The following is a summary of the report's findings.
Federal contractors and state Medicaid agencies widely reported domestic outsourcing of services involving the use of personal health information but little direct offshore outsourcing. Among those that completed GAO’s survey, more than 90 percent of Medicare contractors and state Medicaid agencies and 63 percent of TRICARE contractors reported some domestic outsourcing in 2005. Typically, survey groups reported engaging from 3 to 20 U.S. vendors (commonly known as subcontractors). One federal contractor and one state Medicaid agency reported outsourcing services directly offshore. However, some federal contractors and state Medicaid agencies also knew that their domestic vendors had initiated offshore outsourcing. Thirty-three Medicare Advantage contractors, 2 Medicare fee-for-service (FFS) contractors, and 1 Medicaid agency indicated that their domestic vendors transfer personal health information offshore, although they did not provide information about the scope of personal information transferred offshore. Moreover, the reported extent of offshore outsourcing by vendors may be understated because many federal contractors and agencies did not know whether their domestic vendors transferred personal health information to other locations or vendors.
In responding to GAO’s survey, over 40 percent of the federal contractors and state Medicaid agencies reported that they experienced a recent privacy breach involving personal health information. (The frequency or severity of these breaches was not reported.) By survey group, 47 percent of Medicare Advantage contractors reported privacy breaches within the past 2 years, as did 44 percent of Medicaid agencies, 42 percent of Medicare FFS contractors, and 38 percent of TRICARE contractors. TMA and CMS differ in their requirements for notification of privacy breaches. TMA requires monthly reports on privacy breaches from its TRICARE contractors and follows up with contractors that report recurring lapses in privacy. While CMS requires Medicare FFS contractors to report privacy breaches within 30 days of discovery, such oversight is lacking for privacy breaches that may occur with personal health information held by state Medicaid agencies and Medicare Advantage contractors, as CMS does not require reports of privacy breaches from these entities.