This is the accessible text file for GAO report number GAO-12-973 entitled 'Health Information Technology: CMS Took Steps to Improve Its Beneficiary Eligibility Verification System' which was released on October 5, 2012.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:

Report to Congressional Requesters:

September 2012:

Health Information Technology:
CMS Took Steps to Improve Its Beneficiary Eligibility Verification System:

GAO-12-973:

GAO Highlights:

Highlights of GAO-12-973, a report to congressional requesters.

Why GAO Did This Study:

Medicare is a federal program that pays for health care services for individuals 65 years and older and certain individuals with disabilities.
In 2011, Medicare covered about 48.4 million of these individuals, and total expenditures for this coverage were approximately $565 billion. CMS, the agency within the Department of Health and Human Services that administers Medicare, is responsible for ensuring that proper payments are made on behalf of the program’s beneficiaries. In response to HIPAA requirements, CMS developed and implemented an information technology system to help providers determine beneficiaries’ eligibility for Medicare coverage. In May 2005 CMS began offering automated services through HETS, a query and response system that provides data to users about Medicare beneficiaries and their eligibility to receive payment for health care services and supplies.

Because of the important role that HETS plays in providers having access to timely and accurate data to determine eligibility, GAO was asked to (1) identify the operational status of HETS, (2) identify any steps CMS has taken to ensure users’ satisfaction and plans to take to ensure the system supports future requirements, and (3) describe CMS’s policies, processes, and procedures for protecting the privacy of data provided by HETS. To do so, GAO collected and analyzed documentation from program officials, such as reports on transaction volume and response times, agreements with users, and CMS’s privacy impact and risk assessments of HETS. GAO also interviewed program officials and system users.

What GAO Found:

The Centers for Medicare and Medicaid Services (CMS) currently offers to Medicare providers and Medicare Administrative Contractors the use of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Eligibility Transaction System (HETS) in a real-time data processing environment. HETS is operational 24 hours a day, 7 days a week, except during regularly scheduled maintenance Monday mornings, from midnight until 5:00 a.m., and when CMS announces other maintenance periods during one or two weekends each month.
According to program officials, 244 entities were using HETS in 2012, including about 130 providers, 104 clearinghouses that provide data exchange services to about 400,000 health care providers, and 10 Medicare contractors that help CMS process claims for services. From January through June 2012, HETS processed each month an average of 1.7 million to 2.2 million queries per day with most of the queries submitted between the hours of 8:00 a.m. and 4:00 p.m. eastern time. The users with whom we spoke confirmed that operational problems they experienced with the system in 2010 and the first few months of 2011 were resolved in spring 2011 after CMS implemented several hardware and software replacements and upgrades. System performance reports for the first 6 months of 2012 showed that the average response time per transaction was less than 3 seconds. Users described experiences with the system that were consistent with these data. They told us that they are currently satisfied with the operational status of HETS and that the system provides more complete information and reliable service than other systems that they use to verify eligibility with commercial health insurers. CMS took steps to ensure users remain satisfied with the system’s performance, including notifying users in advance of system downtime, providing help desk support, and monitoring contractors’ performance. The agency had also planned several technical improvements intended to increase HETS’ capacity to process a growing number of transactions, which the agency projected to increase at a rate of about 40 percent each year. These plans include a redesign of the system and migration to a new database environment that is scalable to accommodate the projected increase in transaction volume. 
According to HETS program officials, near-term plans also include the implementation of tools to enable proactive monitoring of system components and additional services intended to enhance production capacity until the planned redesign of the system is complete.

To help protect the privacy of beneficiary eligibility data provided by HETS, CMS established policies, processes, and procedures that are intended to address principles reflected by the HIPAA Privacy Rule. For example, in its efforts to ensure proper uses and disclosures of the data, CMS documented in user agreements the authorized and unauthorized purposes for requesting Medicare beneficiary eligibility data. Additionally, the agency conducted privacy impact and risk assessments of HETS as required by the E-Government Act of 2002. Officials from the Department of Health and Human Services’ Office for Civil Rights stated that no privacy violations had been reported regarding the use of the protected health data provided by HETS since its implementation in 2005.

View [hyperlink, http://www.gao.gov/products/GAO-12-973]. For more information, contact Valerie Melvin at (202) 512-6304 or melvinv@gao.gov.
[End of section]

Contents:

Letter:
Background:
HETS Is Operational and Provides Responses to Users' Requests in Real Time:
CMS Has Taken Steps to Ensure Users' Satisfaction and Is Making Plans to Implement Improvements to Meet Future Requirements:
CMS Established Policies and Procedures Intended to Address Privacy Principles and Assessed Impact and Risks of Sharing Data:
Agency Comments and Our Evaluation:

Appendix I: Objectives, Scope, and Methodology:
Appendix II: HETS Transaction Volumes and Response Times:
Appendix III: Comments from the Department of Health & Human Services:
Appendix IV: GAO Contacts and Staff Acknowledgments:

Tables:

Table 1: HETS Transaction Volume:
Table 2: CMS's Actions to Address Key HIPAA Privacy Principles:
Table 3: Average System Response Time from January 2010 through June 2012:

Abbreviations:

CMS: Centers for Medicare and Medicaid Services:
HETS: HIPAA Eligibility Transaction System:
HHS: Department of Health and Human Services:
HIPAA: Health Insurance Portability and Accountability Act of 1996:
MAC: Medicare Administrative Contractor:
OMB: Office of Management and Budget:

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

September 12, 2012:

The Honorable Orrin Hatch:
Ranking Member:
Committee on Finance:
United States Senate:

The Honorable Richard M. Burr:
Ranking Member:
Subcommittee on Children and Families:
Committee on Health, Education, Labor, and Pensions:
United States Senate:

The Honorable Tom Coburn, M.D.
Ranking Member:
Permanent Subcommittee on Investigations:
Committee on Homeland Security and Governmental Affairs:
United States Senate:

Medicare is a federal program that pays for health care services for individuals 65 years and older, certain individuals with disabilities, and those with end-stage renal disease. It is funded by general revenues; payroll taxes paid by most employees; employers and individuals who are self employed; and beneficiary premiums.
In 2011, Medicare covered about 48.4 million of these individuals with a total expenditure of approximately $565 billion. The Centers for Medicare and Medicaid Services (CMS), the agency within the Department of Health and Human Services (HHS) that administers Medicare, is responsible for ensuring that proper payments are made on behalf of its beneficiaries to the doctors, hospitals, visiting nurses, and others who provide health care services and treatment, along with entities that supply medical equipment such as wheelchairs, walkers, and hospital beds to their patients. To avoid risks that they may not be reimbursed for services, these health care providers take steps to determine whether patients and services are covered by entities that pay for health care expenses, such as Medicare. Toward this end, CMS developed and implemented an information technology system to help providers determine Medicare beneficiaries' eligibility for health care services and supplies in response to requirements under the Health Insurance Portability and Accountability Act of 1996, or HIPAA.[Footnote 1] CMS officials stated that, in accordance with the act, on May 31, 2005, the agency began offering automated services for determining Medicare eligibility for certain beneficiaries through the use of an information technology system called the HIPAA Eligibility Transaction System, or HETS. [Footnote 2] Five years after its implementation, however, problems with the performance of the system were noted by CMS and its users. Because of the important role that HETS plays in assuring that providers have timely and accurate data to determine Medicare beneficiaries' eligibility, you requested that we undertake a review of the system. 
Our specific objectives were to (1) identify the operational status of HETS, (2) identify any steps CMS has taken to ensure users' satisfaction and plans to take to ensure the performance of the system supports future requirements, and (3) describe CMS's policies, processes, and procedures for protecting the privacy of beneficiary eligibility data provided by the system. To identify the operational status of HETS, we collected and analyzed documentation from program officials that described daily operations of the system, such as reports on incoming transaction volume, response time, and downtime, along with documents that describe outcomes of the system, including reported problems. We also determined the level of service provided to HETS users by comparing the information we collected to business requirements defined in program and system plans and strategies, and by obtaining users' views of the extent to which the current implementation of HETS met their needs. To do this, we selected and interviewed representatives of the six highest volume users throughout the United States. These users were identified as those having submitted approximately 35 percent of the total HETS information requests during a week in March 2012, the week selected for our study. To identify the steps that CMS has taken to ensure HETS users are satisfied with the performance of the system, and that the agency plans to take to ensure the system provides the level of service needed to support future requirements, we reviewed agency documents, interviewed business and system owners knowledgeable of the management of the program, and identified steps CMS took to assess contractors' performance toward providing efficient and quality service to users of HETS. 
We also collected and analyzed program planning documentation that described long-term plans for the system and assessed those plans against projections of future requirements and recommendations from independent studies of CMS's implementation of the system.

Finally, to describe the policies, processes, and procedures established by CMS to protect the privacy of beneficiary eligibility data, we evaluated agency documentation such as agreements with users regarding the use of the system and requirements for handling data, and the system's privacy impact and risk assessments. We compared information discussed in these documents to requirements and practices derived from relevant privacy laws, including the HIPAA Privacy Rule[Footnote 3] and the Privacy Act of 1974.[Footnote 4] In conducting our work, we did not review or test controls implemented by the agency to secure the data processed by HETS. More detailed information about our objectives, scope, and methodology is discussed in appendix I.

We conducted this performance audit from February 2012 to August 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background:

Medicare consists of four parts--A, B, C, and D. Medicare Part A provides payment for inpatient hospital, skilled nursing facility, some home health, and hospice services, while Part B pays for hospital outpatient, physician, some home health, durable medical equipment, and preventive services. In addition, Medicare beneficiaries have an option to participate in Medicare Advantage, also known as Part C, which pays private health plans to provide the services covered by Medicare Parts A and B.
Further, all Medicare beneficiaries may purchase coverage for outpatient prescription drugs under Medicare Part D, and some Medicare Advantage plans also include Part D coverage. The fee-for-service portion of the Medicare program (Parts A and B) processes approximately a billion claims each year from about 1.5 million providers who deliver and bill Medicare for health care services and supplies.

In delivering patient care, providers need to not only ensure that claims for services covered by Medicare and other health care insurers are submitted correctly, but to also ensure that beneficiaries receive benefits to which they are entitled. To do this, these providers need access to accurate and timely eligibility information to help them determine whether and how to properly submit claims for payment to Medicare and other insurers on behalf of their patients. Many health care insurers have implemented information technology systems to help providers make this determination at the time services are being delivered--that is, at the point of care--by providing electronic data on a real-time basis regarding patients' benefits covered by their insurance plans.

CMS's Implementation of HETS to Assist Providers:

To assist providers with verifying beneficiaries' eligibility for services under Medicare, and in response to HIPAA requirements, CMS provided an electronic mechanism that allowed providers to access real-time data at the point care is scheduled or delivered.[Footnote 5] To meet this requirement, CMS officials stated that they implemented the initial version of HETS in May 2005. CMS's Business Applications Management Group and the Provider Communications Group are the system and business owners of HETS.
As such, these groups are responsible for the development, implementation, maintenance, and support of the system, as well as establishing business rules regarding the use of the system application, such as agreements regarding the use and protection of the data provided by HETS. CMS awarded cost-plus-award-fee contracts to two contractors to assist the agency with developing and maintaining HETS, performing independent testing, production support, help desk, and project integration services. HETS operates from CMS's data center in Baltimore, Maryland, and is accessed by users via the CMS extranet.[Footnote 6] The system is comprised of software that processes query and response transactions, along with hardware, such as servers that support connections with users' facilities and the internet, and devices that store the data provided by the system. The system software is designed to process transactions according to standards and formats defined by HIPAA. [Footnote 7] It was designed to allow the release of patients' data to Medicare providers, or their authorized billing agents, to support their efforts to complete accurate Medicare claims when determining beneficiaries' liability and eligibility for specific services. [Footnote 8] CMS officials stated that the agency does not receive any payments for the use of HETS, nor does the agency require Medicare providers to use HETS to verify eligibility prior to filing claims. CMS intended for HETS to be used by health care providers; health care clearinghouses, which are entities that provide electronic data exchange services for their customers; [Footnote 9] and Medicare Administrative Contractors (MACs) that assist CMS in processing claims.[Footnote 10] Health care providers may request beneficiary eligibility data from HETS directly via CMS's extranet or by utilizing the services of clearinghouses. 
According to clearinghouse officials with whom we spoke, many providers use clearinghouses to conduct transactions with HETS because they may not have the technical capability to connect directly to CMS's extranet, or they may choose to employ the services of clearinghouses for financial or other reasons. For example, these providers may use clearinghouses to conduct electronic transactions with CMS and other different payers' systems, and avoid expenses associated with establishing and maintaining the in-house technology and expertise needed to connect with multiple systems. Rather, they can conduct these transactions by establishing one connection with a clearinghouse. However, the MACs access HETS via CMS's extranet. In all cases, users gain access to the extranet through a vendor-supplied network service.[Footnote 11]

According to documented system descriptions, when requesting information from HETS, a user initiates a transaction by entering data into its workstation using software systems installed within its facility. The end-users' systems may be developed in-house by individual providers, clearinghouses, or MACs, or by commercial software vendors. The data entered into the workstation identify the provider, beneficiary, and services for which eligibility is to be verified. The data are translated by the end-user software into the standard HIPAA transaction format, then transmitted from the user's workstation to the HETS system via either the agency's extranet, or the vendor-supplied network service which connects to the CMS extranet. The system validates the incoming data and, if the request is valid, returns response data back to the user's workstation. If the request data are not valid, the system responds with error codes that indicate the type of error detected in the request data. Responses are transmitted from HETS in the HIPAA format and translated by the users' software before being presented.
According to reports provided by program officials, the number of HETS transactions has grown each year since its initial implementation in May 2005. The business and system owners with whom we spoke attributed the growth primarily to increases in the number of new users of HETS, particularly during the first 2 years of implementation, and the growth in the number of Medicare beneficiaries. Nonetheless, while the number of transactions has continued to increase, the annual rate of increase in transaction volume has declined since the system's initial implementation. Table 1 shows HETS utilization, measured by the number of incoming transactions processed each fiscal year, from its initial implementation in May 2005 through fiscal year 2011.

Table 1: HETS Transaction Volume:

Fiscal year: 2005; Number of transactions: 7,063,457.
Fiscal year: 2006; Number of transactions: 91,892,244; Percentage Increase over prior year: 1,201%.
Fiscal year: 2007; Number of transactions: 173,562,342; Percentage Increase over prior year: 89%.
Fiscal year: 2008; Number of transactions: 247,323,623; Percentage Increase over prior year: 42%.
Fiscal year: 2009; Number of transactions: 362,770,998; Percentage Increase over prior year: 47%.
Fiscal year: 2010; Number of transactions: 504,534,542; Percentage Increase over prior year: 39%.
Fiscal year: 2011; Number of transactions: 669,750,568; Percentage Increase over prior year: 33%.

Source: GAO analysis of CMS data.

[End of table]

CMS's internal operational requirements for HETS established a goal for the system to respond to query transactions in 5 seconds or less. According to program officials, from 2005 to 2010, HETS responded to transaction inquiries well within this goal. However, reports of the system's performance showed that beginning in January 2010, response times began to exceed 5 seconds and progressively worsened throughout most of the year.
CMS attributed this performance degradation to outdated software and increases in the number of eligibility verification transactions submitted to the extent that the volume exceeded the hardware capacity. The business and system owners with whom we spoke stated that in July 2010 they began to implement a series of major improvements to the HETS operating environment and system, including hardware and software upgrades. However, users continued to experience lengthy response and system down times. Program officials stated that in January 2011 they took additional steps to address the slow response and system availability problems. In this case, they doubled the hardware capacity, replaced the operating system, and upgraded the system's software. According to these officials, the revisions, upgrades, and replacements were more complex than expected and were not fully implemented until April 2011. Subsequently, from mid April 2011 to May 2011, CMS conducted a phased migration of HETS users to the upgraded system.

Federal Requirements for Protecting Individually Identifiable Health Information:

Because HETS processes and transmits personal information related to individuals' Medicare program eligibility, the system is subject to federal requirements for protecting the personally identifiable health information. In this regard, the Privacy Act of 1974 regulates the collection, maintenance, use, and dissemination of personal information by federal government agencies. It also prohibits disclosure of records held by a federal agency or its contractors in a system of records without the consent or request of the individual to whom the information pertains unless the disclosure is permitted by the Privacy Act.[Footnote 12] The Privacy Act includes medical history in its definition of a record.
Other federal laws and regulations further define acceptable use and disclosure activities that can be performed with individually identifiable health information, known as protected health information.[Footnote 13] These activities include--provided certain conditions are met--treatment, payment, health care operations, and public health or research purposes. For example, HIPAA and its implementing regulations allow the entities they cover to use or disclose protected health information for providing clinical care to a patient.[Footnote 14] These covered entities and their business associates, such as medical professionals, pharmacies, health information networks, and pharmacy benefit managers, work together to gather and confirm patients' electronic health information that is needed to provide treatment, such as a beneficiary's eligibility, benefits, and medical history.

Key privacy and security protections associated with individually identifiable health information, including information needed by providers to verify patients' eligibility for coverage by Medicare or private health plans, are established under HIPAA. Key privacy principles associated with individually identifiable health information, including information needed by providers to verify patients' eligibility for coverage by Medicare or private health plans, are reflected in HIPAA.[Footnote 15] HIPAA's Administrative Simplification Provisions provided for the establishment of national privacy and security standards, as well as the establishment of civil money and criminal penalties for HIPAA violations. HHS promulgated regulations implementing the act's provisions through its issuance of the HIPAA rules. Specifically, the HIPAA Privacy Rule regulates covered entities' use and disclosure of protected health information.
Under the Privacy Rule, a covered entity may not use or disclose an individual's protected health information without the individual's written authorization, except in certain circumstances expressly permitted by the Privacy Rule. These circumstances include certain treatment, payment, and other health care operations. As such, the disclosure of beneficiary eligibility information by HETS is permitted in accordance with the rule since it is used in making treatment and payment decisions.

The HIPAA Privacy Rule reflects basic privacy principles for ensuring the protection of personal health information, such as limiting uses and disclosures to intended purposes, notification of privacy practices, allowing individuals to access their protected health information, securing information from improper use or disclosure, and allowing individuals to request changes to inaccurate or incomplete information. The Privacy Rule generally requires that a covered entity make reasonable efforts to use, disclose, or request only the minimum necessary protected health information to accomplish the intended purpose.[Footnote 16]

In addition to the Privacy Act and the HIPAA Privacy Rule, the E-Government Act of 2002 includes provisions to enhance the protection of personal information in government information systems.[Footnote 17] To this end, the act requires federal agencies to conduct privacy impact assessments to determine the impact of their information systems on individuals' privacy. The act also states that the assessment should be completed to analyze how information is to be handled and to evaluate needed protections and alternative processes for handling information in order to mitigate potential privacy risks.

HETS Is Operational and Provides Responses to Users' Requests in Real Time:

After experiencing performance problems throughout 2010, HETS is currently operating on a real-time basis and with few user concerns being noted.
As of June 2012, CMS reported that 244 entities were using the system; these included 130 providers, 10 Medicare Administrative Contractors, and 104 clearinghouses that conduct query and response transactions for about 400,000 providers.[Footnote 18] The agency further reported that, during the first 6 months of 2012, the system processed more than 380 million transactions from these users. System performance data showed that, since May 2011, HETS has been consistently providing service to its users 24 hours a day, 7 days a week, except during regularly scheduled maintenance periods, which occur on Monday mornings from midnight until 5:00 a.m. (CMS sometimes schedules additional outages for system maintenance and upgrades, usually during one or two weekends each month.) The performance reports showed that from January 2011 through June 2012, the system processed each month an average of 1.7 million to 2.2 million queries per day, with the highest volume of transaction processing occurring between 8:00 a.m. and 4:00 p.m. eastern time, Monday through Friday. About 90 percent of these transactions were initiated by the clearinghouses. Daily reports of system performance that were generated by the system showed that the average response time for 99 percent of the transactions was less than 3 seconds during the first 6 months of 2012.[Footnote 19] Appendix II provides our detailed analysis of the system's transaction volumes and response times from January 2010 through June 2012. Users of the system told us that since CMS completed hardware and software improvements in spring 2011, they have been satisfied with its operational status. They stated that they are not currently experiencing operational or communication issues. 
Records of contacts with CMS's help desk regarding the operational status of HETS show that the number of calls by users declined from an average of 133 calls per week during the first quarter of 2011 to an average of 64 per week during the second quarter of 2012. The users also stated that health care insurers in the commercial sector conduct electronic eligibility verifications in a manner similar to that of CMS. They told us that, based on their experiences with using those insurers' systems, HETS provides faster response times as well as more complete information and reliable service than the other beneficiary eligibility verification systems they use.

CMS Has Taken Steps to Ensure Users' Satisfaction and Is Making Plans to Implement Improvements to Meet Future Requirements:

CMS's efforts to correct operational problems experienced with HETS in 2010 and early 2011 led to improved performance and overall user satisfaction with the system. To ensure that the agency is able to maintain performance that satisfies users and meets goals for response and system availability times, HETS program officials have taken steps to provide ongoing support for users through help desk procedures, system status notifications, and management of contractors based on incentive awards for performance that exceeds contractual requirements. Additionally, these officials have begun to plan for improvements and enhancements to the system in efforts to position themselves to meet future demands on the system as they projected transaction volume to increase at a rate of about 40 percent a year. Among other improvements, the officials described plans to redesign the system and upgrade hardware, and to establish service level agreements with HETS users.

CMS Has Taken Steps to Ensure Users Remain Satisfied:

CMS has taken various steps to improve the operational status of HETS and to ensure user satisfaction with its performance.
With regard to ensuring the availability of the system, CMS notifies users of the status of operations on a daily basis and whenever a change in status occurs. For example, CMS contractors perform daily health checks each morning to determine the status of HETS. If system performance or availability issues are identified, help desk contractors post messages to that effect on the system website and a trouble ticket is opened. The appropriate staff is assigned to troubleshoot and resolve the issues. Additionally, when users have complaints or issues related to the system's operations, they are instructed to contact the help desk. Upon receipt of the problem, the help desk staff are to triage the problem and generate a ticket if the problem cannot be resolved at the help desk level. For example, if a user is unable to access the system and contacts the help desk, staff are to determine if the problem is an operational issue or is an issue with the user or another component of the system, such as the network services provided by a vendor. They are to then track the issue until the problem is resolved. According to HETS program officials, problems are generally reported when the system response time begins to slow down. CMS's help desk contractors who support HETS post announcements on the agency's website and send e-mails to notify users when the system is to be brought down to allow corrections to system operation problems, or to perform upgrades or maintenance. The contractors post a second announcement and send e-mails to notify users when the system becomes available after an outage. The past 6 months' help desk announcements on the HETS website showed that additional maintenance or system upgrades were performed outside the scheduled maintenance period. Specifically, during this time CMS notified users that maintenance would be performed one to two times per month on weekends, with the system down from as few as 6 hours to as many as 3 days. 
In most cases, CMS sent a notice to its HETS users 2 weeks in advance of the outages. In discussions with provider, clearinghouse, and MAC users, two of the users expressed concerns with the frequency that CMS conducts maintenance outside the scheduled maintenance time. These users stated that they do not have access to the system for 1 day three to four weekends per month. However, one of these users, a provider, told us that during these times the system was accessible via an alternate portal, which indicated that HETS was operational and likely not a cause of the problem. A clearinghouse user stated that, while these outages are inconvenient, CMS notifies users well in advance of the outages and that there are some times during the announced outages when transactions can be processed. All the users with whom we spoke told us that the CMS help desk notified them in advance of any unscheduled system outages that were planned in addition to the regularly scheduled maintenance downtime. CMS has also taken steps to ensure that its contractors meet quality and service requirements related to the development, maintenance, and support of HETS. Program officials told us that the contractors' performance is reviewed and evaluated every 6 months in addition to annual evaluations, based on measures for overall technical performance and management. The evaluations identify strengths and weaknesses noted during the evaluation periods. The contractors may be awarded financial incentives for exceeding performance expectations in certain categories, such as software maintenance and support for the system's operations. For example, a May 2012 report on the results of the most recent 6-month evaluation of the help desk contractor's performance documented its strengths and weaknesses. The report showed that program officials were satisfied with the contractor's efforts to meet measures in technical performance and, therefore, provided the full financial incentive. 
However, they noted weaknesses in one category for which the contractor did not receive the full incentive amount. In this case, the contractor failed to deliver required reports and identify infrastructure changes that impacted the implementation of HETS. Additionally, a November 2011 report on the development contractor's performance showed similar results. In both reports, program officials stated overall satisfaction with the contractors' performance and noted areas of needed improvements.

CMS Is Making Plans to Ensure the System Supports Future Requirements:

To help ensure the current level of service is sustained during projected increases in transaction volumes, the system owners have initiated various activities aimed at helping to prevent operational problems similar to those experienced with the system in 2010 and early 2011. In this regard, CMS projected the increase in transaction volume to continue at a rate of about 40 percent for the next several years. This increase is expected in part because of the discontinuance of some providers' use of other means to obtain eligibility information from CMS and the migration of that user population to HETS by the end of March 2013.[Footnote 20] Program officials also anticipate that more Medicare Administrative Contractors will begin to offer beneficiary eligibility verification services to the providers they support and will use HETS to conduct these verifications.

The system and business owners described steps they took in 2011 and 2012 that were intended to help plan for future increases in the number of transactions.

* In March 2011, CMS tasked its HETS development contractor to prepare a plan and process for long-term improvements to the system and its operating environment. The agency tasked an additional contractor to evaluate the existing architecture, monitoring tools, and the extent to which the existing system platform could be scaled to meet future requirements.
This contractor was also tasked to propose and analyze alternatives for future system implementation and recommend future service levels, monitoring tools, and practices for managing the application.

* In July 2011, CMS released a Request for Information to obtain knowledge and information of current marketplace solutions that may meet future needs. As stated in the request, this action was intended to compile information that would assist CMS in the identification of potential options for creating an enterprise-level health care eligibility inquiry system that would support both real-time and batch transaction exchanges. In August 2011, 12 companies responded to the request and provided information on how their existing products could address CMS requirements. CMS analyzed the responses to the Request for Information and concluded that while 3 of the companies provided information that was not useful, others offered a range of products that CMS could consider when they begin to survey the marketplace for viable products and solutions for a future implementation of HETS.

In January 2012, the two contractors completed the evaluations that were initiated in March 2011 and submitted reports that included recommendations regarding steps needed to accommodate projected eligibility transaction volumes while maintaining appropriate availability, security, and costs of HETS operations. The first report stated the existing architecture is sufficient to handle current transaction volumes and, with minor changes, should be able to handle transaction volumes anticipated for the next 2 years. The report also included recommendations to address the increases in transaction volume projected beyond the next 2 years. For example, the contractor who conducted the evaluation recommended that CMS reassess and change the architecture as transaction volumes grow, and automate routine processes, including troubleshooting practices and application start-up and shutdown procedures.
This contractor also recommended that CMS establish service level agreements with its users to define and agree upon service parameters for HETS, including system availability and performance. The second contractor's report provided technical evaluations of six commercial-off-the-shelf products that were capable of meeting future estimated transaction volumes and presented recommendations for three alternate solutions, spelling out the strengths and weaknesses of each. Program officials stated that they agree with the recommendations identified in the contractors' reports and are making plans to address many of them in the near term. Specifically, they are planning to automate some processes, such as the application start-up and shutdown procedures. Additionally, HETS business owners stated that they are currently working to establish and document service level agreements with users, as recommended by one of the evaluation contractors. They plan to complete this activity and have agreements in place by January 2013. The officials we spoke with also described several technical improvements they intend to take to increase the system's capacity to handle growing numbers of transactions, including some consistent with the contractors' evaluations. For example, according to CMS's plans for modifying and improving the system through 2015, in fiscal year 2011 CMS began to plan for development of a redesigned system to be completed by the end of June 2014. The agency awarded a contract for defining and writing requirements for the redesigned system in June 2012. Among other capabilities, as part of the system redesign CMS plans to implement batch processing of transactions in addition to the current real-time process.[Footnote 21] According to HETS business owners, this capability is needed to support users' needs since some clearinghouses receive batch files from providers and have to convert them for real-time submission. 
The implementation of batch processing capabilities within the system will remove the need for clearinghouses to take this extra step. Among several other initiatives to be conducted are plans to procure a contract for maintenance of the current system until the redesign is complete. This activity is necessary because the terms of the current contract expire at the end of September 2013 and the system redesign is not planned to be complete until the end of June 2014. CMS's plans also identified a step to, by the end of August 2012, migrate the current HETS database to a new operating platform that is scalable to accommodate the expected increase in transaction volume. Further, agency officials stated that while they plan to make these improvements to the system over the next 3 years, their ability to conduct the activities they have planned is dependent on the agency's budget. These officials stated that, to mitigate risks associated with the level of funding the program receives in the future, they prioritized improvements planned for the existing system and began to implement those that they determined to be the most cost-effective during this and early next fiscal year. Among other things, these include activities to support the current system until the redesigned system is implemented, including development of tools that enable the HETS contractors to proactively monitor system components, additional services to enhance production capacity, and automated processes for starting up and shutting down the application. Program officials stated that they will review and prioritize other activities for improving the system as part of the HETS redesign project. 
CMS Established Policies and Procedures Intended to Address Privacy Principles and Assessed Impact and Risks of Sharing Data:

The Privacy Act of 1974 and the HIPAA Privacy Rule protect personally identifiable health information, such as Medicare beneficiary information, to ensure that it is disclosed only under specified conditions and used only for its intended purpose. In accordance with these privacy protections, the information provided by HETS is to be used only for confirming eligibility of patients to receive benefits for services provided under the Medicare fee-for-service program. CMS is governed by the Privacy Act and all covered entities that use HETS--health care providers, clearinghouses, and Medicare contractors--are required to comply with the HIPAA Privacy Rule. In accordance with provisions of the Privacy Rule, the protected health information provided by HETS is to be disclosed and used only for certain activities. Among other activities, these include treatment of patients and payment for services--the activities supported by the use of HETS.

CMS has taken actions intended to ensure that the personal health information sent to and from the system is protected from misuse and improper disclosure. For example, CMS documented in the HETS Rules of Behavior that users must adhere to the authorized purposes for requesting Medicare beneficiary eligibility data. Specifically, the rules state that users are authorized to request information to determine whether patients who were determined to be Medicare eligible are covered for specific services that are to be provided at the point of care. However, users are not authorized to request information for the sole purpose of determining whether patients are eligible to receive Medicare benefits. According to program officials, CMS enforces its rules of behavior by monitoring inquiries to identify behaviors that may indicate intentional misuse of the data.
For example, inquiries from one user that result in high rates of errors or a high ratio of inquiries compared to the number of claims submitted may indicate that a user is searching the system to identify Medicare beneficiaries rather than using HETS for its intended purpose. Users engaging in these types of behavior may be contacted or, when appropriate, referred for investigation for inappropriate use of the data, such as health care identity theft or fraudulent billing practices. Additionally, system documentation described mechanisms that were implemented to prevent access by requesters with invalid provider identifications or certain providers who have been excluded or suspended from participating in the Medicare program. For example, CMS maintains databases of National Provider Identifiers, another HIPAA standard.[Footnote 22] The eligibility request transactions submitted by HETS users include these identifiers, and, before providing beneficiary data in response to requests, the system validates the identifiers against data stored in an agency database. Additionally, according to the HETS business owners, providers who have been identified by HHS's Office of Inspector General and the General Services Administration as ones conducting activities intended to defraud Medicare may be included on a "do not pay" list.[Footnote 23] In this case, providers excluded from the program would not "need to know" information about patients' personal health, including whether or not they are eligible for Medicare benefits. According to HETS officials, these data are also incorporated into the National Provider Identifier database that is used to validate identifiers submitted to HETS and, as a result, these excluded providers are also not allowed to receive information from the system. HETS system documentation also described mechanisms for securing the data transmitted to and from HETS. For example, access to the system is only allowed through CMS's secured extranet. 
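
The monitoring described above, sketched as an added example (not CMS or GAO code): a weekly review that flags submitters whose error rate exceeds the 30 percent threshold the report cites in table 2, or whose inquiries far outnumber the claims they file. The log format, submitter IDs, claim counts, the 10-to-1 ratio limit and the 20-inquiry minimum are constructed assumptions; the report supplies only the 30 percent figure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ERROR_RATE_LIMIT_PCT = 30  # from the report: 30 percent weekly error-rate threshold
RATIO_LIMIT = 10           # assumption: inquiries per claim; the report gives no figure
MIN_INQUIRIES = 20         # assumption: skip samples too small to judge


def build_sample_log():
    """Constructed log lines (not real HETS data): timestamp, submitter, result."""
    start = datetime(2012, 3, 12, 8, 0, 0)
    # submitter: (inquiries, errors) for one week
    plan = {"SUB-A": (40, 2), "SUB-B": (50, 20), "SUB-C": (60, 3),
            "SUB-D": (5, 3), "SUB-E": (30, 9)}
    lines, tick = [], 0
    for submitter, (total, errors) in plan.items():
        for i in range(total):
            ts = (start + timedelta(minutes=7 * tick)).strftime("%Y-%m-%dT%H:%M:%S")
            result = "ERROR" if i < errors else "OK"
            lines.append(f"{ts} submitter={submitter} result={result}")
            tick += 1
    lines.append("corrupted line without fields")  # exercises the parser's reject path
    return lines


# Constructed claim counts per (submitter, (ISO year, ISO week)).
SAMPLE_CLAIMS = {
    ("SUB-A", (2012, 11)): 35, ("SUB-B", (2012, 11)): 30,
    ("SUB-C", (2012, 11)): 2, ("SUB-D", (2012, 11)): 4,
    ("SUB-E", (2012, 11)): 25,
}


def parse_line(line):
    """Return ((iso_year, iso_week), submitter, is_error), or None if malformed."""
    try:
        ts, sub, res = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        sub_key, submitter = sub.split("=", 1)
        res_key, result = res.split("=", 1)
    except ValueError:
        return None
    if sub_key != "submitter" or res_key != "result" or result not in ("OK", "ERROR"):
        return None
    iso = when.isocalendar()
    return (iso[0], iso[1]), submitter, result == "ERROR"


def weekly_counts(lines):
    """Aggregate [inquiries, errors] per (submitter, week); count skipped lines."""
    counts = defaultdict(lambda: [0, 0])
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        week, submitter, is_error = parsed
        counts[(submitter, week)][0] += 1
        counts[(submitter, week)][1] += int(is_error)
    return dict(counts), skipped


def review(lines, claims):
    """Return one finding per submitter-week that trips either indicator."""
    counts, _ = weekly_counts(lines)
    findings = []
    for (submitter, week), (inquiries, errors) in sorted(counts.items()):
        if inquiries < MIN_INQUIRIES:
            continue
        reasons = []
        # Integer comparison: flag only when the threshold is exceeded, not met.
        if errors * 100 > ERROR_RATE_LIMIT_PCT * inquiries:
            reasons.append("error_rate")
        # Multiplying instead of dividing also covers submitters with zero claims.
        filed = claims.get((submitter, week), 0)
        if inquiries > RATIO_LIMIT * filed:
            reasons.append("inquiry_to_claim_ratio")
        if reasons:
            findings.append({"submitter": submitter, "week": week,
                             "inquiries": inquiries, "errors": errors,
                             "claims": filed, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review(build_sample_log(), SAMPLE_CLAIMS):
        print(finding)
```

A finding is a prompt for follow-up with the submitter, as the report describes, not proof of misuse; a new clearinghouse with a misconfigured integration can trip the error-rate check just as easily.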
To gain access, the providers and clearinghouses must first submit a Trading Partner Agreement. In addition to including information needed to enable CMS and its trading partners, or users, to establish connectivity and define data exchange requirements, the agreement defines responsibilities for securing the data of the entities receiving beneficiary eligibility information from CMS. After users submit the agreement, CMS contacts them to authenticate their identity and, once authentication has been determined, CMS help desk staff provide the requester with a submitter ID that is required to be included on all transactions. Users then may request access to the CMS extranet from one of four network service vendors which establish a secure software connection to the system.[Footnote 24]

The table below summarizes these and other actions CMS described that address key HIPAA privacy principles relevant to the implementation of HETS.

Table 2: CMS's Actions to Address Key HIPAA Privacy Principles:

Principles: Uses and disclosures; Limits the circumstances in which an individual's protected health information may be used or disclosed by covered entities and provides for accounting of certain disclosures; requires covered entities to make reasonable efforts to disclose or use only the minimum necessary information to accomplish the intended purpose for the uses, disclosures, or requests, with certain exceptions such as for treatment or as required by law;
Actions by CMS: Documented in Rules of Behavior the authorized and unauthorized uses and disclosures of data; To ensure only entitled Medicare providers have access to beneficiary data, designed the system to validate the National Provider Identifiers included in each request transaction to ensure the provider is active and associated with the entity requesting data; Performed daily reviews to ensure that providers with invalid identifiers or who are excluded from participating in Medicare are not allowed to access beneficiary data through HETS; Monitored the number of error codes that were sent back to requestors in system responses. Officials stated that weekly error reports are reviewed to determine whether the 30 percent threshold for an accepted error rate has been exceeded. If so, CMS will follow up with the submitter and take actions as appropriate; Initially consulted with Medicare Administrative Contractors to determine the minimum amount of protected health information needed to accomplish the requestor's purpose. Submitters may make recommendations to the help desk on an ongoing basis regarding additional information they would like to receive.

Principles: Notice; Requires most covered entities to provide a notice of their privacy practices including how personal health information may be used and disclosed;
Actions by CMS: Informed users of their responsibility to comply with Privacy Act and HIPAA requirements through its website and by requiring users to agree and comply with requirements outlined in the Trading Partner Agreement and Rules of Behavior.

Principles: Security; Requires covered entities to safeguard protected health information from inappropriate use or disclosure;
Actions by CMS: Secured the data transmitted to and from HETS by only allowing access to the system through CMS's secured extranet; Authorized users based on their originating internet protocol address and CMS-issued user ID; Required users to protect data from inappropriate use or disclosure. For example, they must provide security measures, including their submitter IDs and passwords, to associate each with the particular personnel who initiated the eligibility inquiry; and must not disclose, lend, or transfer transaction identification numbers or password to other personnel[A].

Principles: Opportunity to amend; Gives individuals the right to request from covered entities changes to inaccurate or incomplete protected health information held in a designated record set;
Actions by CMS: Instructed beneficiaries to contact 1-800-MEDICARE to report inaccurate or incomplete information. In addition, beneficiaries are informed they can contact the Social Security Administration to correct their information.

Principles: Implementation of requirements; Requires covered entities to analyze their own needs and implement solutions appropriate for their own environment based on a basic set of requirements for which they are accountable;
Actions by CMS: Required all users to complete a Trading Partner Agreement and make certain assurances. Among other things, users must: ensure Medicare data are only used to conduct Medicare business on behalf of Medicare providers; assume full responsibility for all submitted transactions; not make any disclosure of data that is not specifically authorized; not use data files for private gain or misrepresent themselves or CMS; and not browse or use data files for unauthorized or illegal purposes.

Source: GAO analysis of CMS data.

[A] In conducting our work, we did not review or test CMS's controls for securing HETS data.
[End of table]

Further, the E-Government Act of 2002 requires federal agencies to conduct privacy impact assessments, and the Office of Management and Budget (OMB) provides guidance to agencies conducting these assessments.[Footnote 25] The act and OMB's implementing guidance require that these assessments address: (1) what information is to be collected; (2) why the information is being collected; (3) the intended use of the information; (4) with whom the information will be shared; (5) what opportunities individuals have to decline to provide the information or to consent to particular uses of the information, and how individuals can grant consent; (6) how the information will be secured; and (7) whether a system of records is being created under the Privacy Act.

According to the OMB guidance, agencies should conduct a privacy impact assessment before developing or procuring IT systems or projects that collect, maintain, or disseminate information in identifiable form from or about members of the public. Agencies are required to perform an update as necessary when a system change creates new privacy risks. Additionally, in a previous report,[Footnote 26] we identified the assessment of privacy risks as an important element of the privacy impact assessment process to help officials determine appropriate privacy protection policies and techniques to implement those policies. We noted that a privacy risk analysis should be performed to determine the nature of privacy risks and the resulting impact if corrective actions are not in place to mitigate those risks.

CMS conducted a privacy impact assessment of HETS as called for by the E-Government Act, and updated the assessment in April 2011. The assessment addressed the seven OMB requirements for implementing privacy provisions. For example, in addressing how HETS information would be secured, it stated that the system is accessible only via the CMS private network to authorized users.
The assessment also stated that the intended use of the system is to allow providers to confirm patients' enrollment in the Medicare program and provide information that is needed to correctly bill for payment of claims. Additionally, as part of a security risk assessment, program officials also completed a privacy risk analysis of the system that addressed several privacy risks. For example, CMS assessed privacy risks related to improper disclosure of the protected health information processed by HETS and determined that the risk level was low to moderate.

By establishing practices and procedures intended to protect the privacy of Medicare beneficiaries' personal health information, and assessing the impact and risks associated with the use of HETS, CMS took required steps to address privacy principles reflected by HIPAA, the HIPAA rules, and the Privacy Act and has acted in accordance with OMB's guidance for protecting personally identifiable information. According to officials in HHS's Office for Civil Rights, no violations of the HIPAA Privacy Rule resulting from the use and disclosure of data provided by HETS have been reported since the system was implemented.

Agency Comments and Our Evaluation:

In written comments on a draft of this report, signed by HHS's Assistant Secretary for Legislation (and reprinted in appendix III), the department stated that it appreciated the opportunity to review the report prior to its publication. The department added that it regretted the poor service that resulted from operational problems in 2010 and early 2011 and that it is continuing to take steps to maintain and improve the performance of the system. The department also provided technical comments, which we incorporated as appropriate.

As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date.
At that time, we will send copies to interested congressional committees, the Secretary of HHS, the Administrator of CMS, and other interested parties. In addition, the report will be available at no charge on the GAO website at [hyperlink, http://www.gao.gov].

If you or your staff have any questions about this report, please contact me at (202) 512-6304 or by e-mail at melvinv@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix IV.

Sincerely yours,

Signed by:

Valerie C. Melvin:
Director Information Management and Technology Resources Issues:

[End of section]

Appendix I: Objectives, Scope, and Methodology:

Our objectives were to (1) identify the operational status of HETS, (2) identify any steps CMS has taken to ensure users' satisfaction and plans to take to ensure the performance of the system supports future requirements, and (3) describe CMS's policies, processes, and procedures for protecting the privacy of beneficiary eligibility data provided by the system.

To identify the operational status of HETS, we collected and analyzed documentation from program officials that described the use and daily operations of the system, such as reports on incoming transaction volume, response time, and downtime, along with documents that describe outcomes of the system, such as reported problems. To determine whether CMS provided the level of service agreed upon with HETS users, we compared the information we collected to business requirements defined in program and system plans, and to any agreements with users.
Additionally, we obtained users' views of the extent to which the current implementation of HETS satisfied their needs for timely information by holding structured interviews with selected representatives of providers; clearinghouses, which provide services for about 90 percent of Medicare providers; and a Medicare Administrative Contractor who used the system. The selected HETS users included three clearinghouses; two fee-for-service providers, including a visiting nurse agency and a medical equipment supplier; and one Medicare Administrative Contractor. Based on data provided by system performance reports for the week of March 12th through the 18th 2012, we selected the highest volume users among each user type throughout the United States. The selected users submitted about 44 percent of the 14.5 million total transactions processed during the selected period of time. Specifically, the clearinghouses submitted a total of about 40 percent of the transactions, the Medicare contractor submitted about 2 percent, and the provider and supplier submitted less than 1 percent of the transactions, respectively.

We discussed with the users their experiences and satisfaction with the level of service the system has provided over the last 2 years, and the results of CMS's efforts to resolve any problems or system-related issues. In addition, we interviewed program officials knowledgeable of the management of the program to gain additional understanding of the agency's practices for defining performance requirements for HETS contractors, and for managing and assessing their performance relevant to ensuring efficient operations of HETS. We also discussed with the users their experiences with other automated eligibility verification systems provided by commercial health insurers. We held these discussions to determine whether these officials could share any lessons that could be beneficial to CMS in operating HETS.
To identify the steps that CMS has taken to ensure that HETS users remain satisfied with the performance of the system and that the agency plans to take to ensure the system provides the level of service needed to support future requirements, we reviewed agency documents, such as project timelines and system release notes, and reports of users' calls to the help desk. These documents described steps taken to address problems reported by users, identified systems modifications to correct problems, and showed patterns in the numbers of help desk calls over the past 2 years. We also identified steps the agency initiated to help alleviate problems introduced by increasing transaction volume as the number of Medicare beneficiaries has increased over the past 2 years. Further, through our review of relevant agency documents, contractors' performance reports, and discussions with program officials, we identified steps CMS took to assess contractors' performance toward providing efficient and quality service to users of HETS, and any necessary corrective actions. Additionally, we identified steps the agency plans to take toward defining and addressing future requirements of the system that may be introduced by increasing numbers of verification inquiries, and collected and reviewed documentation that provided information about projected growth in transaction volume as providers were faced with the need to conduct HETS queries of more patients filing Medicare claims. We also collected available program planning documentation that described long-term plans for the system and assessed these plans against projections of future requirements and recommendations from independent studies of CMS's implementation of HETS. 
Finally, to describe the policies, processes, and procedures established by CMS to ensure that the privacy of beneficiary eligibility data is protected, we evaluated agency documentation such as HETS privacy impact and risk assessments, and agreements with users that describe CMS's and users' responsibilities and requirements for protecting the data processed and provided by the system. We compared the information from these documents to requirements and privacy practices derived from provisions of the Privacy Act and the HIPAA Privacy Rule. We also held a discussion with an official with HHS's Office for Civil Rights to determine whether any complaints related to the use of HETS had been noted. In conducting our work, we did not review or test controls implemented by the agency to secure the data processed by HETS. We supplemented data collection for all objectives with interviews of agency officials, including system and business owners, who were knowledgeable of the system's operations and improvements, contract management and oversight, and requirements and practices for protecting the privacy of personal health information. Among these officials, we held discussions with directors in CMS's Provider Communications Group and the Business Applications Management Group, Office of Information Services. We used computer-maintained data provided by CMS program officials when addressing our first objective, and we determined the reliability of these data by obtaining corroborating evidence through interviews with agency officials who are knowledgeable of the operations of the system and its user population. We also conducted a reliability assessment of the data provided by CMS. We found the data sufficiently reliable for the purposes of this review. 
[End of section]

Appendix II: HETS Transaction Volumes and Response Times:

HETS program officials provided system-generated data that reflected the performance of the system in terms of the numbers of transactions processed each month and the response time in four categories. The data were provided for the time period beginning in January 2010, when the operational problems began to occur, through June 2012. Table 1 shows the percentage of transactions that received responses from HETS in less than 3 seconds increased from 60.8 percent to 99.9 percent during this time period.

Table 3: Average System Response Time from January 2010 through June 2012:

Transaction month: January 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 22; Percent: 60.8;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 5,718,162; Percent: 15.4;
Average response time: 5.00 to 9.99 seconds: No. of transactions: 8,463,492; Percent: 22.8;
Average response time: 10.00 seconds or greater: No. of transactions: 388,670; Percent: 1.0;
Total: No. of transactions: 37,142,406; Percent: 100.0.

Transaction month: February 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 22; Percent: 62.6;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 6,838,862; Percent: 18.8;
Average response time: 5.00 to 9.99 seconds: No. of transactions: 6,001,652; Percent: 16.5;
Average response time: 10.00 seconds or greater: No. of transactions: 783,358; Percent: 2.2;
Total: No. of transactions: 36,417,379; Percent: 100.0.

Transaction month: March 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 25; Percent: 59.8;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 7,920,542; Percent: 18.6;
Average response time: 5.00 to 9.99 seconds: No. of transactions: 7,987,584; Percent: 18.7;
Average response time: 10.00 seconds or greater: No. of transactions: 1,260,054; Percent: 3.0;
Total: No. of transactions: 42,671,420; Percent: 100.0.

Transaction month: April 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 25; Percent: 65.1;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 6,093,526; Percent: 15.3;
Average response time: 5.00 to 9.99 seconds: No. of transactions: 6,184,566; Percent: 15.6;
Average response time: 10.00 seconds or greater: No. of transactions: 1,603,757; Percent: 4.0;
Total: No. of transactions: 39,737,985; Percent: 100.0.

Transaction month: May 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 22; Percent: 59.3;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 6,251,411; Percent: 16.3;
Average response time: 5.00 to 9.99 seconds: No. of transactions: 6,077,201; Percent: 15.8;
Average response time: 10.00 seconds or greater: No. of transactions: 3,294,441; Percent: 8.6;
Total: No. of transactions: 38,425,237; Percent: 100.0.

Transaction month: June 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 23; Percent: 57.0;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 6,174,717; Percent: 15.0;
Average response time: 5.00 to 9.99 seconds: No. of transactions: 4,630,307; Percent: 11.3;
Average response time: 10.00 seconds or greater: No. of transactions: 6,837,504; Percent: 16.7;
Total: No. of transactions: 41,042,812; Percent: 100.0.

Transaction month: July 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 23; Percent: 56.1;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 5,517,503; Percent: 13.2;
Average response time: 5.00 to 9.99 seconds: No. of transactions: 6,224,177; Percent: 14.9;
Average response time: 10.00 seconds or greater: No. of transactions: 6,634,920; Percent: 15.8;
Total: No. of transactions: 41,878,066; Percent: 100.0.

Transaction month: August 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 21; Percent: 46.6;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 5,084,218; Percent: 11.3;
Average response time: 5.00 to 9.99 seconds: No. of transactions: 6,098,451; Percent: 13.5;
Average response time: 10.00 seconds or greater: No. of transactions: 12,910,684; Percent: 28.6;
Total: No. of transactions: 45,094,278; Percent: 100.0.

Transaction month: September 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 20; Percent: 44.9;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 6,992,241; Percent: 15.1;
Average response time: 5.00 to 9.99 seconds: No. of transactions: 4,409,053; Percent: 9.5;
Average response time: 10.00 seconds or greater: No. of transactions: 14,158,528; Percent: 30.5;
Total: No. of transactions: 46,421,571; Percent: 100.0.

Transaction month: October 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 17; Percent: 38.3;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 5,425,982; Percent: 11.6;
Average response time: 5.00 to 9.99 seconds: No. of transactions: 7,763,758; Percent: 16.6;
Average response time: 10.00 seconds or greater: No. of transactions: 15,737,988; Percent: 33.6;
Total: No. of transactions: 46,895,475; Percent: 100.0.

Transaction month: November 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 22; Percent: 47.9;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 8,518,739; Percent: 18.0;
Average response time: 5.00 to 9.99 seconds: No. of transactions: 9,757,929; Percent: 20.7;
Average response time: 10.00 seconds or greater: No. of transactions: 6,328,228; Percent: 13.4;
Total: No. of transactions: 47,228,391; Percent: 100.0.

Transaction month: December 2010;
Average response time: 0.00 to 2.99 seconds: No. of transactions: 26; Percent: 59.5;
Average response time: 3.00 to 4.99 seconds: No. of transactions: 8,600,280; Percent: 19.0;
Average response time: 5.00 to 9.99 seconds: No.
of transactions: 6,806,922; Percent: 15.0; Average response time: 10.00 seconds or greater: No. of transactions: 2,976,122; Percent: 6.6; Total: No. of transactions: 45,363,725; Percent: 100.0. Transaction month: January 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 33; Percent: 59.9; Average response time: 3.00 to 4.99 seconds: No. of transactions: 6,843,604; Percent: 12.3; Average response time: 5.00 to 9.99 seconds: No. of transactions: 10,935,377; Percent: 19.7; Average response time: 10.00 seconds or greater: No. of transactions: 4,505,490; Percent: 8.1; Total: No. of transactions: 55,551,107; Percent: 100.0. Transaction month: February 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 46; Percent: 92.7; Average response time: 3.00 to 4.99 seconds: No. of transactions: 2,832,250; Percent: 5.6; Average response time: 5.00 to 9.99 seconds: No. of transactions: 657,735; Percent: 1.3; Average response time: 10.00 seconds or greater: No. of transactions: 174,920; Percent: 0.3; Total: No. of transactions: 50,436,189; Percent: 100.0. Transaction month: March 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 52; Percent: 96.3; Average response time: 3.00 to 4.99 seconds: No. of transactions: 1,489,091; Percent: 2.7; Average response time: 5.00 to 9.99 seconds: No. of transactions: 522,921; Percent: 1.0; Average response time: 10.00 seconds or greater: No. of transactions: [Empty]; Percent: [Empty]; Total: No. of transactions: 54,599,967; Percent: 100.0. Transaction month: April 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 48; Percent: 95.7; Average response time: 3.00 to 4.99 seconds: No. of transactions: 781,124; Percent: 1.5; Average response time: 5.00 to 9.99 seconds: No. of transactions: 1,027,342; Percent: 2.0; Average response time: 10.00 seconds or greater: No. of transactions: 355,643; Percent: 0.7; Total: No. of transactions: 50,406,932; Percent: 100.0. 
Transaction month: May 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 52; Percent: 97.6; Average response time: 3.00 to 4.99 seconds: No. of transactions: 773,042; Percent: 1.4; Average response time: 5.00 to 9.99 seconds: No. of transactions: 177,683; Percent: 0.3; Average response time: 10.00 seconds or greater: No. of transactions: 355,971; Percent: 0.7; Total: No. of transactions: 53,840,105; Percent: 100.0. Transaction month: June 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 52; Percent: 96.1; Average response time: 3.00 to 4.99 seconds: No. of transactions: 1,018,495; Percent: 1.9; Average response time: 5.00 to 9.99 seconds: No. of transactions: 990,908; Percent: 1.8; Average response time: 10.00 seconds or greater: No. of transactions: 139,290; Percent: 0.3; Total: No. of transactions: 54,729,824; Percent: 100.0. Transaction month: July 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 51; Percent: 95.0; Average response time: 3.00 to 4.99 seconds: No. of transactions: 454,101; Percent: 0.8; Average response time: 5.00 to 9.99 seconds: No. of transactions: 443,551; Percent: 0.8; Average response time: 10.00 seconds or greater: No. of transactions: 1,835,663; Percent: 3.4; Total: No. of transactions: 54,547,111; Percent: 100.0. Transaction month: August 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 60; Percent: 97.1; Average response time: 3.00 to 4.99 seconds: No. of transactions: 662,293; Percent: 1.1; Average response time: 5.00 to 9.99 seconds: No. of transactions: 864,661; Percent: 1.4; Average response time: 10.00 seconds or greater: No. of transactions: 296,853; Percent: 0.5; Total: No. of transactions: 62,005,174; Percent: 100.0. Transaction month: September 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 60; Percent: 98.3; Average response time: 3.00 to 4.99 seconds: No. 
of transactions: 525,761; Percent: 0.9; Average response time: 5.00 to 9.99 seconds: No. of transactions: 368,796; Percent: 0.6; Average response time: 10.00 seconds or greater: No. of transactions: 157,610; Percent: 0.3; Total: No. of transactions: 61,816,134; Percent: 100.0. Transaction month: October 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 57; Percent: 99.0; Average response time: 3.00 to 4.99 seconds: No. of transactions: 122,630; Percent: 0.2; Average response time: 5.00 to 9.99 seconds: No. of transactions: 24,304; Percent: 0.0; Average response time: 10.00 seconds or greater: No. of transactions: 407,222; Percent: 0.7; Total: No. of transactions: 57,839,549; Percent: 100.0. Transaction month: November 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 54; Percent: 99.7; Average response time: 3.00 to 4.99 seconds: No. of transactions: 163,137; Percent: 0.3; Average response time: 5.00 to 9.99 seconds: No. of transactions: [Empty]; Percent: [Empty]; Average response time: 10.00 seconds or greater: No. of transactions: [Empty]; Percent: [Empty]; Total: No. of transactions: 54,490,041; Percent: 100.0. Transaction month: December 2011; Average response time: 0.00 to 2.99 seconds: No. of transactions: 56; Percent: 100.0; Average response time: 3.00 to 4.99 seconds: No. of transactions: [Empty]; Percent: [Empty]; Average response time: 5.00 to 9.99 seconds: No. of transactions: [Empty]; Percent: [Empty]; Average response time: 10.00 seconds or greater: No. of transactions: [Empty]; Percent: [Empty]; Total: No. of transactions: 56,269,671; Percent: 100.0. Transaction month: January 2012; Average response time: 0.00 to 2.99 seconds: No. of transactions: 64; Percent: 97.8; Average response time: 3.00 to 4.99 seconds: No. of transactions: 392,453; Percent: 0.6; Average response time: 5.00 to 9.99 seconds: No. of transactions: 296,591; Percent: 0.4; Average response time: 10.00 seconds or greater: No. 
of transactions: 773,699; Percent: 1.2; Total: No. of transactions: 65,968,034; Percent: 100.0. Transaction month: February 2012; Average response time: 0.00 to 2.99 seconds: No. of transactions: 62; Percent: 98.6; Average response time: 3.00 to 4.99 seconds: No. of transactions: 141,176; Percent: 0.2; Average response time: 5.00 to 9.99 seconds: No. of transactions: 491,744; Percent: 0.8; Average response time: 10.00 seconds or greater: No. of transactions: 242,493; Percent: 0.4; Total: No. of transactions: 63,232,557; Percent: 100.0. Transaction month: March 2012; Average response time: 0.00 to 2.99 seconds: No. of transactions: 65; Percent: 98.2; Average response time: 3.00 to 4.99 seconds: No. of transactions: 227,841; Percent: 0.3; Average response time: 5.00 to 9.99 seconds: No. of transactions: 278,055; Percent: 0.4; Average response time: 10.00 seconds or greater: No. of transactions: 718,378; Percent: 1.1; Total: No. of transactions: 66,683,643; Percent: 100.0. Transaction month: April 2012; Average response time: 0.00 to 2.99 seconds: No. of transactions: 61; Percent: 99.7; Average response time: 3.00 to 4.99 seconds: No. of transactions: 61,172; Percent: 0.1; Average response time: 5.00 to 9.99 seconds: No. of transactions: 24,596; Percent: 0.0; Average response time: 10.00 seconds or greater: No. of transactions: 88,177; Percent: 0.1; Total: No. of transactions: 61,989,780; Percent: 100.0. Transaction month: May 2012; Average response time: 0.00 to 2.99 seconds: No. of transactions: 62; Percent: 99.9; Average response time: 3.00 to 4.99 seconds: No. of transactions: [Empty]; Percent: [Empty]; Average response time: 5.00 to 9.99 seconds: No. of transactions: [Empty]; Percent: [Empty]; Average response time: 10.00 seconds or greater: No. of transactions: 93,673; Percent: 0.1; Total: No. of transactions: 63,065,751; Percent: 100.0. Transaction month: June 2012; Average response time: 0.00 to 2.99 seconds: No. 
of transactions: 60; Percent: 99.9; Average response time: 3.00 to 4.99 seconds: No. of transactions: [Empty]; Percent: [Empty]; Average response time: 5.00 to 9.99 seconds: No. of transactions: 50,534; Percent: 0.1; Average response time: 10.00 seconds or greater: No. of transactions: 8,499; Percent: 0.0; Total: No. of transactions: 60,255,164; Percent: 100.0. Source: GAO analysis of agency data. [End of table] [End of section] Appendix III: Comments from the Department of Health & Human Services: Department of Health & Human Services: Office of The Secretary: Assistant Secretary for Legislation: Washington, DC 20201: September 10 2012: Valerie C. Melvin, Director: Information Management and Technology Resources Issues: U.S. Government Accountability Office: 441 G Street NW: Washington, DC 20548: Dear Ms. Melvin: Attached are comments on the U.S. Government Accountability Office's (GAO) report entitled, "Health Information Technology: CMS Took Steps to Improve Its Beneficiary Eligibility Verification System" (GA0-12- 973). The Department appreciates the opportunity to review this report prior to publication. Sincerely, Signed by: Jim R. Esquea: Assistant Secretary for Legislation: Attachment: General Comments Of The Department Of Health And Human Services (HHS) On The Government Accountability Office's (GAO) Draft Report Entitled. "Health Information Technology: CMS Took Steps To Improve Its Beneficiary Eligibility Verification System" (GAO-12-973): The Department appreciates the opportunity to comment on this draft report. HHS is pleased that GAO confirmed CMS's success at correcting operational problems and improving the reliability of the HETS. HHS regrets the poor service that resulted from the operational problems in 2010 and early 2011. To prevent this in the future, CMS continues to take steps to maintain and improve the current performance of the system. [End of section] Appendix IV: GAO Contacts and Staff Acknowledgments: GAO Contacts: Valerie C. 
Melvin, (202) 512-6304 or melvinv@gao.gov:

Staff Acknowledgments:

In addition to the contacts named above, Teresa F. Tucker, Assistant Director; Tonia D. Brown; LaSherri Bush; Sharhonda Deloach; Rebecca Eyler; and Monica Perez-Nelson made key contributions to this report.

[End of section]

Footnotes:

[1] Pub. L. No. 104-191, Title II, Subtitle F, 110 Stat. 1936, 2021 (codified at 42 U.S.C. §§ 1320d-1320d-8). HIPAA required the adoption of uniform data interchange standards.

[2] 45 C.F.R. Part 162 sets out that HETS is the electronic data interchange standard for health care eligibility inquiry and response transactions.

[3] Pub. L. No. 104-191, Title II, Subtitle F, 110 Stat. 1936, 2021 (codified at 42 U.S.C. §§ 1320d-1320d-8). The HIPAA Privacy Rule was promulgated at 45 C.F.R. Part 160.

[4] Title 5 U.S.C. 552a.

[5] The provisions of the law established requirements for the implementation of standard transactions for the electronic transmission of certain health information, including patients' eligibility to receive health care services and supplies covered by Medicare.

[6] An extranet is a computer network that allows controlled access from outside an organization's intranet, usually by partners, vendors, and suppliers, in isolation from all other internet users. The CMS extranet is a secure closed private network used for transmission of electronic transactions between CMS and Medicare contractors, providers, or clearinghouses.

[7] The Administrative Simplification provisions of HIPAA provided for the establishment of national standards for the electronic transmission of certain health information, such as standards for certain health care transactions conducted electronically and code sets and unique health care identifiers for health care providers and employers.

[8] In June 2006, CMS began pilot testing an internet-based user interface system for providers who check Medicare eligibility infrequently. However, an official representing the HETS system owners stated that the HETS User Interface service will likely not continue beyond the pilot initiative, and will probably end in the next 2 years because of the Medicare Administrative Contractors' expansion of Internet services.

[9] Health care clearinghouses are public or private entities, such as billing services, community health information systems, and "value-added" networks and switches, that process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

[10] The Medicare Prescription Drug, Improvement and Modernization Act of 2003 required CMS to implement Medicare contracting reform. The act required CMS to select new contracting entities to process medical claims, Medicare Administrative Contractors (MACs).

[11] CMS contracts four vendors to provide this service. Users select one of the four to connect with the CMS extranet.

[12] The Privacy Act defines a "system of records" as a group of records under the control of any agency that contains information about an individual and from which information is retrieved by the name of the individual or other personal identifier.

[13] Protected health information is individually identifiable health information that is transmitted or maintained in any form or medium, and in this report it is used interchangeably with individually identifiable health information.

[14] Covered entities are defined under regulations implementing HIPAA as health plans that provide or pay for the medical care of individuals, health care providers that electronically transmit health information in connection with transactions covered by the regulations, and health care clearinghouses that receive health information from other entities and process or facilitate the processing of that information into standard or nonstandard format for those entities (45 C.F.R. § 160.103).

[15] Pub. L. No. 104-191, Title II, Subtitle F, 110 Stat. 1936, 2021 (codified at 42 U.S.C. §§ 1320d-1320d-8). The HIPAA Privacy and Security Rules were promulgated at 45 C.F.R. Parts 160 and 164.

[16] There are exceptions to the "minimum necessary" requirement of the Privacy Rule for certain disclosures for treatment and uses and disclosures required by law.

[17] E-Government Act of 2002, Pub. L. No. 107-347, Dec. 17, 2002, codified at 44 U.S.C. § 3501 note.

[18] Within these 244 entities, multiple individuals initiate HETS inquiry transactions. The HETS system reports identify the entities that submit transactions but not individual users.

[19] The HETS system owners stated that the agency does not maintain statistics on the number of beneficiaries queried because they have not seen a need to collect this information.

[20] The Common Working File is a data source used by fiscal intermediaries and carriers to verify beneficiary eligibility and conduct prepayment review and approval of claims from a national perspective. However, CMS is in the process of terminating the use of this system for beneficiary eligibility verifications and is migrating these users to HETS for eligibility inquiries. According to program officials, CMS is taking this action because the Common Working File was developed prior to the enactment of HIPAA and was not intended for a HIPAA-compliant environment. As such, the system does not conduct beneficiary eligibility transactions that are compliant with the standards and formats defined by HIPAA or one of the HIPAA rules.

[21] In batch processing mode, transactions are accumulated throughout a time period, then transmitted at the end of a time period or when a certain number of transactions is reached. Transactions are then submitted together in a "batch." Real-time transactions are submitted and processed one at a time as they occur.

[22] The National Provider Identifier is a unique identification number for covered health care providers who, along with all health plans and health care clearinghouses, must use them in the administrative and financial transactions adopted under HIPAA. Covered providers must also share their National Provider Identifier with other providers, health plans, clearinghouses, and any entity that may need it for billing purposes.

[23] The HHS Office of Inspector General List of Excluded Individuals and Entities includes all individuals and entities currently excluded from participating in federally funded health care programs including Medicare and Medicaid. Exclusions are imposed for a number of reasons including: (1) Medicare or Medicaid fraud, as well as any other offenses related to the delivery of items or services under Medicare, Medicaid, the Children's Health Insurance Program, or other state health care programs; (2) patient abuse or neglect; (3) felony convictions for other health care-related fraud, theft, or other financial misconduct; and (4) felony convictions relating to unlawful manufacture, distribution, prescription, or dispensing of controlled substances.
The General Services Administration's Excluded Parties List System includes information on entities debarred, suspended, proposed for debarment, excluded, or disqualified by federal government agencies from receiving federal contracts or federally approved subcontracts and from certain types of federal financial and nonfinancial assistance and benefits.

[24] While there may be many individual users within each provider, supplier, clearinghouse, and Medicare Administrative Contractors organization who access HETS, we refer to the organizations themselves as the "users."

[25] OMB, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, Memorandum, M-03-22 (Washington, D.C.: Sept. 26, 2003).

[26] GAO, OPM Should Better Monitor Implementation of Privacy-Related Policies and Procedures for Background Investigations, [hyperlink, http://www.gao.gov/products/GAO-10-849/] (Washington, D.C.: September 2010).

[End of section]
[End of document]