OIG studied CMS breaches between Sept. 23, 2009, when the breach notification rule became effective, and Dec. 31, 2011. Most of the incidents were not large--the 14 breaches affected 13,775 Medicare beneficiaries--13,412 of those affected by a single breach caused by a Medicare summary notice printing error. Eight beneficiaries had information stolen by a contractor employee; 190 were affected in two incidents of information being posted online; and 165 were affected in 10 incidents of mismailings or lost communications.
In half the breaches, CMS did not notify affected beneficiaries within 60 days of discovery, as mandated under the federal breach notification rule. Delayed notifications ranged from four days past the deadline to four months. CMS, however, did notify the HHS Office for Civil Rights within required timeframes for all 14 breaches.
Patient notification letters for half the breaches also did not include required information such as date of breach or discovery, types of compromised information, contact information for patients to learn more, steps to protect from credit or identity theft and how losses were being mitigated, and protections against future breaches being implemented.
CMS has a compromised beneficiary number database that holds beneficiary and provider Medicare ID numbers involved in medical identity theft or vulnerable to theft, the Office of Inspector General notes. The database contains nearly 284,000 beneficiary numbers and 5,000 provider numbers. But contractors do not use the database in a standard and efficient manner, often are unaware of features, and find the database unfriendly to use, according to the report. Further, Medicare contractors also do not consistently develop edits to stop payments on compromised numbers.
The OIG also found that CMS provides more remedies to providers affected by medical identity theft than to Medicare beneficiaries. CMS has a program that may relieve providers of financial liabilities when their identity is stolen and used to file false claims, and providers also can get a new identification number.
Beneficiaries with compromised identification numbers, however, are not routinely assigned a new ID number, since Social Security numbers are used for identification. “The Social Security Administration IOG has encouraged CMS to eliminate Social Security numbers from beneficiaries’ Medicare numbers,” the report notes. “CMS officials, however, have cited high costs, the volume of changes, and operational and systems issues as barriers to altering beneficiary numbers.” Further, there is no standard procedure for ensuring that beneficiaries retain their access to services if their Medicare numbers have been compromised.
CMS concurred with four recommendations from the Office of Inspector General: Meet the notification deadlines, improve the compromised number database, educate contractors to better use the database, and develop a method for reissuing identification numbers to beneficiaries affected by medical identity theft.
In a recommendation to ensure beneficiary victims of medical ID theft retain access to needed services; CMS did not agree to correct beneficiary billing histories. “CMS citied concerns that changing billing records could negatively impact criminal and civil prosecutions and the integrity of the Medicare claims processing system,” according to the report. “However, CMS stated that it will consider the insertion of an indicator on the beneficiary claim record that would allow for payment of legitimate claims for victims of medical identity theft.”
The complete report is available here.