Medicare: Improvements Needed to Enhance Protection of Confidential Health Information
GAO ID: HEHS-99-140, July 20, 1999
To determine eligibility for Medicare, pay claims, review health care access, and for other purposes, the Health Care Financing Administration (HCFA) collects personally identifiable information on 39 million Medicare beneficiaries. It may disclose such information without their consent for research or authorized civil and criminal enforcement activities, but it tries to balance requesters' need for data against beneficiaries' need for confidentiality. HCFA's policies and practices on disclosure are generally consistent with the Privacy Act of 1974. However, HCFA does not readily or clearly provide beneficiaries with an accounting of its disclosures or their purposes, as required by the act. It also does not adequately provide oversight agencies, such as the Office of Management and Budget, with information on its Privacy Act activities. Weaknesses in how HCFA manages electronic data, monitors contractors and researchers who use beneficiaries' personally identifiable information, and prevents and corrects unauthorized disclosures could compromise confidentiality. HCFA's policy of respecting state laws on sensitive health information that are more restrictive than federal requirements has not prevented it from paying claims, but it could affect its ability to set rates, monitor quality, and conduct or support health-related research. HCFA has addressed some of these issues by establishing an executive Beneficiary Confidentiality Board and directing resources toward resolving the Year 2000 computer problem.
GAO noted that: (1) to carry out its legislated responsibilities, HCFA needs to collect and maintain personally identifiable health information on its 39 million Medicare beneficiaries; (2) HCFA also uses this information in essential research activities that can lead to improvements in rate-setting, services provided, and quality of care; (3) HCFA's policies and practices regarding disclosure of personally identifiable health information are generally consistent with the provisions of the Privacy Act of 1974; (4) in accordance with the Privacy Act, when determining whether to disclose information, HCFA officials attempt to balance the information needs of data requestors against the confidentiality of personally identifiable health information; (5) HCFA screens requests for personally identifiable information on Medicare beneficiaries from non-HCFA researchers more thoroughly than requests from HCFA staff who need the data to conduct the agency's business; (6) however, GAO found that HCFA cannot readily provide beneficiaries with an accounting of the disclosures it makes, a capability called for by the Privacy Act; (7) moreover, HCFA has not adequately provided oversight agencies such as the Office of Management and Budget (OMB) with complete information on its Privacy Act activities; (8) HCFA does not always clearly inform Medicare beneficiaries of the purposes for which their information may be disclosed to other organizations, as required by the Privacy Act; (9) to address these issues, HCFA has established a new executive confidentiality board and initiated a number of actions in response to January 1999 OMB guidance directing all agencies to review their information practices for compliance with the Privacy Act; (10) although few complaints about Privacy Act violations have been made to date, weaknesses in the implementation of HCFA's policies could potentially compromise the confidentiality of health information on Medicare beneficiaries; (11) because HCFA does not routinely monitor contractors and others, such as researchers, who use personally identifiable Medicare information, its ability to prevent unauthorized disclosures or uses, and to take timely corrective action for any that occur, is not assured; (12) some states prohibit the disclosure of sensitive health-related information except for specified purposes; and (13) HCFA officials said that HCFA's policy is to respect state laws regarding sensitive health information that are more restrictive than federal requirements.
Recommendations
Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.