GAO report highlights importance of security controls when outsourcing

* Experiences of federal and state health insurance outsourcing

The Government Accounting Office (GAO), a non-partisan audit, evaluation and investigative arm of Congress, recently surveyed federal and state health insurance operators to determine the extent of personal information being shared with domestic and offshore outsourcers (PDF of the report here). The results can remind us all of the security risks and controls required when sharing information with outsourcers.

Federal contractors and state Medicaid agencies are responsible for the day-to-day operations of the Medicare, Medicaid and TRICARE health insurance programs. Because these entities may contract with vendors to perform services involving the use of personal health data, outsourcing and privacy protections are of interest. The GAO surveyed all federal Medicare and TRICARE contractors and all state Medicaid agencies (a combined total of 378 entities). Federal contractors and state Medicaid agencies widely reported domestic outsourcing of services involving the use of personal health information but little direct offshore outsourcing. More than 90% of Medicare contractors and state Medicaid agencies and 63% of TRICARE contractors reported some domestic outsourcing in 2005.

One federal contractor and one state Medicaid agency reported outsourcing services directly offshore. However, some federal contractors and state Medicaid agencies also knew that their domestic vendors had initiated offshore outsourcing. Thirty-three Medicare Advantage contractors, two Medicare fee-for-service (FFS) contractors, and one Medicaid agency indicated that their domestic vendors transfer personal health information offshore, although they did not provide information about the scope of personal information transferred offshore. Moreover, the reported extent of offshore outsourcing by vendors may be understated because many federal contractors and agencies did not know whether their domestic vendors transferred personal health information to other locations or vendors. The bulk of the known offshore outsourcing was to India, with Ghana, Mexico, Canada, Jamaica, Bermuda and the Philippines also receiving such work.

More than 40% of the federal contractors and state Medicaid agencies reported that they experienced a recent privacy breach involving personal health information. The frequency or severity of these breaches was not reported.

The Health Insurance Portability and Accountability Act Privacy Rule requires contractual agreements to protect against unauthorized disclosure of personal health information by vendors that receive such information from covered entities to perform certain clinical, operational, or administrative functions. Contracts should specify the vendors' responsibilities for:

* Maintaining safeguards to protect personal information.

* Circumstances under which personal information may be disclosed.

* Rules for subcontracting.

Firms transferring personal health information to vendors should also:

* Assess potential vendors' privacy practices when selecting a vendor.

* Monitor vendor performance on privacy practices.

* Be aware of downstream outsourcing.

While this study is specific to federal health insurance, there are broad outsourcing lessons to be gained from a quick review. These include:

1. Regulation is not enough to ensure data security in outsourcing.

HIPAA includes strict guidelines on the security of personal health information and has been in effect for several years now. Yet, as the survey revealed, many breaches have occurred.

2. Know who is doing your work.

I was amazed to read how many of the survey respondents did not know all of the subcontractors involved in the course of doing their work, including whether they were domestic or foreign subcontractors.

3. Use best practices when contracting and managing outsourcers, particularly with respect to data security.

Security is not a fire-and-forget issue just because you have assigned the work to a third party. Clear guidelines within the contract and ongoing monitoring are required.

Copyright © 2006 IDG Communications, Inc.