July 23, 2014

Centers for Medicare & Medicaid Services (CMS) Falls Short in Response to Healthcare Data Breaches

Last week, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released the results of a study entitled CMS Response to Breaches and Medical Identity Theft.  OIG had two objectives for commencing this study.  First, OIG sought to determine whether CMS’s response to breaches of Medicare beneficiaries’ protected health information (PHI) met the notification requirements in the HITECH Act.  Second, because such breaches could result in medical identity theft, OIG wanted to gauge whether CMS’s response to medical identity theft protected both beneficiaries and the Medicare Trust Fund from potential harm.

As a HIPAA covered entity, CMS must preserve the security and privacy of the PHI it collects and uses (which, in this instance, belongs to millions of Medicare beneficiaries).  And just like other HIPAA covered entities (e.g., commercial health plans and physicians), CMS is required under the HITECH Act to notify affected individuals if a breach occurs that compromises the security or privacy of the PHI of Medicare beneficiaries.  Such breaches could lead to medical identity theft involving the Medicare identification numbers of providers and beneficiaries.  OIG is concerned that stolen or misused medical identifying information, such as beneficiary numbers and provider or supplier numbers, could be used to fraudulently obtain or bill for medical services or supplies.

Between September 23, 2009 (the date the HITECH Act notification requirements became effective) and December 31, 2011, the OIG found that CMS reported 14 separate breaches of PHI affecting 13,775 Medicare beneficiaries that required notification under the HITECH Act.  And although CMS notified all affected Medicare beneficiaries, it failed to meet several HITECH Act notification requirements:

  • Seven breach notifications did not involve notification of affected individuals within 60 days of the breach’s discovery.
  • Six breach notifications did not describe how CMS’s contractors were investigating the breach, mitigating losses, or protecting against future breaches.
  • Seven breach notifications were missing information concerning the date the breach occurred or the date when it was discovered.
  • Three breach notifications did not identify the type(s) of unsecured PHI involved, contact procedures for individuals to learn more about the breach, or steps individuals should take to protect themselves from harm.

The OIG also noted CMS’s progress in responding to medical identity theft by developing a compromised Medicare number database (called the Compromised Number Checklist (CNC) database), first released in February 2012, for use by CMS contractors.  Based upon its investigation, however, OIG reported that the database’s usefulness could be improved, and that CMS should provide guidance to its contractors about using the database information to develop claims edits to stop payments on compromised Medicare numbers.

The OIG’s report provides two notable takeaways.  HIPAA covered entities and business associates alike can take solace in the fact that CMS has difficulty complying with the HITECH Act’s notification requirements.  Additionally, in its response to the OIG, CMS reported that it is currently improving the CNC database in response to content, quality, and accessibility concerns.  CMS has provided Medicare contractors with improved guidance for incorporating CNC database information into benefit integrity activities and expects to issue claims edit development best practices in the near future.
