Centers for Medicare & Medicaid Services (CMS) Falls Short in Response to Healthcare Data Breaches
Last week, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released the results of a study entitled CMS Response to Breaches and Medical Identity Theft. OIG had two objectives for commencing this study. First, OIG sought to determine whether CMS’s response to breaches of Medicare beneficiaries’ protected health information (PHI) met the notification requirements in the HITECH Act. Second, because such breaches could result in medical identity theft, OIG wanted to gauge whether CMS’s response to medical identity theft protected both beneficiaries and the Medicare Trust Fund from potential harm.
As a HIPAA covered entity, CMS must preserve the security and privacy of PHI it collects and uses (which, in this instance, belongs to millions of Medicare beneficiaries). And just like other HIPAA covered entities (e.g., commercial health plans and physicians), CMS is required under the HITECH Act to notify affected individuals if a breach occurs that compromises the security or privacy of the PHI of Medicare beneficiaries. Such breaches could lead to medical identity theft involving the Medicare identification numbers of providers and beneficiaries. OIG is concerned that the theft and misuse of medical identifying information, such as beneficiary numbers and provider or supplier numbers, could be used to fraudulently obtain or bill for medical services or supplies.
Between September 23, 2009 (the date the HITECH Act notification requirements became effective) and December 31, 2011, the OIG found that CMS reported 14 separate breaches of PHI affecting 13,775 Medicare beneficiaries that required notification under the HITECH Act. And although CMS notified all affected Medicare beneficiaries, it failed to meet several HITECH Act notification requirements:
- Seven breach notifications did not involve notification of affected individuals within 60 days of breach’s discovery.
- Six breach notifications did not describe how CMS’s contractors were investigating the breach, mitigating losses, or protecting against future breaches.
- ·Seven breach notifications were missing information concerning the date the breach occurred or the date when it was discovered.
- Three breach notifications did not identify the type(s) of unsecured PHI involved, contact procedures for individuals to learn more about the breach, or steps individuals should take to protect themselves from harm.
The OIG also noted CMS’s progress in responding to medical identity theft by developing a compromised Medicare number database (called the Compromised Number Checklist (CNC) database), first released in February 2012, for use by CMS contractors. Based upon its investigation, however, OIG reported that the database’s usefulness could be improved, and that CMS should provide guidance to its contractors about using the database information to develop claims edits to stop payments on compromised Medicare numbers.
The OIG’s report provides two notable takeaways. HIPAA covered entities and business associates alike can take solace in the fact that CMS has difficulty complying with the HITECH Act’s notification requirements. Additionally, in its response to the OIG, CMS reported that it is currently improving the CNC database in response to content, quality, and accessibility concerns. CMS has provided Medicare contractors with improved guidance for incorporating CNC database information into benefit integrity activities and expects to issue claims edit development best practices in the near future.