Most data breaches within the health service sector, specifically within Medicaid agencies, result from misdirected and poorly coordinated communication. Although most of the many breaches did not affect beneficiaries, they still posed, and continue to pose, security dangers to all parties involved in the agency’s work. The breaches were often characterized by miscommunications through letters, faxes, or other documents that unknowingly exposed Medicaid beneficiaries’ names or identification numbers (Murrin, 2018). Breaches that resulted from IT incidents or third-party involvement were much less prevalent. The current compliance guidance presents a concise breach-response plan with four steps. First, the agency gathers information about the incident. Second, the incident is assessed and a response is formulated. Third, the agency takes steps to contact and protect affected individuals. Fourth, the agency implements corrective measures to minimize the vulnerability of its equipment and databases. The compliance measures set by the Centers for Medicare and Medicaid Services (CMS) are thus concise, and they also direct the states in which the agencies operate to inform CMS of breaches. However, most states have been found not to routinely report such breaches to CMS.
Currently, Medicaid agencies and the contractors that work with them are responsible for processing the health information of millions of beneficiaries. Prior OIG reviews have identified multiple vulnerabilities within these agencies’ information systems. These weaknesses have the potential to result in the mass unauthorized disclosure of a variety of personal and protected health information. Such breaches can become catalysts for fraudulent activities such as identity theft, as well as for harmful actions that leave Medicaid programs susceptible to fraud. Medicaid agencies’ responses to breaches have therefore begun to improve, with actions such as mandatory notification of beneficiaries, identity-theft protection and credit-monitoring services, and the issuing of new identification numbers where necessary. Additionally, some agencies have implemented corrective measures such as retraining employees, modifying policies and procedures, and enforcing restrictions on access to beneficiaries’ protected health information.
With the increased prevalence of digital records of patient health information, the ways in which such data is used have been debated. On one hand, the gathered information may be applied in ways that improve the quality of care; on the other, it creates greater exposure to data breaches. CMS therefore upholds regulations that prioritize improved patient access, transparent and consistent privacy safeguards, and consensual exchange of health information. The 21st Century Cures Act, along with follow-up regulations from CMS, aims to improve the access that both clinicians and patients have to such health information while limiting the risk of system insecurities to the best of the agency’s ability (Rockwern et al., 2021). These regulations give patients control over their personal health information, allow patient-directed exchange of data via mHealth apps, and establish information-blocking policies. The policies have also changed how programs and tools are built, as they drive standards-based applications, interfaces, and system programming. However, the current CMS regulations also have drawbacks. For instance, once patients disclose personal health information to apps or other digital health devices, the data is no longer protected by HIPAA. This vulnerability illustrates the current need for industry-wide guardrails that adhere to a national privacy framework capable of keeping up with the ever-growing landscape of digital health care.
A recent breach occurred among beneficiaries of AllyAlign Health, a VA-based Medicare agency; it was identified and reported as a ransomware attack by the health plan administrator (Alder, 2021). The system accessed by the attackers included beneficiaries’ first and last names, dates of birth, social security numbers, medical histories, health insurance policy numbers, Medicare beneficiary identifiers, and insurance claim numbers. The agency therefore notified beneficiaries that a substantial amount of this information may have been compromised. Although the agency did not report in which ways the affected individuals may have been harmed by the breach, the leak of personal data is significant. After the breach, AllyAlign Health responded in a timely manner and, with the expertise of IT specialists, returned its network environment to a secure state. In the period since the breach, the agency has updated the policies and procedures related to the security of its systems and servers.
Current and future regulations are likely to expand, becoming substantial and difficult to navigate and implement, which will demand greater involvement from compliance officers, especially those working in HIPAA compliance programs. Their responsibilities include developing and maintaining HIPAA-compliant programs, which will be essential in formulating universal policies that account for patient privacy, accessibility for agencies and physicians, and the improvement of medical care with the assistance of data. Policy changes will also require increased training of employees within compliance programs and assurance that patient rights are protected in accordance with the law throughout the process.
CMS has been enforcing compliance with the Administrative Simplification requirements on behalf of HHS (Centers for Medicare and Medicaid Services, 2020). These changes have become apparent in enforcement activities such as the education of healthcare providers, health plans, software vendors, and other affected groups. Greater attention has also been paid to resolving complaints, especially beneficiary-submitted reports of fraud. CMS has also been conducting proactive and transparent compliance audits. Adherence to these requirements has improved the timeliness of certain transactions within healthcare organizations and reduced the associated financial losses. Investigations may continue where HIPAA violations are identified, but the improved policy that adheres to nationwide laws has increased security and lowered the likelihood of data breaches across the entire health industry.
Alder, S. (2021). Tens of Thousands of Individuals Affected by AllyAlign Health Ransomware Attack. HIPAA Journal.
Centers for Medicare and Medicaid Services. (2020). Enforcement and Compliance Overview. CMS.gov.
Murrin, S. (2018). States Follow a Common Framework in Responding to Breaches of Medicaid Data. Office of Inspector General.
Rockwern, B., Johnson, D., & Sulmasy, L. S. (2021). Health Information Privacy, Protection, and Use in the Expanding Digital Health Ecosystem: A Position Paper of the American College of Physicians. Annals of Internal Medicine, 174(7), 994-998.