Medicare: Improvements Needed to Enhance Protection of Confidential Health Information

HEHS-99-140 Published: Jul 20, 1999. Publicly Released: Jul 20, 1999.

Highlights

Pursuant to a congressional request, GAO reviewed four areas related to the Health Care Financing Administration's (HCFA) use of personally identifiable health information, focusing on: (1) HCFA's need for personally identifiable health information to manage the Medicare program and accomplish other purposes; (2) HCFA's policies and practices regarding disclosure of information on Medicare beneficiaries; (3) the adequacy of HCFA's safeguards for protecting the confidentiality of electronic information and HCFA's monitoring of others' protection of beneficiary information; and (4) the effect on HCFA of state restrictions on the disclosure of confidential health information.

Recommendations

Recommendations for Executive Action

Agency Affected: Health Care Financing Administration
Recommendation: To improve HCFA's protection of the confidentiality of personally identifiable Medicare beneficiary information, the Administrator, HCFA, should correct the vulnerabilities identified in its information management systems by the Office of the Inspector General.
Status: Closed – Not Implemented
Comments: In fiscal year (FY) 2002, CMS made progress in addressing weaknesses in its automated processing systems. However, the FY 2002 OIG CFO review of Medicare information systems controls continued to find weaknesses in general and application controls at Medicare contractors, data centers, entities sharing system software, and the CMS central office. Although no individual weakness was determined to be material, taken together these vulnerabilities were deemed a material weakness. GAO is closing this recommendation, but believes continued efforts are needed to address this issue.

Agency Affected: Health Care Financing Administration
Recommendation: To improve HCFA's protection of the confidentiality of personally identifiable Medicare beneficiary information, the Administrator, HCFA, should systematically monitor contractors' safeguards for protecting confidential information.
Status: Closed – Implemented
Comments: The fiscal year (FY) 2002 OIG CFO audit identified weaknesses at Medicare contractors in a variety of general controls. The access control weaknesses, including configuration of access control software, procedures for reviewing suspected access violations, consistency of security controls, and physical access to data centers, were reported to "represent a significant risk to the Medicare program." In late FY 2002, CMS provided funding to Medicare contractors to address gaps in access controls. Also, in revisions to the Medicare Manual System dated February 7, 2003, CMS added a control objective requiring contractors to perform certain regularly scheduled processes needed to minimize the impact of threats to data, facilities, or equipment.

Agency Affected: Health Care Financing Administration
Recommendation: To improve HCFA's protection of the confidentiality of personally identifiable Medicare beneficiary information, the Administrator, HCFA, should develop a system to routinely monitor other organizations that have received personally identifiable information on Medicare beneficiaries to help ensure that information is used only as approved and to identify instances of misuse.
Status: Closed – Implemented
Comments: CMS maintains a process for ensuring compliance with the terms for closing out data use agreements (DUA). Upon completion of the project and/or expiration of the DUA, the data must be returned to CMS or destroyed, and a statement certifying this action sent to CMS. The Division of Privacy Compliance Data Development contacts each requestor prior to the DUA expiration date to obtain a letter on the organization's letterhead certifying that no data are retained when the file(s) are returned or destroyed or, if the project is still active, to grant an extension of the requestor's DUA. The CMS Privacy Officer reported that, to date, no violations of DUA provisions for protection of Medicare data set files have been identified.

Agency Affected: Health Care Financing Administration
Recommendation: To improve HCFA's protection of the confidentiality of personally identifiable Medicare beneficiary information, the Administrator, HCFA, should ensure that all agency Privacy Act notifications convey the information required by the Act in a manner that is clear and informative to beneficiaries.
Status: Closed – Implemented
Comments: The HIPAA Privacy Rule requires each covered entity to develop and provide a plain-language notice that describes its legal duties, the uses and disclosures of protected health information that it may make, and individuals' rights and how to exercise them. CMS developed a Notice of Privacy Practices, effective April 14, 2003, for Medicare beneficiaries. Medicare's privacy notice was provided to beneficiaries for the first time in the 2003 Medicare & You handbook, which was mailed beginning in October 2002.

Agency Affected: Health Care Financing Administration
Recommendation: To improve HCFA's protection of the confidentiality of personally identifiable Medicare beneficiary information, the Administrator, HCFA, should implement a system that would permit HCFA to respond in a timely fashion to beneficiary inquiries about the disclosure of their information to others outside HCFA, as well as to provide information on Privacy Act activities to OMB and others.
Status: Closed – Implemented
Comments: In general, the Privacy Rule gives beneficiaries the right to receive an accounting of certain disclosures of protected health information made by CMS. Exceptions to this accounting requirement include disclosures of a limited data set to researchers under a data use agreement. For disclosures of protected health information for research purposes made without the beneficiary's authorization and involving at least 50 records, CMS may instead provide individuals with a list of all protocols for which their protected health information may have been disclosed, together with the researcher's name and contact information.

Topics

Beneficiaries; Safeguards; Computer security; Confidential communications; State relations; Health care programs; Health insurance; Internal controls; Medical records; Medicare; Privacy law; Reporting requirements