Centers For Medicare & Medicaid Services (CMS) Falls Short In Response To Healthcare Data Breaches

Author: Ms Cynthia Larose and Stephen R. Bentfield
Profession: Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Last week, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released the results of a study entitled CMS Response to Breaches and Medical Identity Theft. OIG had two objectives for commencing this study. First, OIG sought to determine whether CMS's response to breaches of Medicare beneficiaries' protected health information (PHI) met the notification requirements in the HITECH Act. Second, because such breaches could result in medical identity theft, OIG wanted to gauge whether CMS's response to medical identity theft protected both beneficiaries and the Medicare Trust Fund from potential harm.

As a HIPAA covered entity, CMS must preserve the security and privacy of PHI it collects and uses (which, in this instance, belongs to millions of Medicare beneficiaries). And just like other HIPAA covered entities (e.g., commercial health plans and physicians), CMS is required under the HITECH Act to notify affected individuals if a breach occurs that compromises the security or privacy of the PHI of Medicare beneficiaries. Such breaches could lead to medical identity theft involving the Medicare identification numbers of providers and beneficiaries. OIG is concerned that the theft and misuse of medical identifying information, such as beneficiary numbers and provider or supplier numbers, could be used to fraudulently obtain or bill for medical services or supplies.

Between September 23, 2009 (the date the HITECH Act notification requirements became effective) and December 31, 2011, OIG found that CMS reported 14 separate breaches of PHI affecting 13,775 Medicare beneficiaries that required notification under the HITECH Act. Although CMS notified all affected Medicare beneficiaries, it failed to meet several other HITECH Act notification requirements:

Seven breach notifications did not involve notification of affected individuals...
