OIG: CMS needs better Medicaid breach info to identify trends
The Centers for Medicare and Medicaid Services should reissue guidance to states about reporting Medicaid breaches to the agency.
More consistent and improved reporting is essential so the federal agency can collect data to identify trends and respond effectively, according to the findings of an audit by the Department of Health and Human Services’ Office of Inspector General.
According to OIG, CMS issued guidance in 2006 advising states to immediately inform the agency of breaches of Medicaid data. However, auditors determined that most states do not routinely report the information.
“This evaluation builds on a body of work by the Office of Inspector General on protecting individuals from vulnerabilities related to the security of health information,” states the audit. “Prior reports have described how OIG found high-risk security vulnerabilities in state Medicaid agencies’ information systems and inadequate controls that could have resulted in unauthorized disclosure of PHI.”
Auditors noted that most breaches that occurred in 2016—the audit period—resulted from unauthorized access or disclosure of PHI, such as information being sent to the wrong beneficiary or physician office. Breaches also occurred when employees or family members improperly accessed or shared PHI without a legitimate business or medical need; only a few breaches resulted from hacking incidents.
“A small proportion of reported breaches, such as those that involved IT hacking, allowed unauthorized access to large amounts of Medicaid data and resulted in urgent responses from multiple agencies,” concluded auditors. “Other breaches released information about only a single beneficiary, yet still required attention to limit potential harm to the beneficiaries affected.”
Going forward, OIG recommended that CMS reissue guidance that clarifies its expectations for states’ reporting of Medicaid breaches.
“States may not be aware of any existing expectation to report Medicaid breaches to CMS because of the 2009 enactment of the Breach Notification Rule, which required entities to report breaches to OCR,” according to OIG. “Updated guidance from CMS should detail the circumstances under which states should report Medicaid breaches to CMS…and where states should send these reports.”
CMS concurred with OIG’s recommendation and indicated that it will communicate to states the necessary procedures and circumstances for reporting Medicaid breaches to the agency. CMS told OIG that it may ask states to report only higher-risk breaches or types of breaches that would be relevant to most other states.
“We encourage CMS to be as clear as possible in its guidance to states in defining what kinds of breaches it wants states to report—for example, what constitutes a higher-risk breach, or which types of breaches would be relevant to most states,” said auditors.