The U.S. Government Accountability Office (GAO) has recently surveyed health care contractors in the Medicare, Medicaid and Tricare programs in regard to privacy breaches and outsourcing arrangements.
The contractors included those making claims payment determinations, those assessing medical necessity, and those performing claims processing. Contractors that enroll beneficiaries, conduct fraud investigations, administer pharmaceutical benefit management services, and conduct disease management programs were also polled.
Amazingly, approximately forty percent of those contractors responding to the survey reported recent privacy breaches of personal health information.
The GAO also surveyed the outsourcing arrangements of these health care contractors. Most of the contractors had outsourced some of their responsibilities domestically. While a few contractors outsourced offshore directly, most did not. However, many of the contractors' domestic outsourcers further subcontracted those services offshore, primarily to India, Ghana and Mexico.
In light of the foregoing, the GAO has recommended that contractors that outsource information take a three-step approach to minimize the effects of privacy breaches in their outsourcing arrangements. These three steps are (1) assessing individual downstream vendors' personal privacy practices before contracting with them, (2) monitoring vendor performance after contracting, and (3) identifying vendors that outsource functions further downstream and offshore.