OIG Report: CMS Not Perfect with Breach Notification Rules

Oct. 12, 2012
According to a recent audit by the Department of Health & Human Services' Office of the Inspector General (OIG), the Centers for Medicare and Medicaid Services (CMS) could improve the database in which it lists all of the breaches of protected health information is has had since 2009. Also, while CMS did notify 13,775 Medicare beneficiaries affected by the breaches, it did not meet several American Recovery and Reinvestment Act (ARRA) requirements.

According to a recent audit by the Department of Health & Human Services' Office of the Inspector General (OIG), the Centers for Medicare and Medicaid Services (CMS) could improve the database in which it lists all of the breaches of protected health information is has had since 2009. Also, while CMS did notify 13,775 Medicare beneficiaries affected by the breaches, it did not meet several American Recovery and Reinvestment Act (ARRA) requirements.

The study, from OIG, looked at how effective CMS has been in notifying the affected Medicare beneficiaries when their protected health information has been breached, as required by the ARRA. The audit looked to determine the extent to which CMS’ response met the notification requirements in the ARRA by looking at its response to medical identity theft involving beneficiary and provider Medicare identification numbers and the remedies it offers to beneficiaries and providers.

The audit found that between Sept. 23, 2009 and Dec. 31, 2011, CMS reported 14 breaches. While it did make progress in responding to medical identity theft by developing a compromised number database for contractors, it failed on several requirements. Along with the database, it did not consistently develop edits to stop payments on compromised numbers. Also, the audit’s authors say CMS offers some remedies to providers but fewer to beneficiaries affected by medical identity theft.

For its recommendations, OIG recommended CMS ensure that breach notifications meet Recovery Act requirements, improve the compromised number database, and provide guidance to contractors about using database information and implementing edits. It also recommended CMS develop a method for ensuring that beneficiaries who are victims of medical identity theft retain access to needed services and one for reissuing identification numbers to beneficiaries affected by medical identity theft.

Sponsored Recommendations

Data: The Bedrock of Digital Engagement

Join us on March 21st to discover how data serves as the cornerstone of digital engagement in healthcare. Learn from Frederick Health's transformative journey and gain practical...

Northeast Georgia Health System: Scaling Digital Transformation in a Competitive Market

Find out how Northeast Georgia Health System (NGHS) enabled digital access to achieve new patient acquisition goals in Georgia's highly competitive healthcare market.

2023 Care Access Benchmark Report for Healthcare Organizations

To manage growing consumer expectations and shrinking staff resources, forward-thinking healthcare organizations have adopted digital strategies, but recent research shows that...

Increase ROI Through AI: Unlocking Scarce Capacity & Staffing

Unlock the potential of AI to optimize capacity and staffing in healthcare. Join us on February 27th to discover how innovative AI-driven solutions can revolutionize operations...