July 19, 2019

July 19, 2019

Subscribe to Latest Legal News and Analysis

July 18, 2019

Subscribe to Latest Legal News and Analysis

July 17, 2019

Subscribe to Latest Legal News and Analysis

GAO Says CMS Must Do More to Protect Medicare Info

In a report released on April 5, 2018, the Government Accountability Office (GAO) concluded that the Centers for Medicare and Medicaid Services (CMS) has not done enough to adequately protect the electronic data of Medicare beneficiaries.  There are over 59 million Medicare beneficiaries and beneficiary information contains some of the most sensitive personal information, making it very attractive to criminals.  Therefore, CMS’s protection of that data is critically important.

In its report, the GAO identified two failures regarding external entities with access to Medicare beneficiary data. First, it found that CMS failed to develop guidance for researchers on assessing security risks and implementing controls to address identified risks.  Researchers are one of three external groups with access to Medicare beneficiary information.  The other two groups are Medicare contractors and qualified entities (qualified entities receive data under the Affordable Care Act to evaluate the performance of providers and suppliers).  CMS has guidance for these two groups.  Without providing researchers with guidance, CMS leaves them to their own devices to determine risk and implement security measures.

Second, the GAO concluded that CMS does not have an oversight program to ensure that researchers and qualified entities have implemented adequate security measures. CMS has an oversight program for Medicare contractors.  Without the oversight program, CMS cannot confirm that researchers and qualified entities are adequately protecting Medicare beneficiary data.

In light of these findings, CMS may look to extend its existing guidance and oversight programs to ensure that all external groups with access to Medicare beneficiary data are covered.

© Copyright 2019 Murtha Cullina


About this Author

Dena Castricone, Murtha Cullina Law Firm, Privacy and Cybersecurity Attorney

Dena M. Castricone is a member of the Long Term Care and Health Care practice groups.  She is the Chair of the Privacy and Cybersecurity practice group and the Chair of the firm’s Pro Bono Committee.  Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.

Dena’s long term care and health care clients compete in a constantly evolving industry, facing both rising administrative and regulatory burdens and shrinking reimbursement rates. She helps skilled nursing centers, physician groups, home health and...