Yesterday the U.S. Department of Health and Human Services Office of Inspector General (OIG) released the results of a study entitled CMS Response to Breaches and Medical Identity Theft. OIG had two objectives for commencing this study. First, OIG sought to determine whether CMS’s response to breaches of Medicare beneficiaries’ protected health information (PHI) met the notification requirements in the HITECH Act. Second, because such breaches could result in medical identity theft, OIG wanted to gauge whether CMS’s response to medical identity theft protected both beneficiaries and the Medicare Trust Fund from potential harm.
As a HIPAA covered entity, CMS must preserve the security and privacy of PHI it collects and uses (which, in this instance, belongs to millions of Medicare beneficiaries). And just like other HIPAA covered entities (e.g., commercial health plans and physicians), CMS is required under the HITECH Act to notify affected individuals if a breach occurs that compromises the security or privacy of the PHI of Medicare beneficiaries. Such breaches could lead to medical identity theft involving the Medicare identification numbers of providers and beneficiaries. OIG is concerned that the theft and misuse of medical identifying information, such as beneficiary numbers and provider or supplier numbers, could be used to fraudulently obtain or bill for medical services or supplies.
Between September 23, 2009 (the date the HITECH Act notification requirements became effective) and December 31, 2011, the OIG found that CMS reported 14 separate breaches of PHI affecting 13,775 Medicare beneficiaries that required notification under the HITECH Act. And although CMS notified all affected Medicare beneficiaries, it failed to meet several HITECH Act notification requirements:
Seven breach notifications did not involve notification of affected individuals within 60 days of breach’s discovery.
Six breach notifications did not describe how CMS’s contractors were investigating the breach, mitigating losses, or protecting against future breaches.
Seven breach notifications were missing information concerning the date the breach occurred or the date when it was discovered.
Three breach notifications did not identify the type(s) of unsecured PHI involved, contact procedures for individuals to learn more about the breach, or steps individuals should take to protect themselves from harm.
The OIG also noted CMS’s progress in responding to medical identity theft by developing a compromised Medicare number database (called the Compromised Number Checklist (CNC) database), first released in February 2012, for use by CMS contractors. Based upon its investigation, however, OIG reported that the database’s usefulness could be improved, and that CMS should provide guidance to its contractors about using the database information to develop claims edits to stop payments on compromised Medicare numbers.
The OIG’s report provides two notable takeaways. HIPAA covered entities and business associates alike can take solace in the fact that CMS has difficulty complying with the HITECH Act’s notification requirements. Additionally, in its response to the OIG, CMS reported that it is currently improving the CNC database in response to content, quality, and accessibility concerns. CMS has provided Medicare contractors with improved guidance for incorporating CNC database information into benefit integrity activities and expects to issue claims edit development best practices in the near future.
The content of this article is intended to provide a general guide
to the subject matter. Specialist advice should be sought about your
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Whether you are an employer that provides health insurance for your employees, a business in the growing healthcare industry, a hospital, or other medical provider—or you provide services to any of those entities—you need to know about changes to the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Marilyn Tavenner received bipartisan support from members of the Senate Committee on Finance in her confirmation hearing to lead the Centers for Medicare and Medicaid Services (CMS) though a full Senate vote is being held up, the president released his FY 2014 budget proposal with health care reform and specified reimbursement reductions to providers and manufacturers totaling $400 billion over 10 years sprinkled throughout it, and Department of Health and Human Services (HHS) Secretary Sebelius
The Office of Inspector General for the Department of Health and Human Services has recently issued an updated Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs.
On Tuesday, the North Carolina legislature has enacted into law, pending the governor's signature, a prohibition on the use of most favored nations clauses in contracts between commercial health insurers and providers.