Health IT Pulse

Oct 16 2012 11:51AM GMT

OIG: CMS fails to meet medical data breach reporting standards

Alex Delvecchio

Tags:
CMS
Data breach
health care data breach
HITECH Act

The Centers for Medicare and Medicaid Services (CMS) failed to meet the HITECH Act’s standard for timeliness in reporting medical data breaches to beneficiaries in seven of 14 cases over a two-year period, according to an Office of Inspector General (OIG) report.

CMS did notify all beneficiaries about each of the 14 breaches, but it failed to do so within the recommended 60-day timeframe in half of the cases. The 14 breaches affected 13,775 beneficiaries and occurred between September 23, 2009 and December 31, 2011, the agency wrote in its report.

Health care facilities should have a data breach response plan in place so they can react to unauthorized access to patient information. Data breaches are most often the result of misplaced or stolen laptops, with 110 of 480 reported cases attributed to that cause. User education is the most important step in protecting against potential data breaches, particularly as patient access to information increases under meaningful use stage 2.

The patient data of nearly 3,900 people was put at risk during a recent data breach at Beth Israel Deaconess Medical Center (BIDMC). The data was compromised when a physician’s laptop was stolen. The risk of data breaches will always exist as long as physicians and others need access to medical information. BIDMC’s reaction to this breach was to educate its network users and encourage them to let hospital IT staff install the proper security controls on hospital-purchased employee devices.

More than 70% of health care professionals responded that their organizations had suffered a data breach during a yearlong period, according to a survey by Veriphyr. The survey also highlighted that some data breaches take longer to detect than others: respondents noted that 17% of reported breaches took between two and four weeks to be discovered. A minority (16%) of the reported breaches were resolved in one to three days, while 25% were resolved in two to four weeks.

The HITECH Act redefined the conditions for data breach reporting. It states that any Health Insurance Portability and Accountability Act (HIPAA)-covered entity must report data breaches that affect more than 500 patients. As of January 2012, 400 data breaches had met that reporting standard. In addition, under HITECH Act rules, encrypted data is considered protected and does not have to be reported as compromised in the event of a data breach.

7  Comments on this Post

  • Ed Burns
    OIG: #CMS fails to meet medical data breach reporting standards http://t.co/bTRrI0VI
  • Don Fluckinger
    OIG: CMS fails to meet medical data breach reporting standards #HIPAA http://t.co/D1hsKxe2
  • David May
    OIG: CMS fails to meet medical data breach reporting standards #HIPAA http://t.co/D1hsKxe2
  • Jenny Laurello
    RT @DonFluckinger: OIG: CMS fails to meet medical data breach reporting standards #HIPAA http://t.co/22BiDvys
  • Donna Speckhard
    Not surprising @HITExchange: RT @DonFluckinger: OIG: CMS fails to meet medical data breach reporting standards #HIPAA http://t.co/f3gVnk0f
  • Karima Zannotti
    RT @DonFluckinger: OIG: CMS fails to meet medical data breach reporting standards #HIPAA http://t.co/22BiDvys
  • OIG report: EHR incentive program lacks prepayment, auditing protocols - Health IT Pulse
    [...] is the second OIG report to criticize the CMS recently for falling short of standards set through the HITECH Act. [...]
