The Centers for Medicare & Medicaid Services (CMS) is requiring Humana to take corrective action and may pursue civil penalties after the health insurance company failed to adequately protect private information on its Medicare enrollees in two separate instances.

Only a month after 268 paper applications for Medicare enrollees in Humana health plans were stolen from an insurance agent's car in Minnesota, CMS revealed that personal data for 17,000 Humana enrollees was inadvertently left unprotected on a Baltimore hotel computer by an employee. The two privacy breaches involving the insurance company have raised concerns about the security of health plans' databases on people with Medicare.

The privacy breaches prompted CMS to impose corrective measures on Humana. The company is to contact all affected enrollees, provide them with free access to a credit–monitoring service for a year, and submit an action plan to prevent future incidents.

CMS Administrator Mark McClellan said in a June 5 statement that the agency will closely monitor Humana's compliance with those measures and "will take aggressive actions against any plan or Medicare contractor that compromises the privacy and security of Medicare beneficiaries' personal information."

McClellan also suggested that further punitive actions could be taken under criminal and civil enforcement provisions of the Health Insurance Portability and Accountability Act (HIPAA). Calling the compromise of enrollees' personal data "unacceptable," McClellan warned employees, contractors and health plans about federal and state penalties for violating enrollee privacy and security protections.

(reproduced with permission from Medicare Watch, Issue 14)