, internal operations such as rate-setting and monitoring
for quality assurance could be adversely affected. It could also affect the
ability of analysts in HCFA, other federal agencies, and nongovernmental
organizations to conduct policy analysis and health services research
because of the difficulty of complying with varying state laws. If the same
data elements and health information were not available from all states,
HCFA’s ability to conduct research and analysis to improve Medicare
policies may be compromised.


Recommendations

To improve HCFA’s protection of the confidentiality of personally
identifiable Medicare beneficiary information, we recommend that the
Administrator (1) correct the vulnerabilities identified in its information
management systems by the OIG; (2) systematically monitor contractors’
safeguards for protecting confidential information; (3) develop a system to
routinely monitor other organizations that have received personally
identifiable information on Medicare beneficiaries to help ensure that
information is used only as approved and to identify instances of misuse;
(4) ensure that all agency Privacy Act notifications convey the information
required by the Act in a manner that is clear and informative to
beneficiaries; and (5) implement a system that would permit HCFA to
respond in a timely fashion to beneficiary inquiries about the disclosure of
their information to others outside HCFA as well as to provide information
on Privacy Act activities to OMB and others.


Agency Comments

In a July 16, 1999, letter in response to a draft of this report, HCFA
concurred with our recommendations (see appendix II). HCFA said that it
recognizes its responsibility to protect the confidentiality of beneficiary
information and that it has policies and procedures to comply with the
provisions of the Privacy Act. However, it added that it could improve the
existing mechanisms for ensuring confidentiality. HCFA said that its
recently established Beneficiary Confidentiality Board is charged with
reviewing all existing HCFA policies and procedures governing the release
of Medicare data and developing new policies and procedures, where
necessary, to ensure the confidentiality of patient-identifiable health
information.

Specifically, HCFA concurred with our recommendations to correct the
vulnerabilities identified by the OIG in its information management system
and to systematically monitor contractors’ safeguards for protecting
confidential information. HCFA identified initiatives it has undertaken,
stated that progress has been made in many areas, and said that it will
intensify its efforts to put in place a comprehensive security initiative
when resources are freed from its efforts to address year 2000 computer
requirements. It also said that it is planning to incorporate security
oversight into its contractor performance evaluation efforts. While we
support all of these actions, we believe it is essential that HCFA evaluate the
effectiveness of any corrective actions it is able to implement.

HCFA also concurred with our recommendation to develop a system to
routinely monitor other organizations that have received personally
identifiable information to help ensure that information is used only as
approved and to identify instances of misuse. HCFA identified steps it is
taking to improve the process for monitoring how other entities use
confidential Medicare information. It said it is reviewing all of its data
disclosure procedures, exploring best practices of other agencies, and
developing recommendations to expand the role of the data custodian
within the organization that receives confidential information. In addition,
it is reviewing the feasibility of annually renewing data use agreements
and increasing its follow-up effort with researchers to verify they have
complied with data use agreements. We support all of these initiatives.
However, we believe HCFA should also examine the feasibility of expanding
its verification of compliance with data use agreements to all organizations
receiving confidential Medicare information and not limit its verification to
research organizations.

In regard to Privacy Act notifications, HCFA concurred with our
recommendation that the notifications contain the information required by
the Act in a manner that is clear and informative to beneficiaries. It said
that improving the forms will be a priority and it has begun action to
improve existing notices and ensure that new notices contain the required
Privacy Act information in a form understandable to beneficiaries. We
believe that implementation of these actions may better ensure that
Medicare beneficiaries understand how their personal health care
information might be used.

HCFA also concurred with our recommendation to implement a system that
would permit it to respond in a timely fashion to beneficiary inquiries
about the disclosure of their information to others outside of HCFA as well
as to provide information on Privacy Act activities to OMB. HCFA said it will
develop a system to respond to beneficiaries’ requests about the disclosure
of their information. It also said that it is developing a new tracking system
to create reports responsive to OMB and Privacy Act reporting
requirements.

HCFA also provided technical comments, which we incorporated where
appropriate.


We are sending copies of this report to other interested congressional
committees, the Honorable Donna E. Shalala, Secretary of Health and
Human Services; the Honorable Nancy-Ann Min DeParle, Administrator of
HCFA; and other interested parties. We will also make copies available to
others upon request.

Please contact me at (312) 220-7600 if you or your staff have any questions
concerning this report. Staff contacts and other contributors are listed in
appendix III.

Sincerely yours,




Leslie G. Aronovitz
Associate Director
Health Financing and Public Health Issues

Contents

Letter
Appendix I: Scope and Methodology
Appendix II: Comments From the Health Care Financing Administration
Appendix III: GAO Contacts and Staff Acknowledgments
Related GAO Products

Abbreviations

AIDS      acquired immunodeficiency syndrome
CPE       Contractor Performance Evaluation
ESRD      end-stage renal disease
HCFA      Health Care Financing Administration
HHS       Department of Health and Human Services
HIPAA     Health Insurance Portability and Accountability Act of 1996
HIV       human immunodeficiency virus
OIG       Office of Inspector General
OMB       Office of Management and Budget
STD       sexually transmitted disease

Appendix I

Scope and Methodology


We focused our work at HCFA on controls over the disclosure of personally
identifiable information involving Medicare beneficiaries. We interviewed
agency officials and reviewed documents they provided, including HCFA
policies and procedures related to safeguarding and disclosing personally
identifiable health information. We also reviewed OMB guidance related to
the Privacy Act. We reviewed financial statement audits of HCFA from HHS’
OIG, the HHS financial management fiscal year 1998 status report and 5-year
plan, and court cases related to the Privacy Act. In addition, we examined
the privacy protections of selected state laws and obtained comments
from agency officials about the current and future effect of such laws on
HCFA’s management of the Medicare program. We conducted our work
from April through June 1999 in accordance with generally accepted
government auditing standards.

Appendix II

Comments From the Health Care Financing
Administration

Appendix III

GAO Contacts and Staff Acknowledgments


GAO Contacts

Leslie G. Aronovitz, (312) 220-7600
Bruce D. Layton, (202) 512-6837

Staff Acknowledgments

In addition to those named above, Nancy Donovan, Bonnie L. Brown, Nila
Garces-Osorio, Julian Klazkin, Mary Reich, and Craig Winslow made key
contributions to this report.

Related GAO Products


Year 2000 Computing Challenge: Estimated Costs, Planned Uses of
Emergency Funding, and Future Implications (GAO/T-AIMD-99-214, June 22,
1999).

Year 2000 Computing Crisis: Readiness of Medicare and the Health Care
Sector (GAO/T-AIMD-99-160, Apr. 27, 1999).

Financial Audit: 1998 Financial Report of the United States Government
(GAO/AIMD-99-130, Mar. 31, 1999).

Auditing the Nation’s Finances: Fiscal Year 1998 Results Highlight Major
Issues Needing Resolution (GAO/T-AIMD-99-131, Mar. 31, 1999).

Medical Records Privacy: Access Needed for Health Research, but
Oversight of Privacy Protections Is Limited (GAO/HEHS-99-55, Feb. 24, 1999).

Year 2000 Computing Crisis: Readiness Improving, but Much Work
Remains to Avoid Major Disruptions (GAO/T-AIMD-50, Jan. 20, 1999).

Major Management Challenges and Program Risks: Department of Health
and Human Services (GAO/OGC-99-7, Jan. 1999).

Medicare Computer Systems: Year 2000 Challenges Put Benefits and
Services in Jeopardy (GAO/AIMD-98-284, Sept. 28, 1998).

Information Security: Serious Weaknesses Place Critical Federal
Operations and Assets at Risk (GAO/AIMD-98-92, Sept. 23, 1998).

Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov