Medicare

HCFA Needs to Better Protect Beneficiaries' Confidential Health Information

GAO ID: T-HEHS-99-172
July 20, 1999

The Health Care Financing Administration (HCFA) collects and maintains personally identifiable health information on its 39 million Medicare beneficiaries for paying claims, determining eligibility, reviewing care, and performing research that helps improve Medicare. Under the Privacy Act of 1974, HCFA may disclose this information to other agencies, but confidentiality is compromised by HCFA's and its contractors' management of electronic information and its inability to prevent unauthorized disclosures or uses and to correct them in a timely way. HCFA also cannot readily provide beneficiaries with an accounting of the disclosures it makes and does not always clearly inform them of its purpose in disclosing information as required by the Privacy Act. It does not adequately provide oversight agencies such as the Office of Management and Budget with complete information on its Privacy Act activities. Also, HCFA's policy of allowing the states to withhold sensitive health information could adversely affect its ability to set rates, monitor quality, and conduct or support health-related research. GAO recommends ways HCFA can improve its protection of confidential information. This testimony summarizes the July 1999 report, GAO/HEHS-99-140.

GAO noted that:

(1) personally identifiable information on Medicare beneficiaries is vital to the operation of the Medicare program, and that HCFA can disclose such information to other organizations consistent with provisions of the Privacy Act;

(2) HCFA has policies and procedures for evaluating requests for disclosure of personally identifiable health information, but HCFA's confidentiality practices have a number of weaknesses;

(3) these weaknesses include HCFA's inability to easily provide beneficiaries with an accounting of disclosures made of their personal information and failure to always give them clear notification of the purposes for which their personal information may be disclosed outside of HCFA as required by the Privacy Act;

(4) although few complaints of violations have been reported to date, the Department of Health and Human Services Office of the Inspector General also continues to report vulnerabilities in HCFA's safeguards for confidentiality of electronic information;

(5) these vulnerabilities could lead to unauthorized individuals reading, disclosing, or altering confidential information;

(6) potential conflicts exist between HCFA and state laws regarding the disclosure of sensitive health information;

(7) to date, conflicts have been minimal and the administration of Medicare has not been hindered, according to HCFA officials, because all states permit release of information for health care treatment and payment; and

(8) however, if the same data elements were not available from all states, it might compromise HCFA's ability to conduct research and analysis to improve Medicare policies.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.