Medicare Lags on Breach Notification

Report: Program Doesn't Always Follow HHS Rules
Medicare Lags on Breach Notification

The unit of the Department of Health and Human Services that administers the Medicare program isn't consistently complying with the breach notification rule that HHS enforces, a new report shows.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

The report from the HHS Office of the Inspector General says the Centers for Medicare and Medicaid Services failed to meet the patient notification deadline under the breach notification rule for half of the 14 Medicare breaches it reported between Sept. 23, 2009, and Dec. 31, 2011.

Under the breach notification rule, breaches must be reported to those affected "without unreasonable delay and in no case later than 60 days after the date of discovery." CMS sent tardy notifications for some breaches four days after the 60-day timeframe, while others were sent more than four months late, the OIG reports. Notification letters for the largest breach were sent within the required timeframe.

OIG also finds that the Medicare breach notifications often lacked required information, including dates of the breaches, how CMS contractors were investigating the breach, and descriptions of how the agency was mitigating losses or protecting against further breaches.

The 14 breaches affected a total of 13,775 individuals. Most of the breaches were small. The largest, which affected 13,412, involved a Medicare Summary Notice printing error by a CMS contractor, which caused notices to be mailed to wrong addresses. Two breaches affecting a total of 190 individuals involved beneficiary information being posted online; 10 breaches affecting a total of 165 individuals involved mismailings or mail lost in transit; and one breach affecting eight individuals involved stolen beneficiary information.

Identity Theft

The OIG also notes that when it comes to taking action to address medical ID theft, CMS is making some headway, but it still needs to improve.

CMS in February 2010 launched a database of Medicare ID and claims numbers that have either been used in medical identity theft or are suspected of having been used in or susceptible to ID theft.

As of February 2012, the database contained the Medicare numbers of almost 284,000 beneficiaries and 5,000 providers. Benefit integrity contractors for CMS identify numbers to include in the database for claims analysis and complaint investigations and submit the information monthly.

The goal of this initiative is to identify unusual billing activity and establish risk scores to identify claims for review before payment is made, according to the report. However, CMS has not issued guidance to the contractors that could help make use of the database easier and more effective in identifying fraudulent billing and medical ID fraud, the report notes.

Recommendations

OIG's report makes several recommendations to CMS, including:

  • Ensure that breach notifications meet federal requirements;
  • Improve the compromised number database by making it more user friendly, soliciting input from contractors and providing better guidance;
  • Develop a method for ensuring beneficiaries who are victims of medical ID theft retain access to needed health services; and
  • Develop a method for reissuing ID numbers to beneficiaries affected by medical ID theft.

The OIG report notes: "As the single largest health care payer in the United States, CMS plays a critical role in addressing breaches of protected health information and medical identity theft. Breaches and medical identity theft put beneficiaries, providers, and the Medicare Trust Funds at risk. If CMS does not follow the requirements for handling breaches, opportunities increase for medical identity theft and fraudulent billing of the Medicare program."

In CMS' response to the OIG report, the agency generally agreed with the recommendations. It adds: "To ensure that breach notifications are sent within the required timeframe and include required information, we will initiate an analysis of the agency's current incident handling process to identify gaps and strategize actions for improvements."

The OIG report comes about two months after the Government Accountability Office issued it's own report urging the Social Security Administration to remove Social Security numbers from Medicare numbers because of the threat of medical ID theft (see: GAO: Remove SSN from Medicare Cards.)


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network