News of the Day ... In Perspective
09/9/2006
Privacy breaches reported by nearly half of federal contractors
According to a recent study by the U.S. Government Accountability Office (GAO), more than 40 percent of federal contractors and state Medicaid agencies experienced a recent privacy breach involving personal health information.
Breaches within the past 2 years were reported by 47 percent of Medicare Advantage contractors, 44 percent of Medicaid agencies, 42 percent of Medicare fee-for-service (FFS) contractors, and 38 percent of TRICARE contractors. The frequency or severity of breaches was not specified.
While CMS requires Medicare FFS contractors to report privacy breaches within 30 days, state Medicaid agencies and Medicare Advantage contractors are not subject to this oversight.
There is widespread domestic outsourcing of services involving personal health information. Little offshore outsourcing was reported to the GAO, but the extent is probably understated. Many federal contractors or state agencies do not know whether their domestic vendors transfer information offshore.
One trigger for the study was a 2004 incident in which patient survey data from a California medical center were inadvertently made available to other patients. Also, in 2003, an offshore transcriptionist threatened to disclose personal information in an effort to collect payment for her services.
The GAO notes that HIPAA-covered entities need not monitor their business associates’ compliance with HIPAA-required agreements to safeguard data, but must take action if they discover a pattern of activity that constitutes a material breach of the agreement.