CMS should tighten privacy of health data held by contractors

The Government Accountability Office says the Centers for Medicare and Medicaid Services should apply the same notification requirements for privacy breaches to its state Medicaid agencies and more recent Medicare contractors as it applies to its traditional Medicare contractors and the Defense Department applies to its military health contractors.

Standard notification requirements will ease some concerns about the vulnerability of improper disclosure of personal health information by subcontractors, some of whom are located in other countries, GAO said in a report this week.

In a survey of almost 400 federal contractors and state Medicaid agencies, 40 percent reported a recent privacy breach, within the past two years, involving personal health information. The data may include medical diagnosis and treatment records and patient identifiers, such as name, address, date of birth and Social Security number.

DOD's Tricare management requires contractors to report monthly on privacy breaches and follow up with contractors that report recurring lapses in privacy. CMS, an agency of the Health and Human Services Department, requires its Medicare fee-for-service contractors to report privacy breaches within 30 days of discovery. Medicare fee-for-service contractors bill Medicare for services to seniors, while Medicare Advantage contractors receive a monthly set payment for each enrollee for all covered services they provide.

CMS, however, lacks oversight for privacy breaches of personal health information that state Medicaid agencies and Medicare Advantage contractors hold.

Contractors play a lead role in administering three of the largest public health insurance programs'Medicare, Medicaid and Tricare. They enroll individuals, process claims for payment and operate call centers to assist enrollees. Contractors often outsource some activities to domestic and offshore organizations, and CMS may not be aware of it.

'The actual prevalence of offshore outsourcing by domestic vendors may be greater than reported, as many federal contractors and state Medicaid agencies did not know whether their domestic vendors further transferred personal health information,' said Leslie Aronovitz, GAO's director of health care, in its report.

Most offshore outsourcing occurs as a result of a domestic contractor using a subsidiary or affiliated entity in another country for services that include transferring personal health information. For example, a Medicare Advantage contractor uses its subsidiary in India to perform claims data entry services. The overwhelming majority of offshore outsourcing went to India, with Ghana second in its survey of federal health contractors, GAO said.

CMS said it had already taken steps to obtain information on privacy breaches from its Medicare Advantage contractors, including a memo that requires them to notify CMS of personal health data breaches, said CMS administrator Mark McClellan in a response last month.

CMS is developing specific instructions for how its regional and central office staff should respond to reports of privacy breaches. The HHS Office of Inspector General will assist in assessing the adequacy of the contractors' systems for securing personal health information.

CMS also sent privacy reminder notices to Medicare fee-for-service contractors. The agency will add language to new contracts that require written CMS approval before performing work offshore. The revised language will take effect over the next several years as current contracts are competed and awarded.

Contract provisions that specify vendors' responsibilities for maintaining personal information safeguards, circumstances under which personal information may be disclosed and rules for subcontracting are critical, GAO said. Agencies should focus monitoring on the vendors that handle the most sensitive and largest volume of personal data or have the highest risk for privacy breaches.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group