CMS Updates Requirements and Procedures for Reporting Security and Privacy Breaches
This article reprint appears courtesy of the American Health Lawyers Association.
Related Attorneys: Karen R. Palmersheim
Related Practice: Health Care
The Centers for Medicare & Medicaid Services (CMS) published on September 28, 2010, a memorandum updating its security and privacy breach reporting procedures under the Medicare Advantage and Part D Programs. The Memorandum replaces in its entirety CMS's December 16, 2008, Health Plan Management System memorandum on the same issues (entitled "Security and Privacy Reminders and Clarification of Reporting Procedures"). The Memorandum applies to Medicare Advantage Organizations, Medicare Prescription Drug Plan (PDP) Sponsors, Cost-Based Contractors, and Employer/Union Sponsored Group Health Plans (collectively, Plan Sponsors).
CMS previously required that Plan Sponsors—covered entities under the Health Insurance Portability and Accountability Act (HIPAA)—report breaches to CMS's IT Service Desk. According to the Memorandum, this will no longer be required. Instead, Plan Sponsors must follow the instructions provided by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) relating to the new HITECH breach notification regulations.
Additionally, CMS revised its requirements for reporting security breaches. Previously, CMS required that any security breach involving protected health information (PHI) be reported within one hour of discovery/detection. CMS is now requiring that if there is potential for significant beneficiary harm, the breach be reported immediately (within two business days) to the Plan Sponsor's Regional Office Account Manager.
Notably, CMS stated that while OCR is responsible for enforcing HIPAA Privacy, Security, and Breach Notification rules, CMS has independent authority over Plan Sponsors to ensure compliance with all federal regulations and sub-regulatory guidance. CMS cautioned that it may bring compliance and enforcement actions in connection with security and privacy breaches where CMS believes that the Plan Sponsors have not taken the appropriate measures to safeguard the security and privacy of their members.
CMS also reminded Plan Sponsors of various steps they should take to protect the security and privacy of PHI, and emphasized that Plan Sponsors should ensure that all first-tier, downstream, and related entities are aware of their responsibility to protect beneficiary data and to report suspected breaches.
Additional information, including a description of the breach notification requirements, instructions on notification, and links to breach notification forms, is available at the HHS website.
Copyright 2010 American Health Lawyers Association, Washington, DC
Reprint permission granted.
Further reprint requests should be directed to American Health Lawyers Association
1620 Eye Street, NW, 6th Floor
Washington, DC, 20006
For more information on Health Lawyers content, visit www.healthlawyers.org.