CMS's Privacy Problem: Data Breaches, Medicare Numbers, and Inaction

more+
less-
more+
less-

[authors: Lynn Sessions, Cory Fox]

The Department of Health and Human Services Office of Inspector General (“OIG”) recently published a report, CMS Response to Breaches and Medical Identity Theft (“Report”), which referenced 14 breaches of medical information by the Centers for Medicare and Medicaid Services (CMS), including Medicare numbers, affecting nearly 14,000 beneficiaries in the past two years. Because the Medicare number includes a beneficiary's social security number, the risk of identity theft resulting from these breaches is significant. CMS's notification to the affected individuals routinely failed to meet the timeliness and content requirements imposed by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). To address these and other breaches, CMS has set up a database of the Medicare numbers of 284,000 beneficiaries and 5,000 providers that have been involved in medical identity theft in the past and are regarded as vulnerable. The Report notes, however, that database users reported problems with the interface and that the database alone is not an adequate remedy.

CMS's continued use of social security numbers as Medicare numbers has been under scrutiny for several years. Since 2002, the U.S. Government Accountability Office (GAO) has repeatedly recommended that CMS use a different methodology in assigning Medicare numbers in order to protect social security numbers. In May 2008, the OIG issued a report urging CMS to remove social security numbers from Medicare cards in order to prevent identity theft. CMS has consistently refused to modify its methodology, citing logistical and cost constraints. In an August 2012 hearing before the House Ways and Means Committee, Tony Trenkle, CMS's Chief Information Officer, testified that transitioning to a new methodology "would be a task of enormous complexity and cost that, undertaken without sufficient planning, would present great risks to continued access to healthcare for Medicare beneficiaries." Mr. Trenkle estimated that the cost of a smooth transition could be as high as $845 million, and he cautioned the committee that the transition would mean a substantial change for physicians treating Medicare patients. This recent string of CMS data breaches has captured the attention of lawmakers, who once again are calling for CMS to act.

Topics:  CMS, Data Breach, HITECH, Identity Theft, OIG

Published In: Administrative Agency Updates, Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »