Tuesday, October 16, 2012

HIPAA/HITECH: It's Hard for the Big Guys, Too

This week, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released a report entitled CMS Response to Breaches and Medical Identity Theft.  The OIG was concerned about the possible medical identity theft that could come from misuse of Medicare beneficiary numbers.

The OIG found that between September 23, 2009 (the date the HITECH Act notification requirements became effective) and December 31, 2011, CMS reported 14 separate breaches of PHI affecting 13,775 Medicare beneficiaries.  And although CMS reportedly notified all affected individuals, it failed to meet several HITECH Act notification requirements, including:  
  • Failing to notify affected individuals within 60 days of the breach’s discovery;
  • Failing to describe how CMS’s contractors were investigating the breach, mitigating losses, or protecting against future breaches;
  • Failing to include information about when the breach occurred or the date when it was discovered; and
  • Failing to identify the type(s) of unsecured PHI involved, contact procedures for individuals to learn more about the breach, or steps individuals should take to protect themselves from harm. 
The OIG also noted that although CMS has created a Compromised Number Checklist (CNC) database for use by CMS contractors, CMS needs to provide guidance to its contractors about using the database information to stop payments on compromised Medicare numbers.

CMS actually agreed with most of the OIG's findings, and is working to improve its practices.

So if you feel like you are falling behind, you are certainly not alone.  Even the feds can't comply with their own rules very easily.

But given the enforcement environment, just keep at it!