Healthcare News & Insights

CMS’s response to PHI breaches examined

You know how your hospital is doing when it comes to guarding patients’ protected health information (PHI), but do you know how the Centers for Medicare & Medicaid Services (CMS) is doing?

The Recovery Act requires covered entities (CE) to notify an individual whose unsecured PHI has been accessed as a result of a breach. And as a covered entity, CMS is subject to these requirements, too.

Considering that CMS maintains the PHI of millions of Medicare beneficiaries, you would think its program and response to breaches would be exemplary. You’d be wrong.

In previous reports, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Government Accountability Office (GAO) identified gaps and weaknesses in the information security procedures of CMS and its contractors. However, there hasn’t been an evaluation to examine CMS’s breach notification procedures or determine how many breaches involving beneficiaries’ PHI have occurred.

Response to breaches

So the OIG recently assessed CMS’s response to medical identity theft involving beneficiary and provider Medicare identification numbers and the remedies it offers to beneficiaries and providers. The study was based on CMS data.

Here’s what the OIG found:

  • CMS had 14 breaches of PHI requiring notification under the Recovery Act between Sept. 23, 2009, and Dec. 31, 2011.
  • CMS notified 13,775 Medicare beneficiaries affected by the breaches, but didn’t meet several Recovery Act requirements.
  • While CMS has improved its response to medical identity theft by developing a compromised number database for contractors, the database’s usefulness could still be improved.
  • CMS contractors don’t consistently develop edits to stop payments on compromised numbers, and
  • CMS offers remedies to providers affected by medical identity theft, but not as many to beneficiaries.

OIG recommendations

To help CMS improve its processes, the OIG recommended that CMS:

  • Ensure that breach notifications meet Recovery Act requirements
  • Improve the completeness and quality of the number database by soliciting input from the benefit integrity contractors, and make it more user-friendly
  • Provide guidance to contractors about using database information and implementing edits
  • Develop a method for ensuring that beneficiaries who are victims of medical identity theft retain access to needed services, and
  • Create a method for reissuing identification numbers to beneficiaries affected by medical identity theft.
