Many of the state agencies and private companies that help run government health finance programs say they have run into privacy problems.

More than 40% of the 378 private contractors and state agencies that participated in a recent survey conducted by the U.S. Government Accountability Office reported suffering privacy breaches in 2004 or 2005.

The share of participating organizations reporting 2004-2005 privacy breaches was 38% at the Tricare program, which serves military personnel, retirees and dependents; 40% at state Medicaid agencies; 42% at Medicare fee-for-service program contractors; and 47% at Medicare Advantage managed care program contractors.

GAO researchers conducted the survey in connection with efforts to assess the risk of letting government health programs send members’ personal health information to overseas contractors.

The privacy breaches reported in the survey did not necessarily involve international outsourcing operations, and the survey did not ask participating entities how extensive or serious the privacy breaches were, GAO officials write in a report on the survey findings.

GAO officials also asked whether entities participating in the survey used 1 or more of 3 strategies recommended for protecting personal health information sent overseas: assessing privacy practices when selecting a vendor; monitoring vendor performance on privacy practices; and keeping aware of further subcontracting.

Only 27% of the Medicare Advantage contractors and 29% of the Medicare fee-for-service contractors said they use all 3 methods, compared with 51% of the state Medicaid agencies and 60% of the Tricare contractors, GAO officials write.

In the future, “the privacy breach notification requirements that currently apply to Tricare and Medicare FFS contractors should also apply to other Medicare contracts that handle personal health information (such as Medicare Advantage contractors) and to state Medicaid agencies,” GAO officials write.

A copy of the GAO report is on the Web at Document Link