Medicare: HCFA Needs to Better Protect Beneficiaries' Confidential Health Information

Published by the Government Accountability Office on 1999-07-20.

United States General Accounting Office

GAO Testimony
Before the Subcommittee on Health, Committee on Ways and Means,
House of Representatives

For Release on Delivery
Expected at 3:00 p.m.
Tuesday, July 20, 1999

MEDICARE

HCFA Needs to Better Protect Beneficiaries’ Confidential Health
Information

Statement of Leslie G. Aronovitz, Associate Director
Health Financing and Public Health Issues
Health, Education, and Human Services Division

GAO/T-HEHS-99-172

Mr. Chairman and Members of the Subcommittee:

We are pleased to be here today to discuss how the Health Care Financing
Administration (HCFA) protects personally identifiable health information
on Medicare beneficiaries. HCFA, an agency of the Department of Health
and Human Services (HHS), possesses the nation’s largest collection of
health care data, with information on 39 million Medicare beneficiaries. To
operate the Medicare program, HCFA must collect personally identifiable
information on Medicare beneficiaries, such as their names, addresses,
and health insurance claims numbers, as well as their diagnostic and
treatment information. HCFA uses this information for a variety of
purposes, including paying approximately 900 million Medicare claims
annually and conducting health-related research to improve quality of
care. When a person signs up for Medicare, he or she might not realize the
variety of uses HCFA makes of his or her personally identifiable information
or that this personal information may legitimately be disclosed by HCFA
outside the agency.

The personally identifiable information that HCFA collects on Medicare
beneficiaries is protected by the Privacy Act of 1974. This law, which
governs the collection, maintenance, and disclosure of federal agency
records, balances the government’s need to maintain information about
individuals with their right to be protected against unwarranted invasions
of their privacy. State laws also protect the privacy of certain personally
identifiable medical information, and vary significantly in their scope and
specific provisions. To create a more uniform set of protections, the
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
requires that, unless Congress enacts a health privacy law establishing
standards for the electronic exchange of health information by August 21,
1999, HHS must promulgate such standards within the following 6 months.

Today, we are releasing a report you requested that focuses on four areas
related to HCFA’s use of personally identifiable information.1 They are:

• HCFA’s need for personally identifiable health information to manage the
  Medicare program;
• HCFA’s policies and practices regarding disclosure of information on
  Medicare beneficiaries to other organizations;
• The adequacy of HCFA’s safeguards for protecting the confidentiality of
  electronic information and its monitoring of other organizations that
  obtain information on Medicare beneficiaries; and
• The effect on HCFA of state restrictions on the disclosure of confidential
  health information.

1 MEDICARE: Improvements Needed to Enhance Protection of Confidential Health Information
(GAO/HEHS-99-140, July 20, 1999).

To develop our findings, we interviewed HCFA officials and reviewed
documents HCFA provided on its confidentiality policies and procedures.
We also reviewed guidance from the Office of Management and Budget
(OMB) related to the Privacy Act, financial statement audits of HCFA from
the HHS Office of the Inspector General (OIG), and HCFA’s plan for
addressing problems identified in the OIG audits. In addition, we examined
the privacy protections of a number of state laws and obtained comments
from HCFA officials about the effects of such laws on the management of
the Medicare program.

In summary, we found that personally identifiable information on
Medicare beneficiaries is vital to the operation of the Medicare program,
and that HCFA can disclose such information to other organizations
consistent with provisions of the Privacy Act. HCFA has policies and
procedures for evaluating requests for disclosure of personally identifiable
health information, but HCFA’s confidentiality practices have a number of
weaknesses. These weaknesses include HCFA’s inability to easily provide
beneficiaries with an accounting of disclosures made of their personal
information and failure to always give them clear notification of the
purposes for which their personal information may be disclosed outside of
HCFA as required by the Privacy Act. Although few complaints of violations
have been reported to date, the OIG continues to report vulnerabilities
in HCFA’s safeguards for confidentiality of electronic information. These
vulnerabilities could lead to unauthorized individuals reading, disclosing,
or altering confidential information. Finally, potential conflicts exist
between HCFA and state laws regarding the disclosure of sensitive health
information. To date, conflicts have been minimal and the administration
of Medicare has not been hindered, according to HCFA officials, because all
states permit release of information for health care treatment and
payment. However, if the same data elements were not available from all
states, it might compromise HCFA’s ability to conduct research and analysis
to improve Medicare policies.


Background

In protecting the confidentiality of beneficiaries’ health information, HCFA’s
activities, like those of other federal agencies, are governed by the Privacy
Act of 1974. The Privacy Act requires that agencies limit their maintenance
of individually identifiable records to those that are relevant and necessary
to accomplish an agency’s mission. Federal agencies store personally
identifiable information in systems of records. A system of records is a
group of records under the control of a federal agency from which
information can be retrieved using the name of an individual or an
identifier such as a number assigned to the individual. The Privacy Act
defines a record as any item, collection, or grouping of information
maintained by an agency that contains an individual’s name or other
identifying information. A record, for example, could include information
on education, financial transactions, or medical history. Under the Privacy
Act, federal agencies must inform the public when they create a new
system of records or revise an existing system. This is done through
publication in the Federal Register. A new system of records is announced
when an agency wishes to collect new data. Sixty-two of HCFA’s 81 systems
of records relate directly to Medicare beneficiaries and include personally
identifiable data on a Medicare beneficiary’s enrollment and entitlement to
benefits; demographic information such as age, race, ethnicity, and
language preference; and diagnostic and treatment information. HCFA’s
systems of records contain information stored in electronic and paper
forms.

The Privacy Act generally prohibits the disclosure of individuals’ records
without their consent. However, it allows the disclosure of information
without an individual’s consent under 12 circumstances called conditions
of disclosure. One example is disclosure by a federal agency to its
employees based on their need for the records to perform their duties.
Another condition of disclosure allows an agency to establish routine uses
under which information can be disclosed to a data requestor. One routine
use, for example, could be disclosure to an individual or organization for a
research project related to an agency objective, such as prevention of
disease or disability in HCFA’s case. To establish a routine use, the agency
must determine that a use is compatible with the purposes for which the
information was collected and they must publish the notice of the routine
use in the Federal Register. While the Privacy Act permits agencies to
disclose information, it does not require that they do so; they can, for
example, determine that in a particular case, the individual’s privacy
interest outweighs the public interest in disclosure.




HCFA Needs Personally Identifiable Information on Medicare Beneficiaries

Personally identifiable information is essential to HCFA’s day-to-day
administration of the Medicare program. Of primary importance is the
need of the agency and its contractors to use personally identifiable
information on Medicare patients to pay approximately 900 million
fee-for-service claims annually. HCFA also uses this information to
determine the initial and ongoing eligibility of Medicare beneficiaries,
determine risk-adjusted payments, make monthly payments to about 400
Medicare managed care plans, and track which managed care plans have
been selected by over 6 million Medicare beneficiaries. HCFA and its
contractors use beneficiary claims data containing personally identifiable
information to prevent fraud and abuse; administer the Medicare
Secondary Payer program;2 develop fee schedules and payment rates used
in fee-for-service claims processing; review the access, appropriateness,
and quality of care received by beneficiaries; and conduct research and
demonstrations including the development and implementation of new
health care payment approaches and financing policies.


HCFA Discloses Information About Beneficiaries for Authorized Purposes

In screening requests for identifiable information, HCFA determines
whether disclosure is authorized by the Privacy Act. It also has different
levels of review depending upon the type of organization making a request
for information. HCFA’s policy and practice is generally to limit disclosures
to information needed to accomplish the requestor’s purposes. However,
we found weaknesses in its recordkeeping system for tracking and
reporting on disclosures and its notices to beneficiaries that their
information could be disclosed.

HCFA Screens Requests for Personally Identifiable Information

In making decisions about whether to disclose information, HCFA’s primary
criterion is whether the disclosure is permitted under a routine use or one
of the 11 other Privacy Act conditions of disclosure. HCFA can disclose
information under routine uses to publicly and privately funded
researchers and to public agencies such as the Agency for Health Care
Policy and Research for health services research projects; to qualified
state agencies for the purposes of determining, evaluating, or assessing
cost, effectiveness, or quality of health care services provided in a state;
and to insurers, underwriters, employers who self-insure, and others for
coordination of benefits with the Medicare Secondary Payer program.

2 The Medicare Secondary Payer provision limits payment under Medicare for otherwise covered items
or services if that payment has been made or can be reasonably expected to be made from another
source such as under a workmen’s compensation law, automobile or liability insurance policy, or
certain health plans. In such cases, Medicare payments for items or services are conditional payments
and Medicare is entitled to reimbursement from the other sources for the full amount of Medicare
payments.

When deciding whether to disclose personally identifiable information,
HCFA has different levels of review depending on the type of organization
making a request for information. According to HCFA policy, HCFA
employees and claims administration contractors are provided access to
personally identifiable information only when they require such
information to perform their official duties. Other federal agencies and
organizations, such as state governments and law enforcement agencies
seeking information on Medicare beneficiaries, must submit
documentation, such as a signed data use agreement that indicates their
acceptance of the confidentiality requirements of the Privacy Act and
HCFA’s data use policies and procedures. These policies and procedures
include a requirement that the data user will not publish or release
information that could allow deduction of a beneficiary’s identity. When
reviewing documentation from requestors, HCFA determines whether the
disclosure is permitted under a routine use for a system of records or
other condition of disclosure, as allowed by the Privacy Act. In screening
requests from outside researchers, HCFA also requires the submission of a
detailed study protocol. Further, researchers must receive approval from
the HCFA Administrator when they request the names and addresses of
Medicare beneficiaries they intend to contact to collect new data.


HCFA Generally Limits Disclosures to Information Needed to Accomplish Purposes

HCFA officials told us their practice is to disclose the least amount of
personally identifiable information that will accomplish the purpose of the
individual or organization making the request. HCFA generally provides one
of three types of data files—public-use files, beneficiary-encrypted files,
and files which contain explicitly identifiable information. Public-use files
are stripped of identifying information on beneficiaries and usually are
summarized data. Beneficiary-encrypted files are data sets in which HCFA
has encoded or removed the health insurance claim number, date of
service, beneficiary name, or beneficiary zip code. Explicitly identifiable
files contain such information as beneficiary names, addresses, and health
insurance claim numbers. HCFA officials said they direct requestors
whenever possible to either public-use files or to beneficiary-encrypted
files rather than to the files containing more identifiable beneficiary
information. However, when HCFA does disclose data files with personally
identifiable information, it generally does not customize them for the
specific purpose of reducing the amount of information disclosed. HCFA
officials told us that to do so would be a resource-intensive process;
however, they are now developing software that will permit them to easily
customize data elements in the future.
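The three file types above can be made concrete. The following is an added example, not HCFA’s software or code from the report, written to show how one claims extract is released at each tier and how a request is routed to the least identifying tier that serves it. Everything in it is assumed for illustration: the field names and the constructed sample claims, the keyed HMAC-SHA256 encoding of the claim number, ZIP-3 and year-month as the coarsened ZIP code and date of service, the small-cell suppression threshold in the public-use summary, and the purpose vocabulary used for routing. It also includes the per-request selection of data elements that the testimony says HCFA was still developing software for.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample claims (no real beneficiaries); field names are assumptions.
CLAIMS = [
    {"hicn": "123456789A", "name": "A. Example", "zip": "21244",
     "dos": "1998-03-14", "dx": "250.00", "paid": 120.50},
    {"hicn": "123456789A", "name": "A. Example", "zip": "21244",
     "dos": "1998-07-02", "dx": "401.9", "paid": 64.00},
    {"hicn": "987654321B", "name": "B. Example", "zip": "21201",
     "dos": "1998-03-20", "dx": "250.00", "paid": 310.00},
    {"hicn": "555555555C", "name": "C. Example", "zip": "90210",
     "dos": "1998-11-30", "dx": "496", "paid": 45.25},
]

# The four fields the testimony says are encoded or removed in the middle tier.
DIRECT_IDENTIFIERS = ("hicn", "name", "zip", "dos")


def pseudonym(hicn: str, key: bytes) -> str:
    """Keyed one-way encoding of the claim number. The same beneficiary gets the
    same token within one release (so records can still be linked), but the token
    cannot be turned back into a HICN without the key, which is never released."""
    return hmac.new(key, hicn.encode(), hashlib.sha256).hexdigest()[:16]


def explicit_file(records, data_elements=None):
    """Explicitly identifiable file, projected to the data elements the requester's
    protocol needs when a list is given (the per-request customisation the
    testimony says HCFA was building software for)."""
    if data_elements is None:
        return [dict(r) for r in records]
    keep = set(data_elements)
    return [{k: v for k, v in r.items() if k in keep} for r in records]


def beneficiary_encrypted_file(records, key: bytes):
    """Beneficiary-encrypted file: HICN encoded, name removed, ZIP and date of
    service coarsened. ZIP-3 and year-month are assumed granularities."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["bene_id"] = pseudonym(r["hicn"], key)
        row["zip3"] = r["zip"][:3]
        row["dos_month"] = r["dos"][:7]
        out.append(row)
    return out


def public_use_file(records, min_cell: int = 2):
    """Public-use file: claim counts and paid totals by diagnosis only. Any cell
    with fewer than min_cell claims is suppressed so that a lone beneficiary's
    diagnosis cannot be read off a summary table (threshold is an assumption)."""
    claims = Counter(r["dx"] for r in records)
    paid = Counter()
    for r in records:
        paid[r["dx"]] += r["paid"]
    return {dx: {"claims": n, "paid": round(paid[dx], 2)}
            for dx, n in sorted(claims.items()) if n >= min_cell}


def least_identifying_tier(purpose: str) -> str:
    """Route a request to the least identifying tier that serves its purpose;
    the purpose vocabulary is assumed for illustration."""
    tiers = {"aggregate-statistics": "public-use",
             "record-level-analysis": "beneficiary-encrypted",
             "beneficiary-contact": "explicit"}
    return tiers.get(purpose, "public-use")


if __name__ == "__main__":
    key = b"assumed-per-release-secret"
    print(public_use_file(CLAIMS))
    print(beneficiary_encrypted_file(CLAIMS, key)[0])
    print(explicit_file(CLAIMS, ["hicn", "dx"])[0])
```

The keyed encoding is what keeps the middle tier useful: records for one beneficiary still link within a release, but the key stays with the agency, so a token cannot be converted back into a claim number, and using a different key for each release prevents a recipient from linking beneficiaries across releases.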


HCFA’s Recordkeeping System for Tracking and Reporting Has Weaknesses

Although Medicare beneficiaries have the right under the Privacy Act to
ask for and receive an accounting of disclosures of their personally
identifiable information and to examine or amend their individual records,
HCFA’s recordkeeping system is incapable of readily providing an
accounting of disclosures to beneficiaries. The Act requires that the
accounting include information on the nature and purpose of the
disclosure and the name and address of the person or organization to
whom the disclosure was made. HCFA officials told us that the agency’s
computerized system for tracking disclosures cannot easily generate
information for an individual beneficiary on disclosures made from HCFA’s
system of records. Weaknesses in HCFA’s recordkeeping system also affect
its ability to report on its Privacy Act activities to oversight agencies such
as OMB.

HCFA officials also told us that they are working on improving their
recordkeeping system to better account for disclosures of personally
identifiable information made by the agency. HCFA officials said that, as
directed by OMB, they have begun reviewing their recordkeeping for
Privacy Act activities. In January 1999, OMB released guidance based on a
May 14, 1998, presidential memorandum directing each agency to review
its information practices to ensure compliance with the Privacy Act. HCFA
has begun to address OMB guidance and officials told us that they are
reviewing routine uses that allow disclosure of Medicare beneficiaries’
information. In May 1999, HCFA established an executive-level Beneficiary
Confidentiality Board to review strategic confidentiality issues including
HCFA’s policies and procedures for disclosing personally identifiable
information.


Weaknesses Exist in Notifications to Beneficiaries That Their Information Could Be Disclosed

The Privacy Act requires federal agencies to permit an individual to find
out what records pertaining to him or her are collected, maintained, used,
or disseminated by the agencies. The Act requires an agency to notify
individuals of the following when it collects information: (1) the authority
under which the agency is collecting the information, (2) the principal
purpose for the information, (3) routine uses that may be made of the
information, and (4) whether the individual is required to supply the
information and the effects on the individual of not providing it.

HCFA officials told us they use more than a dozen different Privacy Act
notifications when collecting information from beneficiaries. Individuals’
first exposure to a Medicare-related Privacy Act notice is usually at the
time of their application for Social Security retirement benefits, when they
are provided with a multi-page Privacy Act notice. Approved Social
Security retirement benefit applicants are automatically enrolled in
Medicare at age 65. Beneficiaries should receive other Privacy Act
notifications whenever HCFA collects information about them—for
example, if they separately enroll in Supplemental Medical Insurance
(Medicare Part B), receive medical care, or participate in a survey or a
demonstration project.3

While some of the HCFA Privacy Act notification forms we reviewed
contain the required information, we found that others do not tell
beneficiaries the purposes for which their information may be disclosed
outside of HCFA, or they do so in an unclear fashion. For example, a form
for beneficiaries receiving services in skilled nursing facilities provided the
required information, but the Privacy Act notice for Medicare Part B
enrollment did not identify the routine uses that would be made of the
beneficiary’s information and provided only a vague reference to the
Federal Register as a source for such information. We found similar
problems in a form used to collect information on end-stage renal disease
beneficiaries.


Inadequate HCFA Safeguards Could Compromise Confidentiality

Although the procedures specified in HCFA’s systems security manual
generally adhere to OMB’s guidance for safeguarding electronic
information, the OIG has identified serious control weaknesses with HCFA’s
safeguarding of confidential information.4 The OIG’s audits of fiscal years
1997 and 1998 financial statements identified a variety of problems with
HCFA’s safeguards for electronic information at HCFA’s central office and for
selected Medicare claims administration contractors. The OIG reported the
need for HCFA to implement an overall security structure and discussed
weaknesses in the following areas: computer access controls (techniques
to ensure that only authorized persons access the computer system),
segregation of duties (the division of steps among different individuals to
reduce the risk that a single individual could compromise security), and
service continuity (the ability to recover from a security violation and
provide service sufficient to meet the minimal needs of users of the
system). The OIG also reported problems with controls over operating
system software integrity and application development and change
controls. However, HCFA has reported few complaints of potential Privacy
Act violations.

3 Medicare Part B helps pay for doctors, outpatient hospital care, and other medical services such as
physical and occupational therapy.

4 HHS/OIG, Report on the Financial Statement Audit of the Health Care Financing Administration for
Fiscal Year 1996 (CIN: A-17-95-00096, July 17, 1997); HHS/OIG, Report on the Financial Statement
Audit of the Health Care Financing Administration for Fiscal Year 1997 (CIN: A-17-97-00097, Apr. 24,
1998); HHS/OIG, Report on the Financial Statement Audit of the Health Care Financing Administration
for Fiscal Year 1998 (CIN: A-17-98-00098, Feb. 26, 1999). See also Information Security: Serious
Weaknesses Place Critical Federal Operations and Assets at Risk (GAO/AIMD-98-92, Sept. 23, 1998).

When the OIG conducted work at 12 Medicare contractors for its fiscal year
1998 audit, auditors were able to penetrate security and obtain access to
sensitive Medicare data at 5 of them. The auditors’ ability to do so without
using their formal access privileges is of particular concern because
unauthorized users can exploit this security weakness in several ways and
compromise confidential medical data.

Agency officials told us they are in the process of taking action to correct
the weaknesses identified by the OIG. However, HCFA’s ability to make
progress is currently affected by the agency’s efforts to address computer
requirements for the year 2000 so that there will be no interruption of
services and claims payments. HCFA, consistent with priorities established
by OMB, has a moratorium on software and hardware changes until it is
compliant with year 2000 computer requirements. During its fiscal year
1999 financial statement audit, the OIG will evaluate the effectiveness of
any corrective actions that HCFA is able to implement.


HCFA Does Not Systematically Monitor How Organizations Protect the Confidentiality of Medicare Data

Although HCFA has a process for monitoring systems security at its claims
administration contractors, agency officials told us that competing
demands and resource constraints have prevented them from monitoring
whether these organizations follow OMB guidance for protecting the
confidentiality of information. HCFA officials told us that, other than OIG
reviews, there were no explicit on-site reviews of contractors’ security
protections in fiscal years 1997 and 1998 because of resource constraints
and the assignment of staff to assess contractor year 2000 computer
requirements. However, HCFA did initiate reviews of network security in
1998 for 12 Medicare contracts at 4 of its 60 claims processing contractors.

In addition, HCFA officials told us that they do not have a system for
monitoring whether organizations outside of HCFA have established
safeguards for personally identifiable information received from the
agency. When organizations sign data use agreements with HCFA, they
agree to establish appropriate administrative, technical, and physical
safeguards, providing a level and scope of security that is not less than the
level and scope established by OMB. Data use agreements also include
requirements that those receiving information from HCFA use the data only
for their HCFA-approved purpose and that the data be returned to HCFA or
destroyed upon completion of the project. HCFA does not systematically
monitor how the data are being used. Although the agency follows up on
expired data use agreements, HCFA currently has a backlog of about 1,400
expired agreements. It expects to reduce the backlog by one-half by
September 30, 1999.
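The two recordkeeping gaps described in this testimony (an accounting of disclosures that cannot readily be produced for an individual beneficiary, and expired data use agreements that must be followed up by hand) both come down to how the disclosure log is structured. The following is an added example, not HCFA’s system or code from the report: a small SQLite ledger with an assumed schema in which every disclosure carries the Privacy Act accounting elements, is indexed by beneficiary, and is tied to the data use agreement it was made under, so that one beneficiary’s accounting and the list of expired agreements whose data has not been returned or destroyed are each a single query. The agreement identifiers, recipients, and disclosures are constructed sample rows.

```python
import sqlite3

# Assumed schema for an added illustration; this is not HCFA's system.
SCHEMA = """
CREATE TABLE dua (
    dua_id        TEXT PRIMARY KEY,
    recipient     TEXT NOT NULL,
    address       TEXT NOT NULL,
    purpose       TEXT NOT NULL,
    expires       TEXT NOT NULL,   -- ISO date the agreement expires
    data_disposed TEXT             -- ISO date data was returned/destroyed, else NULL
);
CREATE TABLE disclosure (
    disclosure_id     INTEGER PRIMARY KEY,
    hicn              TEXT NOT NULL,
    system_of_records TEXT NOT NULL,
    disclosed_on      TEXT NOT NULL,
    nature            TEXT NOT NULL,   -- which data elements went out
    dua_id            TEXT NOT NULL REFERENCES dua(dua_id)
);
-- The index is the whole point: with it, one beneficiary's accounting is a
-- lookup rather than a scan of every disclosure ever made.
CREATE INDEX disclosure_by_beneficiary ON disclosure(hicn, disclosed_on);
"""


def open_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def register_dua(conn, dua_id, recipient, address, purpose, expires):
    conn.execute("INSERT INTO dua VALUES (?, ?, ?, ?, ?, NULL)",
                 (dua_id, recipient, address, purpose, expires))


def agreement_status(conn, dua_id, on) -> str:
    """'ok', 'missing' or 'expired' for a disclosure dated `on` (ISO string)."""
    row = conn.execute("SELECT expires FROM dua WHERE dua_id = ?", (dua_id,)).fetchone()
    if row is None:
        return "missing"
    return "expired" if on > row[0] else "ok"


def record_disclosure(conn, hicn, system_of_records, disclosed_on, nature, dua_id):
    """Log a disclosure; refuse if there is no current agreement to disclose under."""
    status = agreement_status(conn, dua_id, disclosed_on)
    if status != "ok":
        raise ValueError(f"data use agreement {dua_id} is {status}")
    conn.execute(
        "INSERT INTO disclosure (hicn, system_of_records, disclosed_on, nature, dua_id) "
        "VALUES (?, ?, ?, ?, ?)",
        (hicn, system_of_records, disclosed_on, nature, dua_id))


def accounting_for(conn, hicn):
    """The Privacy Act accounting for one beneficiary: date, nature and purpose of
    each disclosure, and the name and address of the recipient."""
    rows = conn.execute("""
        SELECT d.disclosed_on, d.system_of_records, d.nature,
               a.purpose, a.recipient, a.address
        FROM disclosure d JOIN dua a ON a.dua_id = d.dua_id
        WHERE d.hicn = ?
        ORDER BY d.disclosed_on""", (hicn,)).fetchall()
    keys = ("date", "system_of_records", "nature", "purpose", "recipient", "address")
    return [dict(zip(keys, r)) for r in rows]


def expired_agreements_with_data(conn, as_of):
    """Agreements past expiry with no recorded return or destruction of the data:
    the follow-up backlog the testimony describes."""
    return [r[0] for r in conn.execute(
        "SELECT dua_id FROM dua WHERE expires < ? AND data_disposed IS NULL ORDER BY dua_id",
        (as_of,))]


def certify_disposal(conn, dua_id, on):
    conn.execute("UPDATE dua SET data_disposed = ? WHERE dua_id = ?", (on, dua_id))


def demo_ledger() -> sqlite3.Connection:
    """Constructed sample agreements and disclosures (no real data)."""
    conn = open_ledger()
    register_dua(conn, "DUA-001", "Example University", "1 Campus Way, Anytown",
                 "health services research", "1998-12-31")
    register_dua(conn, "DUA-002", "Example State Agency", "2 State St, Capital City",
                 "assessment of quality of care in the state", "2000-06-30")
    record_disclosure(conn, "123456789A", "Part B claims", "1998-02-01",
                      "claims with HICN and dates of service", "DUA-001")
    record_disclosure(conn, "987654321B", "Part B claims", "1998-02-01",
                      "claims with HICN and dates of service", "DUA-001")
    record_disclosure(conn, "123456789A", "Enrollment database", "1999-03-15",
                      "enrollment and demographic elements", "DUA-002")
    return conn


if __name__ == "__main__":
    ledger = demo_ledger()
    for entry in accounting_for(ledger, "123456789A"):
        print(entry)
    print("expired, data not returned:", expired_agreements_with_data(ledger, "1999-07-20"))
```

Two design choices carry the weight here: the disclosure row points at the agreement rather than copying the recipient’s details, so the accounting always reflects who actually holds the data, and a disclosure cannot be logged against a missing or expired agreement, which turns the agreement check from a paperwork step into a control.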

HCFA’s failure to monitor contractors and others who use personally
identifiable Medicare information hampers HCFA’s ability to prevent the
occurrence of problems and to provide timely identification and corrective
action for those that have occurred.


Few Complaints of Privacy Act Violations Reported

The agency identified 7 complaints of potential violations of the Privacy
Act it has received and resolved in the past 4 years. Six complaints
involved contractors conducting research for HCFA, health data
organizations, and individual researchers; the seventh complaint was
made by a Medicare beneficiary’s attorney. The first six complaints were
raised by similar organizations or other researchers and involved posting
of potentially identifiable Medicare billing information on an Internet
website, using and publishing data in a second research project without
authorization from HCFA, and offering to share Medicare files at a national
research conference. In the first six cases, HCFA provided direction on
Privacy Act requirements to those involved. In the seventh case, HCFA
provided the beneficiary’s attorney with a letter addressing the issues
raised.

HCFA reported only one internal disciplinary action within the past 5 years
relating to violations of HCFA’s confidentiality policies. This incident
involved an agency employee who was accessing beneficiary files more
frequently than appeared necessary for performing his job. The employee
admitted to looking at files of famous people. He was placed on
administrative leave and later signed an affidavit stating that the files had
not been sold or shared with other persons; accordingly, he was allowed
to resign.




                            Page 9                                                       GAO/T-HEHS-99-172
                         Medicare: HCFA Needs to Better Protect
                         Beneficiaries’ Confidential Health
                         Information




Some States Restrict Disclosure of Sensitive Confidential Information

In its oversight of the Medicare program, HCFA necessarily deals with
beneficiaries and providers from every state. States have laws governing
the confidentiality of health information. For example, in Florida, mental
health records are confidential and may be disclosed only under limited
circumstances. State laws vary significantly, resulting in what has been
called a patchwork system of protections.

Conflicts between HCFA and the states involving medical record
disclosures have been minimal, according to HCFA officials, and HCFA
officials believe the agency’s administration of the Medicare program has
not been hindered because all states permit release of information for
health care treatment and payment. If a state law prohibited disclosure of
information to HCFA that was critical for these purposes, and a federal
statute required such disclosure, HCFA officials told us that the agency
would rely on the Supremacy Clause of the U.S. Constitution and its express
statutory authority.[5]

HCFA officials told us that if information is not critical to HCFA operations,
HCFA’s policy is to respect and abide by state laws that provide greater
health records protection than would otherwise be required by federal law
or regulation. For example, when California and Washington notified HCFA
that laws in their states did not authorize the disclosure of diagnostic
information related to the human immunodeficiency virus (HIV), acquired
immunodeficiency syndrome (AIDS), and sexually transmitted diseases
(STD), HCFA changed the system used to collect and analyze certain nursing
home information by allowing the states to withhold diagnostic
information collected about HIV/AIDS and STDs for their nursing home
patients.[6] HCFA told us that 15 states have exercised this option by
blanking out identifiable codes for HIV/AIDS or STDs before submitting the
requisite information to HCFA. According to HCFA officials, the deletion of
diagnostic information collected about HIV/AIDS and STDs for nursing home
patients generally has not affected its operations. However, HCFA officials
told us that the agency will require diagnostic information as it refines
its new prospective payment system for skilled nursing facilities as well
as its other payment systems and may, therefore, need to change its policy
of allowing states to withhold information.

[5] U.S. Const. Art. VI, cl. 2. The Supreme Court has construed the
Supremacy Clause of the U.S. Constitution to hold that federal law preempts
state law where, for example: (1) the state law directly conflicts with
federal law, (2) the federal legislative scheme leaves no room for state
regulation, or (3) the state statute frustrates or conflicts with the
purposes of the federal law.

[6] The information is used by HCFA to track changes in health and
functional status of nursing home residents. The information system is
known as the National Minimum Data Set (Resident Assessment Instrument)
repository.

Restricting HCFA from receiving uniform health information across the
country could adversely affect internal operations such as rate-setting and
monitoring for quality assurance. It could also affect the ability of analysts
in HCFA, other federal agencies, and nongovernmental organizations to
conduct policy analysis and health services research because of the
difficulty in complying with varying state laws. If the same data elements
and health information were not available from all states, HCFA’s ability to
conduct research and analysis to improve Medicare policies might be
compromised.


Conclusions and Recommendations

In its role as administrator and overseer of the nation’s Medicare program,
HCFA must collect and maintain personally identifiable information on
millions of beneficiaries to effectively operate and manage the program.
As a steward of confidential information, HCFA must balance its need to
effectively manage the Medicare program with the privacy concerns of its
beneficiaries. HCFA must protect beneficiaries’ health information from
inappropriate or inadvertent disclosures.

We found that HCFA’s policies and practices are generally consistent with
Privacy Act protections. However, we also found that the agency needs to
do a better job implementing and enforcing certain protections. As the OIG
has reported, HCFA continues to have vulnerabilities in its information
management systems. In addition, HCFA has not consistently monitored its
claims administration contractors’ safeguards for protecting confidential
information. We recognize that HCFA, consistent with priorities set forth by
OMB, has focused its resources on ensuring that the agency and its
contractors are compliant with year 2000 computer requirements.
Nonetheless, we believe that reducing the vulnerabilities in its information
systems and increasing its monitoring of contractors are important
concerns that HCFA must address in the coming year.

HCFA also needs to better implement other aspects of its confidentiality
policies and practices. The agency does not always fully and clearly inform
beneficiaries that their information may be disclosed. It also lacks the
ability to readily provide beneficiaries with an accounting of disclosures.
In addition, HCFA does not have a formal system for monitoring the
confidentiality protections of organizations to which it discloses
personally identifiable information. As a result, HCFA is unable to
systematically reduce the likelihood of inappropriate use of the data or
identify instances of such misuse.

Although few complaints about Privacy Act violations have been made to
date, we believe that the weaknesses we and others have identified
potentially compromise the confidentiality of health information on
Medicare beneficiaries. However, HCFA has begun some important
initiatives that appear promising and could improve its protection of
Medicare beneficiary health information. These include the creation of a
new beneficiary confidentiality board and actions taken in response to OMB
guidance for agencies to reevaluate the circumstances under which they
disclose information.

Our report makes recommendations to the HCFA Administrator to improve
HCFA’s protection of the confidentiality of personally identifiable
information on Medicare beneficiaries. In summary, we recommend that
HCFA correct the vulnerabilities identified in its information management
systems by the OIG; systematically monitor contractors’ safeguards for
protecting confidential information; develop a system to routinely monitor
other organizations that have received personally identifiable information
on Medicare beneficiaries; ensure that all agency Privacy Act notifications
contain the information required by the Act in a form that is clear and
informative to beneficiaries; and implement a system that would permit
HCFA to respond in a timely fashion to beneficiary inquiries about
disclosure of their information outside HCFA as well as to provide
information on Privacy Act activities to OMB and others.

Mr. Chairman, this concludes my prepared statement. I would be happy to
answer any questions you or the Subcommittee members may have.


GAO Contacts and Acknowledgments

For future contacts regarding this testimony, please call Leslie G.
Aronovitz at (312) 220-7600 or Bruce D. Layton at (202) 512-6837. Key
contributors to this testimony include Nancy Donovan, Bonnie Brown,
Nila Garces-Osorio, Barry Bedrick, and Julian Klazkin.
Related GAO Products

Medicare: Improvements Needed to Enhance Protection of Confidential
Health Information (GAO/HEHS-99-140, July 20, 1999).

Year 2000 Computing Challenge: Estimated Costs, Planned Uses of
Emergency Funding, and Future Implications (GAO/T-AIMD-99-214, June 22,
1999).

Year 2000 Computing Crisis: Readiness of Medicare and the Health Care
Sector (GAO/T-AIMD-99-160, Apr. 27, 1999).

Financial Audit: 1998 Financial Report of the United States Government
(GAO/AIMD-99-130, Mar. 31, 1999).

Auditing the Nation’s Finances: Fiscal Year 1998 Results Highlight Major
Issues Needing Resolution (GAO/T-AIMD-99-131, Mar. 31, 1999).

Medical Records Privacy: Access Needed for Health Research, but
Oversight of Privacy Protections Is Limited (GAO/HEHS-99-55, Feb. 24, 1999).

Year 2000 Computing Crisis: Readiness Improving, but Much Work
Remains to Avoid Major Disruptions (GAO/T-AIMD-50, Jan. 20, 1999).

Major Management Challenges and Program Risks: Department of Health
and Human Services (GAO/OGC-99-7, Jan. 1999).

Medicare Computer Systems: Year 2000 Challenges Put Benefits and
Services in Jeopardy (GAO/AIMD-98-284, Sept. 28, 1998).

Information Security: Serious Weaknesses Place Critical Federal
Operations and Assets at Risk (GAO/AIMD-98-92, Sept. 23, 1998).



