Testimonies
STATEMENT OF MIKE HASH, DEPUTY ADMINISTRATOR
HEALTH CARE FINANCING ADMINISTRATION
BEFORE THE HOUSE WAYS AND MEANS HEALTH SUBCOMMITTEE
ON PROTECTING BENEFICIARY PRIVACY

Chairman Thomas, Congressman Stark, distinguished Subcommittee members, thank you for inviting us to testify about our efforts to improve protections for personally identifiable beneficiary information. No Administration has been more committed to protecting medical privacy. President Clinton and Vice President Gore have both spoken about the paramount importance of medical records privacy.

We provide much greater protection for sensitive information than does the private sector. We strive to continually enhance our protections. And we greatly appreciate the evaluations and advice of the HHS Inspector General (IG) and the General Accounting Office (GAO) in this regard.

As the GAO recently confirmed, personally identifiable information on Medicare beneficiaries is essential to the operation of the Medicare program. We need it to:
Medicare data are also an invaluable asset in efforts to improve care and coverage for beneficiaries by our research colleagues at the National Institutes for Health, the Agency for Health Care Policy and Research, and other scientific investigators and policy analysts.

It is equally essential that we protect the sensitive beneficiary information with which we are entrusted, and that we clearly inform beneficiaries of how information about them is used in accordance with the Privacy Act. Whenever concerns are raised about privacy, we take immediate action to address them.

For example, when Vice President Gore and members of Congress identified potential problems with our home health patient Outcome and Assessment Information Set (OASIS) earlier this year, we halted implementation, conducted a thorough review, and made important modifications to ensure that only essential information would be collected, that it would be properly protected, that disclosures would be limited to the minimum necessary to carry out HCFA's mission, and that beneficiaries would be fully informed on why it is being collected and how it will be used.

Because protecting beneficiary information is essential to our mission, we are taking several new steps to strengthen our efforts.
CONFIDENTIALITY BOARD

We have established a new Beneficiary Confidentiality Board to coordinate and consolidate privacy policies and ensure that we do not collect or disseminate more information than is absolutely necessary. The Board is led by the Director of the Center for Beneficiary Services and includes senior executives from all Agency components that have a direct stake in privacy and confidentiality, including the Center for Medicaid and State Organizations, the Center for Health Plans and Providers, the Office of Clinical Standards and Quality, the Office of Strategic Planning, the Program Integrity Group, the Office of Information Services, the Office of the Actuary, and Regional Office representatives. Core responsibilities include:
This will help ensure a central focal point for privacy issues and accountability across all aspects of Agency business.

BENEFICIARY NOTICES

Beneficiaries need to know and understand why personally identifiable information is collected and how it is used. This is both a legal requirement and an ethical obligation. There are many different notices to beneficiaries about why information is collected and how it is used.

Some, including the newest notice for OASIS, have been carefully crafted to ensure that they are clear and comprehensive. However, we agree with the GAO that some of the earlier beneficiary notices do not meet the Privacy Act requirements to inform beneficiaries about:
Earlier this year, we began a systematic review of all beneficiary privacy notices, rewriting them as necessary, to ensure that they provide full disclosure in plain language.

TRACKING DATA RELEASES

The Privacy Act stipulates that beneficiaries are entitled to know, upon request, any and all instances in which identifiable information about them has been shared. We have never had such a request, but have realized that complying with one would be extraordinarily labor intensive with our current information systems. It also is currently difficult to provide data on our Privacy Act compliance to the Office of Management and Budget (OMB) for its oversight responsibilities.

We are now working to fully define the requirements for information systems that will ensure full compliance with OMB and Privacy Act requirements. Implementing these systems is a top information technology priority once we have cleared the Year 2000 hurdle. In the interim, we have increased our surveillance of these requests and are improving our existing tracking systems to align them more fully with OMB requirements.

DATA USE OVERSIGHT

The data files we maintain are an invaluable asset to medical and health policy researchers in their efforts to improve beneficiary care and coverage. For example:
The Privacy Act does allow for sharing data with researchers as long as their work promotes the Agency's mission, is compatible with the purpose for which the information was collected, and proper privacy protections are in place.

Many research needs are met by "public use files" that we readily make available, and from which any data that could identify individual beneficiaries is removed, including information that could be used to deduce an individual beneficiary's identity. Additional research needs are met by encrypted data files in which data elements that explicitly identify individuals (such as names, claim numbers, physician numbers, service dates, and date of birth) are either removed, encrypted, or stated as a range (of dates, for example). Some data elements remain in these files that could possibly be linked with other information to deduce a specific individual's identity. Finally, there are some valid research endeavors for which individually identifiable information is essential.

For all research requests, we conduct a careful review to ensure that any disclosure of information is allowed under the Privacy Act. For research projects outside of HHS, or not funded by HHS, we conduct another careful level of review to ensure that the request is for the bare minimum of information that is essential to a given research project, and that the project has scientific merit and sound research methodology. We are also diligent in making clear to researchers how data that could be used to identify individual beneficiaries must be protected.
When proper criteria are met, we develop data use agreements that contain explicit protections covering the release and use of data. These agreements also specify that the user must contact us within 30 days of completion of the approved project for instructions on whether to return all data files to us or to destroy such data and execute an attestation to certify the destruction. We have taken swift action to address the rare situations that we are aware of in which researchers have not fully complied with Privacy Act requirements and our data use agreements to clarify their responsibilities to protect beneficiary confidentiality.

We are now increasing efforts to verify that researchers have in fact complied with their data use agreements to protect data and dispose of it properly once projects are completed. We expect to reduce our backlog in half by the end of this fiscal year. We also look forward to working with the GAO and other experts to develop more systematic ways to proactively assure compliance with data use agreements so we can prevent problems before potential security breaches occur.

SYSTEMS SECURITY

We are also working to improve security in electronic data processing. We have introduced a systems security initiative to aggressively address vulnerabilities found through the Inspector General's and our own reviews. Our goal is to be able to maintain the tightest possible security as the business environment in which we operate changes, and to integrate security into every aspect of our information technology management activities.
One of the first things our new Chief Information Officer, Gary Christoph, did when he came on board was to hire outside experts to search out security weaknesses in our systems so we could proactively address them. We also have acquired new technology, beefed up staff training, conducted our own risk assessments and internal audits, and enhanced procedures for guarding access to sensitive systems. However, there are no silver bullets, and vigilance here must be constant given the ever changing nature of technology and evolution of new risks.

As we clear the Year 2000 hurdle and its demand on our systems, we will be able to increase our security even more through our comprehensive security initiative. We are now in the process of developing the protocols to systematically monitor the systems security of our claims processing contractors. The new evaluation process will specifically assess administrative, technical, and physical protection measures to protect beneficiary privacy.

We also have recently restructured our contractor oversight operations and initiated a new contractor evaluation process which will incorporate the security review findings and improve our overall management of the contractors. In addition, the Administration has proposed comprehensive contracting reform legislation that will bring Medicare contracting authority in line with standard Federal government contracting procedures and make it easier for us to terminate contractors if we find they are not providing adequate privacy protections.

We will continue to use the annual Inspector General CFO audits as an opportunity to identify threats to the integrity of our data systems and to ensure that we address vulnerabilities in a timely manner. We also are carrying out activities required by the Presidential Decision Directive 63, as well as security requirements in the Health Insurance Portability and Accountability Act, which will further strengthen our security protections.
CONCLUSION

The new steps we are taking can only strengthen our solid track record of protecting confidential beneficiary information. Our new Beneficiary Confidentiality Board, in particular, will provide an overarching executive-level focus on our obligation to remain ever vigilant. We encourage the IG, GAO, and others to also be vigilant in raising and helping us to address any concerns about protections for sensitive information. And we remain committed to swiftly and effectively addressing any related issues or breaches that might arise. I thank you again for holding this hearing, and I am happy to answer any questions you might have.