What GAO Found

The Centers for Medicare and Medicaid Services (CMS) currently offers to Medicare providers and Medicare Administrative Contractors the use of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Eligibility Transaction System (HETS) in a real-time data processing environment. HETS is operational 24 hours a day, 7 days a week, except during regularly scheduled maintenance Monday mornings, from midnight until 5:00 a.m., and when CMS announces other maintenance periods during one or two weekends each month. According to program officials, 244 entities were using HETS in 2012, including about 130 providers, 104 clearinghouses that provide data exchange services to about 400,000 health care providers, and 10 Medicare contractors that help CMS process claims for services. From January through June 2012, HETS processed each month an average of 1.7 million to 2.2 million queries per day with most of the queries submitted between the hours of 8:00 a.m. and 4:00 p.m. eastern time. The users with whom we spoke confirmed that operational problems they experienced with the system in 2010 and the first few months of 2011 were resolved in spring 2011 after CMS implemented several hardware and software replacements and upgrades. System performance reports for the first 6 months of 2012 showed that the average response time per transaction was less than 3 seconds. Users described experiences with the system that were consistent with these data. They told us that they are currently satisfied with the operational status of HETS and that the system provides more complete information and reliable service than other systems that they use to verify eligibility with commercial health insurers.

CMS took steps to ensure users remain satisfied with the system's performance, including notifying users in advance of system downtime, providing help desk support, and monitoring contractors' performance. The agency had also planned several technical improvements intended to increase HETS' capacity to process a growing number of transactions, which the agency projected to increase at a rate of about 40 percent each year. These plans include a redesign of the system and migration to a new database environment that is scalable to accommodate the projected increase in transaction volume. According to HETS program officials, near-term plans also include the implementation of tools to enable proactive monitoring of system components and additional services intended to enhance production capacity until the planned redesign of the system is complete.

To help protect the privacy of beneficiary eligibility data provided by HETS, CMS established policies, processes, and procedures that are intended to address principals reflected by the HIPAA Privacy Rule. For example, in its efforts to ensure proper uses and disclosures of the data, CMS documented in user agreements the authorized and unauthorized purposes for requesting Medicare beneficiary eligibility data. Additionally, the agency conducted privacy impact and risk assessments of HETS as required by the E-Government Act of 2002. Officials from the Department of Health and Human Services' Office for Civil Rights stated that no privacy violations had been reported regarding the use of the protected health data provided by HETS since its implementation in 2005.

Why GAO Did This Study

Medicare is a federal program that pays for health care services for individuals 65 years and older and certain individuals with disabilities. In 2011, Medicare covered about 48.4 million of these individuals, and total expenditures for this coverage were approximately $565 billion. CMS, the agency within the Department of Health and Human Services that administers Medicare, is responsible for ensuring that proper payments are made on behalf of the program's beneficiaries. In response to HIPAA requirements, CMS developed and implemented an information technology system to help providers determine beneficiaries' eligibility for Medicare coverage. In May 2005 CMS began offering automated services through HETS, a query and response system that provides data to users about Medicare beneficiaries and their eligibility to receive payment for health care services and supplies.

Because of the important role that HETS plays in providers having access to timely and accurate data to determine eligibility, GAO was asked to (1) identify the operational status of HETS, (2) identify any steps CMS has taken to ensure users' satisfaction and plans to take to ensure the system supports future requirements, and (3) describe CMS's policies, processes, and procedures for protecting the privacy of data provided by HETS.

To do so, GAO collected and analyzed documentation from program officials, such as reports on transaction volume and response times, agreements with users, and CMS's privacy impact and risk assessments of HETS. GAO also interviewed program officials and system users.

For more information, contact Valerie Melvin at (202) 512-6304 or melvinv@gao.gov.