Investigation faults handling of Medicare patient data breaches

CMS is not complying with notification requirements and needs to upgrade its database of compromised identities, an OIG report finds.

Posted Oct. 29, 2012

The Centers for Medicare & Medicaid Services has measures to protect physicians from the liabilities that the theft of their Medicare identification numbers could create. But it offers few remedies to Medicare beneficiaries whose identifications have been compromised, according to a report by the Dept. of Health and Human Services’ Office of the Inspector General.

In October, the OIG published its investigation of CMS’ management of a database of Medicare identification numbers, for patients and physicians, that have been compromised because of a breach. The OIG examined 14 breaches affecting 13,755 beneficiaries that occurred between Sept. 23, 2009, when the notification rules under the economic stimulus package went into effect, and Dec. 31, 2011. The report covered CMS breaches involving at least 500 Medicare beneficiaries. Any organization that commits a breach involving at least that many patients is required to report it to HHS.

Of the 14 breach cases, the OIG found that:

  • Notification was not made within the required 60 days in seven cases.
  • Notification did not include a description of the breach investigation, loss mitigation and protection against further breaches in six cases.
  • Notification did not include when breaches occurred or were discovered in seven cases.
  • Notification did not include the breached information, contact procedures or steps to protect from harm in three cases.

Although CMS informed HHS and media outlets in each case as required under the law, the OIG said it hadn’t done enough to notify patients. In its role as an insurer, CMS “has the same responsibilities and liabilities as any other covered entity subject to HIPAA,” said Susan McAndrew, deputy director of the Health Information Privacy Division at HHS Office for Civil Rights, the HIPAA enforcement arm for HHS, in an e-mail.

The OIG report did not look at compliance issues leading to the breaches, which can cause private HIPAA-covered entities to be fined for noncompliance. The report only examined CMS’ handling of the notification requirements.

The OIG reported that CMS has made progress in its breach protection and notification efforts. CMS created a database in February 2012 that contains Medicare identification numbers that have been compromised or are at risk of being compromised. Using the database, Medicare contractors who review and pay claims can catch and prevent identity theft and fraudulent payments. The database includes physicians’ Medicare identifiers that have been compromised. The OIG found that CMS offers remedies to physicians so they are not held responsible for overpayment and tax liabilities from fraudulent activities using their stolen Medicare credentials.

But the report found that Medicare wasn’t doing enough to mitigate damages caused when a Medicare patient’s identification is stolen. The OIG found a need for better management of the database and consistency in how Medicare contractors use the database to catch and prevent fraud. The lack of consistency could cause a disruption in payments to physicians and other health care organizations that treat and provide medical supplies to Medicare patients.

Because victims of identity theft are not given new identification numbers, in part because Social Security numbers are included in them, fraudulent claims made under a patient’s stolen identity could count toward their cap for the amount of services and medical devices they can receive, the OIG said.

The report also found that contractors received no guidance from CMS on using the database, including protocols for “edits” made to compromised identification numbers. The edits are rules that determine what claims are paid and denied. Some contractors edit the identification numbers by placing automatic denials on all claims, while others place denials on certain services and devices.

Acting CMS Administrator Marilyn Tavenner agreed that there needs to be better consistency in how the database is used and how the identification numbers are edited. She said the agency is upgrading the system to make it more user-friendly, and that it will develop guidelines to handle edits. These changes are scheduled to be completed in the first quarter of 2013.

Tavenner said the agency will analyze its handling of breach notifications to identify gaps in the process. She said she appreciated the OIG’s efforts in “working with our agency to help ensure that health information of Medicare beneficiaries is protected.”

External links

“CMS Response to Breaches and Medical Identity Theft,” HHS Office of Inspector General, October
