The Centers for Medicare & Medicaid Services (CMS) should try to get away from basing Medicare numbers on Social Security numbers, according to officials at the Office of the Inspector General for the U.S. Department of Health and Human Services (HHS OIG).
HHS OIG officials have included that recommendation in a report on how CMS Medicare program managers have handled breaches of Medicare enrollee information and actual cases of Medicare-related identity theft.
A provision in the American Recovery and Reinvestment Act (ARRA) requires CMS to notify the affected Medicare enrollees and provide other help when breaches occur, HHS OIG officials said in the report.
The investigators used CMS breach data to conduct the analysis.
The investigators found 14 reported breaches of protected health information that took place between Sept. 23, 2009, when ARRA took effect, and the end of 2011.
The breaches affected about 14,000 Medicare enrollees.
Although CMS identified the affected enrollees, it had trouble with meeting other ARRA requirements, such as sending information in a timely fashion, giving a description of how CMS is investigating the breach, a description of what happened, and steps enrollees can take to protect themselves, officials said.