Audit (A-18-13-30100)

Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2011

Complete Report

Download the complete report


The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added to the Act information security requirements for Medicare administrative contractors (MACs), fiscal intermediaries, and carriers, which process and pay Medicare fee-for-service claims. To comply with these requirements, the Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs, fiscal intermediaries, and carriers using a set of agreed-upon procedures. The Act also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. To satisfy this requirement, CMS expanded the scope of its evaluations to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the MACs, fiscal intermediaries, and carriers.

PwC's evaluations of the contractor information security programs were adequate in scope and were sufficient. PwC reported a total of 127 gaps at 11 Medicare contractors for FY 2011, which was a decrease of 23 percent from FY 2010. Gaps are defined as the differences between Federal Information Security Management Act of 2002 or CMS core security requirements and the contractors' implementation of them.

Copies can also be obtained by contacting the Office of Public Affairs at

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201