States Follow a Common Framework in Responding to Breaches of Medicaid Data

WHY WE DID THIS STUDY

State Medicaid agencies and their contractors maintain and process health information for millions of beneficiaries. Prior OIG reviews have identified vulnerabilities in States' information systems and controls-vulnerabilities that could have resulted in unauthorized disclosure of protected health information (PHI). States must be prepared to respond to breaches to limit potential harm, such as identity theft and fraudulent billing.

HOW WE DID THIS STUDY

We collected information about all breaches that Medicaid agencies and their contractors reported experiencing in 2016. We also surveyed 50 States and the District of Columbia to learn more about their processes for responding to breaches of PHI. Lastly, we interviewed and reviewed documents from officials in nine States to learn more about how each State responded to a specific breach that we selected and about their breach-response processes more generally. For each of these nine breaches, we examined how the State learned about the incident; how it determined whether the incident constituted a breach under HIPAA, how the State and others investigated the breach; and what actions the State took to protect its beneficiaries and programs and to correct vulnerabilities.

WHAT WE FOUND

Most of the 1,260 breaches that State Medicaid agencies and their contractors identified in 2016 disclosed information about a single individual and often resulted from misdirected letters or faxes; large breaches from hacking were rare. Most States' breach-response plans follow a common framework: (1) learning about incidents; (2) assessing incidents and determining how to respond; (3) taking steps to protect those affected; and (4) correcting vulnerabilities. However, the specific actions that States take vary depending on the circumstances of each breach and on any applicable State laws and requirements. These State actions address the potential harm that breaches can pose to Medicaid beneficiaries and programs. States' breach-response processes also address the requirements under the Breach Notification Rule-part of the Health Insurance Portability and Accountability Act (HIPAA)-for States to notify affected individuals and the Department of Health and Human Services' Office for Civil Rights. In 2006, CMS issued guidance advising States to inform CMS of breaches of Medicaid data. Some States shared that they report breaches to CMS in certain circumstances; however, most States said that they do not routinely do so.

WHAT WE RECOMMEND

We recommend that CMS reissue guidance to States about reporting Medicaid breaches to CMS. Collecting information on a national scale regarding Medicaid data breaches could help CMS identify breach trends and promote effective State responses. CMS concurred with our recommendation.