Home Health & Hospice Week

HIPAA:

Even CMS Accidentally Breaches Patient Privacy Sometimes

OIG investigates CMS's ability -- or lack of -- to keep benes' PHI private.

Maintaining the privacy of your patient base may seem like a daunting task, but imagine keeping all 40+ million Medicare beneficiaries protected under HIPAA. Ever wonder how CMS keeps up with privacy requirements so consistently? Well, the agency makes mistakes just like you do, and is subject to the same notification regulations as your organization.

Between 2009 and 2011, the Centers for Medicare & Medicaid Services reported that it had 14 breaches of protected health information (PHI) requiring notification to the 13,775 Medicare beneficiaries affected, according to an HHS Office of Inspector General report, "CMS Response to Breaches and Medical Identity Theft," released this month.

Background: The Recovery Act requires covered entities to notify any individual whose PHI has been breached. If a breach impacts 500 or more residents of a state or jurisdiction, the entity must also notify media outlets in the area to distribute word of the PHI leak.

The OIG sought to determine whether CMS responded appropriately to any PHI breaches that the agency or its contractors caused between Sept. 23, 2009 (when the Recovery Act went into effect) and Dec. 31, 2011.

One Mailing Error Impacts 13,412 Patients

CMS self-identified 14 breaches over the review period, impacting 13,775 beneficiaries total. However, one breach constituted the majority of the issues, affecting 13,412 patients. In that instance, a contractor erroneously sent Medicare Summary Notices containing PHI to the wrong addresses.

Ten additional breaches were attributed to mismailings or loss of documents during transit, while another two breaches involved beneficiary information being posted online. The final breach was discovered when a CMS contractor employee was arrested for stealing beneficiary information.

The OIG found that CMS appropriately notified all beneficiaries impacted by the 14 breaches, but did not meet the timeliness standard in seven instances. The Recovery Act dictates that breach notifications should be sent to beneficiaries within 60 days of discovery, but CMS took up to four months longer than that in a few cases, the OIG reports.

In response to the report, CMS says it "will develop new procedures and/or modify existing ones to improve the breach notification process."

Note: The OIG report is at https://oig.hhs.gov/oei/reports/oei-02-10-00040.pdf.
