Health Information Compliance Alert

Patient Privacy:

More Reasons For You To Thwart Patient Privacy Breaches

Published on Mon Nov 05, 2012

PDF

OIG finds even CMS fallible.

Have you ever wondered how the Centers for Medicare & Medicaid Services keep all 40+ million Medicare beneficiaries protected under HIPAA? Keeping the privacy secure for the patient base of a practice or a facility is challenging enough. The troubling truth is that the agency is subject to the same penalties that you are in the event of a breach -- and it is also vulnerable to privacy breaches.

Between 2009 and 2011, CMS reported that it had 14 breaches of protected health information (PHI) requiring notification to the 13,775 Medicare beneficiaries affected, according to the OIG report, "CMS Response to Breaches and Medical Identity Theft," released on Oct. 10.

Background: The Recovery Act requires covered entities to notify any individual whose PHI has been breached. If a breach impacts 500 or more residents of a state or jurisdiction, the entity must also notify media outlets in the area to distribute the word of the PHI leak.

The OIG sought to determine whether CMS responded appropriately to any PHI breaches that the agency or its contractors caused between Sept. 23, 2009 (when the Recovery Act went into effect) and Dec. 31, 2011.

One Mailing Error Impacts 13,412 Patients

CMS self-identified 14 breaches over the review period, impacting 13,775 beneficiaries total. However, one breach constituted the majority of the issues, affecting 13,412 patients. In that instance, a contractor erroneously sent Medicare Summary Notices containing PHI to the wrong addresses.

Ten additional breaches were attributed to mis-mailings or loss of documents during transit, while another two breaches involved beneficiary information being posted online. The final breach was discovered when a CMS contractor employee was arrested for stealing beneficiary information.

The OIG found that CMS appropriately notified all beneficiaries impacted by the 14 breaches, but did not meet the timeliness standard in seven instances. The Recovery Act dictates that breach notifications should be sent to beneficiaries within 60 days of discovery, but CMS took up to four months longer than that in a few cases, the OIG reports.

In response to the report, CMS noted that it "will develop new procedures and/or modify existing ones to improve the breach notification process."

Resource: To read the complete OIG report, visit https://oig.hhs.gov/oei/reports/oei-02-10-00040.pdf.

Health Information Compliance Alert

PECOS:
CMS Makes Vast Improvements To Revalidation Process
Plus: The agency acquiesces and begins accepting faxed, emailed supporting documents. You need to get [...]

Patient Privacy:
More Reasons For You To Thwart Patient Privacy Breaches
OIG finds even CMS fallible. Have you ever wondered how the Centers for Medicare & [...]

Avoid Spending Thousands To Clean Up HIPAA Compliance Issues
Follow these 8 tips to comply with security rule. How would your practice handle the [...]

Documentation:
3-Step Process Helps Ensure HIPAA-Compliant Psychotherapy
Let cooler heads prevail with patient notes. While HIPAA doesn't require providers who offer mental [...]

Home Health F2F Compliance:
Ensure Your Face-To-Face Documentation Passes Muster
OIG's investigation of F2F compliance could get ugly. You need to keep your F2F documentation [...]

Industry Notes:
HIPAA Penalties In Play
If a new Department of Justice conviction and guilty plea are any indications of what [...]

Reader Question:
Keep Physician Communication Open To Avoid Getting Stuck With The Home Health Bill
Question: We have run into a unique situation for us. A client's family member called [...]

View All