• E-mail
• Print
• RSS

HHS draws Senate attention for OCR, CMS security and medical identity theft measures

HIM-HIPAA Insider, November 30, 2015

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Members of the Senate Committee on Health, Education, Labor, and Pensions (HELP) and the Senate Committee on Finance co-signed a letter to the Department of Health and Human Services (HHS) voicing serious concerns about the protection of PHI following a series of massive health data breaches. The letter, addressed to Andy Slavitt, acting administrator of Centers for Medicare and Medicaid Services (CMS) and Jocelyn Samuels, director of the Office for Civil Rights (OCR), cites the cyberattacks against Anthem, Premera, CareFirst, Excellus, and UCLA as a call to action. The letter is signed by Lamar Alexander (R-Tenn.), Orrin Hatch (R-Utah), Patty Murray (D-Wash.), and Ron Wyden (D-Ore.).

The senators express growing concern over the number of Americans whose PHI has been breached and are at risk for medical identity theft and other forms of fraud. The letter goes on to ask specific questions about the type and adequacy of measures HHS, OCR, and CMS take to protect patient data. The senators ask for information on the effects of large breaches on fraud cases and the resources each agency makes available to victims. They are also requesting data on the effects large breaches have on non-covered entities. Some of their questions are:

• What support does HHS provide to federal, state, and local law enforcement officials to aid their response to medical identity theft?
• What services does CMS offer to Medicare and Medicaid beneficiaries who suspect they are victims of medical identity theft? How long do individuals who report identity theft to CMS have to wait for a response?
• In addition to OCR's publicly available list of breaches affecting 500 or more individuals, do OCR and CMS track reported cases of medical identity theft? If so, please provide summary of this information and a description of how this information is collected. Please include an assessment of whether this number captures the full number of cases, or if HHS believes this is an underreported crime? If HHS does not track this information, does any other federal agency?

The letter raises concerns over CMS’ willingness to assist victims of medical identity theft, stating that “in recent years, CMS has demonstrated reluctance to correct Medicare billing records for victims of medical identity theft due to fears such corrections would negatively impact beneficiaries deductible and coinsurance status, CMS internal accounting systems, and civil and criminal prosecutions.”

Medical identity fraud also represents significant losses for the Medicare Trust Funds and taxpayers, the letter says. In one incident cited from the testimony of Gary Cantrell, deputy inspector general for the Office of Inspector General, a transnational group set up a fake medical clinic and billed Medicare for over $1 million. A 2014 report from The Economist that estimated fraud added almost 10% to total annual Medicare and Medicaid spending is also brought to bear on the senators’ point.

The senators request that HHS respond to their questions by November 25.

Due in large part to the massive insurance provider breaches, as many as 154 million individuals were put at risk for medical identity theft this year, according to The Fiscal Times.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

• E-mail to a Colleague
• Print
• RSS
• Archive