Is Your Medicare Information Safe?

Posted on September 06, 2018

Is the Medicare information that doctors, hospitals, and insurance companies have about you, your parents, or your grandparents well protected?

The Centers for Medicare & Medicaid Services (CMS) oversees the Medicare program, which covers nearly 58 million aged and disabled Americans. Federal spending for Medicare benefits totaled approximately $696 billion in fiscal year 2016. Every dollar that is spent on Medicare is connected to someone’s personal information, and if that information is not carefully secured, it could result in financial fraud.

Today’s WatchBlog explores how CMS protects Medicare data.

Who Can See Medicare Information?

As part of running the Medicare program, CMS shares data on Medicare recipients with other groups for three major reasons:

  • Medicare Administrative Contractors (MAC) use this data to process the payment of Medicare benefits.
  • Researchers use this data to study how recipients get health care services.
  • “Qualified entities”—public or private organizations responsible for reporting on provider performance for one or more locations—use this data to determine how well Medicare service providers and equipment suppliers are performing.

Figure showing CMS sharing of fee-for-service beneficiary data with external entities

Is Guidance for Guarding Personal Information Being Followed?

CMS has set requirements that follow federal standards for MACs and qualified entities about guarding personal information. However, while researchers are required to follow federal standards, they are not given detailed guidance on which specific security measures to put in place.

CMS notes that when researchers don’t have to follow specific guidance, they have more flexibility to assess security risks and decide which security measures to use. But this flexibility may result in researchers not using security measures that meet CMS standards. We recommended that CMS establish specific guidance for researchers so that they put in place security measures that are consistent and effective.

Who Ensures that Security Measures Are Effectively Carried Out?

In addition to setting requirements for MACs, researchers, and qualified entities, CMS must ensure that these groups are effectively carrying out CMS’s security measures. While assessing effective performance is a good management practice, the Federal Information Security Management Act also requires this. CMS is specifically required to assess the MACs under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003.

We found that CMS is performing assessments for MACs but is not always tracking their findings effectively. We recommended that CMS track all findings for MACs and set up oversight programs for qualified entities and researchers. Currently, CMS does not have assessment programs for these groups.

Check out our full report to learn more.

About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.