Chairman Thomas, Congressman Stark, distinguished Subcommittee members, thank you for
inviting us to testify about our efforts to improve protections for personally
identifiable beneficiary information. No Administration has been more committed to
protecting medical privacy. President Clinton and Vice President Gore have both spoken
about the paramount importance of medical records privacy.
We provide much greater protection for sensitive information than does the private
sector. We strive to continually enhance our protections. And we greatly appreciate the
evaluations and advice of the HHS Inspector General (IG) and the General Accounting Office
(GAO) in this regard.
As the GAO recently confirmed, personally identifiable information on Medicare
beneficiaries is essential to the operation of the Medicare program. We need it to:
- make accurate payments in fee-for-service and to risk adjust Medicare+Choice payments so
they take into account individual beneficiaries health status and curtail the disincentive
for plans to enroll sicker beneficiaries;
- conduct medical reviews and conduct other activities essential to fighting fraud, waste
- coordinate benefits and ensure that we do not pay claims for which other insurers are
- project spending trends and accurately determine premium amounts;
- develop and refine policy to ensure proper coverage and payment;
- assess and improve quality and access to care, for example by monitoring and then
working to increase the number of beneficiaries receiving an influenza vaccination; and,
- be responsive to individual beneficiary inquiries about coverage and payment.
Medicare data are also an invaluable asset in efforts to improve care and coverage for
beneficiaries by our research colleagues at the National Institutes for Health, the Agency
for Health Care Policy and Research, and other scientific investigators and policy
It is equally essential that we protect the sensitive beneficiary information with
which we are entrusted, and that we clearly inform beneficiaries of how information about
them is used in accordance with the Privacy Act. Whenever concerns are raised about
privacy, we take immediate action to address them.
For example, when Vice President Gore and members of Congress identified potential
problems with our home health patient Outcome and Assessment Information Set (OASIS)
earlier this year, we halted implementation, conducted a thorough review, and made
important modifications to ensure that only essential information would be collected, that
it would be properly protected, that disclosures would be limited to the minimum necessary
to carry out HCFA's mission, and that
beneficiaries would be fully informed on why it is being collected and how it will be
Because protecting beneficiary information is essential to our mission, we are taking
several new steps to strengthen our efforts.
- We have established a new Beneficiary Confidentiality Board to provide Executive
leadership in all aspects of privacy protection.
- We are reviewing all beneficiary notices to ensure that they fully disclose in plain
language how data are used.
- We are designing new systems that will easily track when and where data are shared.
- We are increasing efforts to ensure that researchers and Medicare contractors have
properly protected data.
- And we have introduced a systems security initiative to aggressively address
vulnerabilities found through the Inspector General's
and our own reviews.
We have established a new Beneficiary Confidentiality Board to coordinate and
consolidate privacy policies and ensure that we do not collect or disseminate more
information than is absolutely necessary. The Board is led by the Director of the Center
for Beneficiary Services and includes senior Executive
s from all Agency components that
have a direct stake in privacy and confidentiality, including the Center for Medicaid and
State Organizations, the Center for Health Plans and Providers, the Office of Clinical
Standards and Quality, the Office of Strategic Planning, the Program Integrity Group, the
Office of Information Services, the Office of the Actuary, and Regional Office
representatives. Core responsibilities include:
- establishing strategic goals, overarching policies, and objectives for protecting data;
- establishing, coordinating, and issuing all policy decisions on privacy and
- assuring implementation and enforcement of guiding principles for Agency-wide strategic
goals and objectives;
- providing Executive
oversight of compliance with all privacy and confidentiality
statutory and regulatory requirements, and assuring that beneficiary protections are
- reviewing all current operations with regard to systems of records and beneficiary
protections to assure that strategic goals and objectives and guiding principles are in
place and effective at all levels, including contractors to sub-contractors;
- evaluating legislative proposals involving the collection, use, and disclosure of
personal information by any entity, public or private, for consistency with legal
standards and our guiding principles;
- assuring that use of new information technologies sustains protections of information
that directly identifies an individual or from which an individual=s identity can be deduced;
- assuring that personal information contained in our systems of records are handled in
full compliance with fair information practices as set out in the Privacy Act; and,
- serving as a senior-level forum for the discussion and resolution of key strategic
issues affecting HCFA's privacy and
confidentiality policies and implementation strategies.
This will help ensure a central focal point for privacy issues and accountability
across all aspects of Agency business.
Beneficiaries need to know and understand why personally identifiable information is
collected and how it is used. This is both a legal requirement and an ethical obligation.
There are many different notices to beneficiaries about why information is collected and
how it is used.
Some, including the newest notice for OASIS, has been carefully crafted to ensure that
it is clear and comprehensive. However, we agree with the GAO that some of the earlier
beneficiary notices do not meet the Privacy Act requirements to inform beneficiaries
- the authority under which we are collecting information;
- the principal purpose for which it will be used;
- the routine uses for which it may be used; and
- whether the individual is required to supply the information and what the consequences
are if the individual does not supply the information.
Earlier this year, we began a systematic review of all beneficiary privacy notices,
rewriting them as necessary, to ensure that they provide full disclosure in plain
TRACKING DATA RELEASES
The Privacy Act stipulates that beneficiaries are entitled to know, upon request, any
and all instances in which identifiable information about them has been shared. We have
never had such a request, but have realized that complying with one would be
extraordinarily labor intensive with our current information systems. It also is currently
difficult to provide data on our Privacy Act compliance to the Office of Management and
Budget (OMB) for its oversight responsibilities.
We are now working to fully define the requirements for information systems that will
ensure full compliance with OMB and Privacy Act requirements. Implementing these systems
is a top information technology priority once we have cleared the Year 2000 hurdle. In the
interim, we have increased our surveillance of these requests and are improving our
existing tracking systems to align them more fully with OMB requirements.
DATA USE OVERSIGHT
The data files we maintain are an invaluable asset to medical and health policy
researchers in their efforts to improve beneficiary care and coverage. For example:
- we are able to share the extensive information we have on beneficiaries with end-stage
renal disease directly with National Institute of Health scientists that they can use to
study and improve treatment;
- the Agency for Health Care Policy and Research Patient Outcome Research Teams rely upon
this beneficiary information to develop new insights on the treatment of the most frequent
medical conditions affecting the elderly; and,
- the data files are also critical to investigators under contract to us for evaluation
and development of payment, coverage and treatment policies.
The Privacy Act does allow for sharing data with researchers as long as their work
promotes the Agency's mission, is compatible
with the purpose for which the information was collected, and proper privacy protections
are in place.
Many research needs are met by "public use
files@ that we readily make available, and from
which any data that could identify individual beneficiaries is removed, including
information that could be used to deduce an individual beneficiary's identity. Additional research needs are met by
encrypted data files in which data elements that explicitly identify individuals (such as
names, claim numbers, physician numbers, service dates, and date of birth) are either
removed, encrypted, or stated as a range (of dates, for example). Some data elements
remain in these files that could possibly be linked with other information to a deduce
specific individual's identity. Finally, there
are some valid research endeavors for which individually identifiable information is
For all research requests, we conduct a careful review to ensure that any disclosure of
information is allowed under the Privacy Act. For research projects outside of HHS, or not
funded by HHS, we conduct another careful level of review to ensure that the request is
for the bare minimum of information that is essential to a given research project, and
that the project has scientific merit and sound research methodology. We are also diligent
in making clear to researchers how data that could be used to identify individual
beneficiaries must be protected.
When proper criteria are met, we develop data use agreements that contain explicit
protections covering the release and use of data. These agreements also specify that the
user must contact us within 30 days of completion of the approved project for instructions
on whether to return all data files to us or to destroy such data and execute an
attestation to certify the destruction. We have taken swift action to address the rare
situations that we are aware of in which researchers have not fully complied with Privacy
Act requirements and our data use agreements to clarify their responsibilities to protect
We are now increasing efforts to verify that researchers have in fact complied with
their data use agreements to protect data and dispose of it properly once projects are
completed. We expect to reduce our backlog in half by the end of this fiscal year. We also
look forward to working with the GAO and other experts to develop more systematic ways to
proactively assure compliance with data use agreements so we can prevent problems before
potential security breaches occur.
We are also working to improve security in electronic data processing. We have
introduced a systems security initiative to aggressively address vulnerabilities found
through the Inspector General's and our own
reviews. Our goal is to be able to maintain the tightest possible security as the business
environment in which we operate changes, and to integrate security into every aspect of
our information technology management activities.
One of the first things our new Chief Information Officer, Gary Christoph, did when he
came on board was to hire outside experts to search out security weaknesses in our systems
so we could proactively address them. We also have acquired new technology, beefed up
staff training, conducted our own risk assessments and internal audits, and enhanced
procedures for guarding access to sensitive systems. However, there are no silver bullets,
and vigilance here must be constant given the ever changing nature of technology and
evolution of new risks.
As we clear the Year 2000 hurdle and its demand on our systems, we will be able to
increase our security even more through our comprehensive security initiative. We are now
in the process of developing the protocols to systematically monitor the systems security
of our claims processing contractors. The new evaluation process will specifically assess
administrative, technical, and physical protection measures to protect beneficiary
We also have recently restructured our contractor oversight operations and initiated a
new contractor evaluation process which will incorporate the security review findings and
improve our overall management of the contractors. In addition, the Administration has
proposed comprehensive contrActing
reform legislation that will bring Medicare contrActing
authority in line with standard Federal government contrActing
procedures and make it
easier for us to terminate contractors if we find they are not providing adequate privacy
We will continue to use the annual Inspector General CFO audits as an opportunity to
identify threats to the integrity of our data systems and to ensure that we address
vulnerabilities in a timely manner. We also are carrying out activities required by the
Presidential Decision Directive 63, as well as security requirements in the Health
Insurance Portability and Accountability Act, which will further strengthen our security
The new steps we are taking can only strengthen our solid track record of protecting
confidential beneficiary information. Our new Beneficiary Confidentiality Board, in
particular, will provide an overarching Executive
-level focus on our obligation to remain
ever vigilant. We encourage the IG, GAO, and others to also be vigilant in raising and
helping us to address any concerns about protections for sensitive information. And we
remain committed to swiftly and effectively addressing any related issues or breaches that
might arise. I thank you again for holding this hearing, and I am happy to answer any
questions you might have.