CMS could take steps to better respond to breaches of Medicare beneficiaries' protected health information, according to a report from HHS' Office of Inspector General, Health Data Management reports.
For the report, OIG studied CMS breaches that occurred between Sept. 23, 2009 -- when a new breach notification rule took effect -- and Dec. 31, 2011.
Findings About Data Breaches
During that timeframe, OIG found that CMS experienced 14 breaches affecting 13,775 Medicare beneficiaries. Of those beneficiaries:
- 13,412 were affected by a single breach involving a Medicare summary notice printing error;
- 190 were affected by two incidents in which data were posted online;
- 165 were affected by 10 incidents involving mailing or communication errors; and
- Eight were affected by an incident in which a contractor stole data.
OIG found that for half of the breaches, CMS did not notify affected beneficiaries within 60 days, as required by the federal breach notification rule (Goedert, Health Data Management, 10/11).
OIG in its report stated, "If CMS does not follow requirements for handling breaches, opportunities increase for medical identity theft and fraudulent billing of the Medicare program" (Daly, Modern Healthcare, 10/10).
Report Identifies Issues With CMS Database
OIG also found that contractors are not effectively using a CMS database that contains information on Medicare beneficiaries and providers who have been affected by identity theft. The database currently includes 284,000 Medicare beneficiary identification numbers and 5,000 Medicare provider numbers.
The report found that contractors often:
- Are unaware of the database's features;
- Do not use the database in a standard and efficient way;
- Do not take steps to stop payments for compromised numbers; and
- Report usability problems with the database.
To address the issues outlined in its report, OIG recommended that CMS:
- Meet breach notification deadlines;
- Improve the usability of the database on compromised Medicare numbers;
- Train contractors on how to effectively use the database; and
- Establish a process for re-issuing identification numbers to beneficiaries who are affected by medical identity theft (Health Data Management, 10/11).