Investigation faults handling of Medicare patient data breaches
CMS is not complying with notification requirements and needs to upgrade its database of compromised identities, an OIG report finds.
The Centers for Medicare & Medicaid Services has measures to protect physicians from the liabilities that the theft of their Medicare identification numbers could create. But it offers few remedies to Medicare beneficiaries whose identifications have been compromised, according to a report by the Dept. of Health and Human Services’ Office of the Inspector General.
In October, the OIG published its investigation of CMS’ management of a database of Medicare identification numbers, for patients and physicians, that have been compromised because of a breach. The OIG examined 14 breaches affecting 13,755 beneficiaries that occurred between Sept. 23, 2009, when the notification rules under the economic stimulus package went into effect, and Dec. 31, 2011. The report covered CMS breaches involving at least 500 Medicare beneficiaries. Any organization that commits a breach involving at least that many patients is required to report it to HHS.
Of the 14 breach cases, the OIG found that:
- Notification was not made within the required 60 days in seven cases.
- Notification did not include a description of the breach investigation, loss mitigation and protection against further breaches in six cases.
- Notification did not include when breaches occurred or were discovered in seven cases.
- Notification did not include the breached information, contact procedures or steps to protect from harm in three cases.
Although CMS informed HHS and media outlets in each case as required under the law, the OIG said it hadn’t done enough to notify patients. In its role as an insurer, CMS “has the same responsibilities and liabilities as any other covered entity subject to HIPAA,” said Susan McAndrew, deputy director of the Health Information Privacy Division at HHS Office for Civil Rights, the HIPAA enforcement arm for HHS, in an e-mail.
The OIG report did not look at compliance issues leading to the breaches, which can cause private HIPAA-covered entities to be fined for noncompliance. The report only examined CMS’ handling of the notification requirements.
The OIG reported that CMS has made progress in its breach protection and notification efforts. CMS created a database in February 2012 that contains Medicare identification numbers that have been compromised or are at risk of being compromised. Using the database, Medicare contractors who review and pay claims can catch and prevent identity theft and fraudulent payments. The database includes physicians’ Medicare identifiers that have been compromised. The OIG found that CMS offers remedies to physicians so they are not held responsible for overpayment and tax liabilities from fraudulent activities using their stolen Medicare credentials.
But the report found that Medicare wasn’t doing enough to mitigate damages caused when a Medicare patient’s identification is stolen. The OIG found a need for better management of the database and consistency in how Medicare contractors use the database to catch and prevent fraud. The lack of consistency could cause a disruption in payments to physicians and other health care organizations that treat and provide medical supplies to Medicare patients.
Because victims of identity theft are not given new identification numbers, in part because Social Security numbers are included in them, fraudulent claims made under a patient’s stolen identity could count toward their cap for the amount of services and medical devices they can receive, the OIG said.
The report also found that contractors received no guidance from CMS on using the database, including protocols for “edits” applied to compromised identification numbers. The edits are rules that determine which claims are paid and which are denied. Some contractors edit the identification numbers by placing automatic denials on all claims, while others place denials only on certain services and devices.
Acting CMS Administrator Marilyn Tavenner agreed that there needs to be better consistency in how the database is used and how the identification numbers are edited. She said the agency is upgrading the system to make it more user-friendly, and that it will develop guidelines to handle edits. These changes are scheduled to be completed in the first quarter of 2013.
Tavenner said the agency will analyze its handling of breach notifications to identify gaps in the process. She said she appreciated the OIG’s efforts in “working with our agency to help ensure that health information of Medicare beneficiaries is protected.”