This is an archive page. The links are no longer being updated.

Statement on Protecting Beneficiary Privacy by Mike Hash
Deputy Administrator, Health Care Financing Administration
U.S. Department of Health and Human Services

Chairman Thomas, Congressman Stark, distinguished Subcommittee members, thank you for inviting us to testify about our efforts to improve protections for personally identifiable beneficiary information. No Administration has been more committed to protecting medical privacy. President Clinton and Vice President Gore have both spoken about the paramount importance of medical records privacy.

We provide much greater protection for sensitive information than does the private sector. We strive to continually enhance our protections. And we greatly appreciate the evaluations and advice of the HHS Inspector General (IG) and the General Accounting Office (GAO) in this regard.

As the GAO recently confirmed, personally identifiable information on Medicare beneficiaries is essential to the operation of the Medicare program. We need it to:

• make accurate payments in fee-for-service and to risk adjust Medicare+Choice payments so they take into account individual beneficiaries health status and curtail the disincentive for plans to enroll sicker beneficiaries;
• conduct medical reviews and conduct other activities essential to fighting fraud, waste and abuse;
• coordinate benefits and ensure that we do not pay claims for which other insurers are responsible;
• project spending trends and accurately determine premium amounts;
• develop and refine policy to ensure proper coverage and payment;
• assess and improve quality and access to care, for example by monitoring and then working to increase the number of beneficiaries receiving an influenza vaccination; and,
• be responsive to individual beneficiary inquiries about coverage and payment.

Medicare data are also an invaluable asset in efforts to improve care and coverage for beneficiaries by our research colleagues at the National Institutes for Health, the Agency for Health Care Policy and Research, and other scientific investigators and policy analysts.

It is equally essential that we protect the sensitive beneficiary information with which we are entrusted, and that we clearly inform beneficiaries of how information about them is used in accordance with the Privacy Act. Whenever concerns are raised about privacy, we take immediate action to address them.

For example, when Vice President Gore and members of Congress identified potential problems with our home health patient Outcome and Assessment Information Set (OASIS) earlier this year, we halted implementation, conducted a thorough review, and made important modifications to ensure that only essential information would be collected, that it would be properly protected, that disclosures would be limited to the minimum necessary to carry out HCFA's mission, and that beneficiaries would be fully informed on why it is being collected and how it will be used.

Because protecting beneficiary information is essential to our mission, we are taking several new steps to strengthen our efforts.

• We have established a new Beneficiary Confidentiality Board to provide Executive leadership in all aspects of privacy protection.
• We are reviewing all beneficiary notices to ensure that they fully disclose in plain language how data are used.
• We are designing new systems that will easily track when and where data are shared.
• We are increasing efforts to ensure that researchers and Medicare contractors have properly protected data.
• And we have introduced a systems security initiative to aggressively address vulnerabilities found through the Inspector General's and our own reviews.

CONFIDENTIALITY BOARD

We have established a new Beneficiary Confidentiality Board to coordinate and consolidate privacy policies and ensure that we do not collect or disseminate more information than is absolutely necessary. The Board is led by the Director of the Center for Beneficiary Services and includes senior Executive s from all Agency components that have a direct stake in privacy and confidentiality, including the Center for Medicaid and State Organizations, the Center for Health Plans and Providers, the Office of Clinical Standards and Quality, the Office of Strategic Planning, the Program Integrity Group, the Office of Information Services, the Office of the Actuary, and Regional Office representatives. Core responsibilities include:

• establishing strategic goals, overarching policies, and objectives for protecting data;
• establishing, coordinating, and issuing all policy decisions on privacy and confidentiality;
• assuring implementation and enforcement of guiding principles for Agency-wide strategic goals and objectives;
• providing Executive oversight of compliance with all privacy and confidentiality statutory and regulatory requirements, and assuring that beneficiary protections are enforced;
• reviewing all current operations with regard to systems of records and beneficiary protections to assure that strategic goals and objectives and guiding principles are in place and effective at all levels, including contractors to sub-contractors;
• evaluating legislative proposals involving the collection, use, and disclosure of personal information by any entity, public or private, for consistency with legal standards and our guiding principles;
• assuring that use of new information technologies sustains protections of information that directly identifies an individual or from which an individual=s identity can be deduced;
• assuring that personal information contained in our systems of records are handled in full compliance with fair information practices as set out in the Privacy Act; and,
• serving as a senior-level forum for the discussion and resolution of key strategic issues affecting HCFA's privacy and confidentiality policies and implementation strategies.

This will help ensure a central focal point for privacy issues and accountability across all aspects of Agency business.

BENEFICIARY NOTICES

Beneficiaries need to know and understand why personally identifiable information is collected and how it is used. This is both a legal requirement and an ethical obligation. There are many different notices to beneficiaries about why information is collected and how it is used.

Some, including the newest notice for OASIS, has been carefully crafted to ensure that it is clear and comprehensive. However, we agree with the GAO that some of the earlier beneficiary notices do not meet the Privacy Act requirements to inform beneficiaries about:

• the authority under which we are collecting information;
• the principal purpose for which it will be used;
• the routine uses for which it may be used; and
• whether the individual is required to supply the information and what the consequences are if the individual does not supply the information.

Earlier this year, we began a systematic review of all beneficiary privacy notices, rewriting them as necessary, to ensure that they provide full disclosure in plain language.

TRACKING DATA RELEASES

The Privacy Act stipulates that beneficiaries are entitled to know, upon request, any and all instances in which identifiable information about them has been shared. We have never had such a request, but have realized that complying with one would be extraordinarily labor intensive with our current information systems. It also is currently difficult to provide data on our Privacy Act compliance to the Office of Management and Budget (OMB) for its oversight responsibilities.

We are now working to fully define the requirements for information systems that will ensure full compliance with OMB and Privacy Act requirements. Implementing these systems is a top information technology priority once we have cleared the Year 2000 hurdle. In the interim, we have increased our surveillance of these requests and are improving our existing tracking systems to align them more fully with OMB requirements.

DATA USE OVERSIGHT

The data files we maintain are an invaluable asset to medical and health policy researchers in their efforts to improve beneficiary care and coverage. For example:

• we are able to share the extensive information we have on beneficiaries with end-stage renal disease directly with National Institute of Health scientists that they can use to study and improve treatment;
• the Agency for Health Care Policy and Research Patient Outcome Research Teams rely upon this beneficiary information to develop new insights on the treatment of the most frequent medical conditions affecting the elderly; and,
• the data files are also critical to investigators under contract to us for evaluation and development of payment, coverage and treatment policies.

The Privacy Act does allow for sharing data with researchers as long as their work promotes the Agency's mission, is compatible with the purpose for which the information was collected, and proper privacy protections are in place.

Many research needs are met by "public use files@ that we readily make available, and from which any data that could identify individual beneficiaries is removed, including information that could be used to deduce an individual beneficiary's identity. Additional research needs are met by encrypted data files in which data elements that explicitly identify individuals (such as names, claim numbers, physician numbers, service dates, and date of birth) are either removed, encrypted, or stated as a range (of dates, for example). Some data elements remain in these files that could possibly be linked with other information to a deduce specific individual's identity. Finally, there are some valid research endeavors for which individually identifiable information is essential.

For all research requests, we conduct a careful review to ensure that any disclosure of information is allowed under the Privacy Act. For research projects outside of HHS, or not funded by HHS, we conduct another careful level of review to ensure that the request is for the bare minimum of information that is essential to a given research project, and that the project has scientific merit and sound research methodology. We are also diligent in making clear to researchers how data that could be used to identify individual beneficiaries must be protected.

When proper criteria are met, we develop data use agreements that contain explicit protections covering the release and use of data. These agreements also specify that the user must contact us within 30 days of completion of the approved project for instructions on whether to return all data files to us or to destroy such data and execute an attestation to certify the destruction. We have taken swift action to address the rare situations that we are aware of in which researchers have not fully complied with Privacy Act requirements and our data use agreements to clarify their responsibilities to protect beneficiary confidentiality.

We are now increasing efforts to verify that researchers have in fact complied with their data use agreements to protect data and dispose of it properly once projects are completed. We expect to reduce our backlog in half by the end of this fiscal year. We also look forward to working with the GAO and other experts to develop more systematic ways to proactively assure compliance with data use agreements so we can prevent problems before potential security breaches occur.

SYSTEMS SECURITY

We are also working to improve security in electronic data processing. We have introduced a systems security initiative to aggressively address vulnerabilities found through the Inspector General's and our own reviews. Our goal is to be able to maintain the tightest possible security as the business environment in which we operate changes, and to integrate security into every aspect of our information technology management activities.

One of the first things our new Chief Information Officer, Gary Christoph, did when he came on board was to hire outside experts to search out security weaknesses in our systems so we could proactively address them. We also have acquired new technology, beefed up staff training, conducted our own risk assessments and internal audits, and enhanced procedures for guarding access to sensitive systems. However, there are no silver bullets, and vigilance here must be constant given the ever changing nature of technology and evolution of new risks.

As we clear the Year 2000 hurdle and its demand on our systems, we will be able to increase our security even more through our comprehensive security initiative. We are now in the process of developing the protocols to systematically monitor the systems security of our claims processing contractors. The new evaluation process will specifically assess administrative, technical, and physical protection measures to protect beneficiary privacy.

We also have recently restructured our contractor oversight operations and initiated a new contractor evaluation process which will incorporate the security review findings and improve our overall management of the contractors. In addition, the Administration has proposed comprehensive contrActing reform legislation that will bring Medicare contrActing authority in line with standard Federal government contrActing procedures and make it easier for us to terminate contractors if we find they are not providing adequate privacy protections.

We will continue to use the annual Inspector General CFO audits as an opportunity to identify threats to the integrity of our data systems and to ensure that we address vulnerabilities in a timely manner. We also are carrying out activities required by the Presidential Decision Directive 63, as well as security requirements in the Health Insurance Portability and Accountability Act, which will further strengthen our security protections.

CONCLUSION