CLOSE X

Digging Deeper

Meeting CMS proposed rule critical incident reporting and investigation requirements.

Medicaid home- and community-based services (HCBS) participants are among those most vulnerable to abuse, neglect and exploitation. Yet, a standard definition of what classifies as a critical incident in need of investigation and resolution does not exist across, or even within, states.

In fact, despite states having incident management regulations for health and human services programs for the protection of program participants, “there have been notable and high-profile instances of abuse and neglect in recent years that highlight the risks associated with poor quality care and with inadequate oversight of HCBS in Medicaid,” according to the Centers for Medicare & Medicaid Services (CMS).

Despite the programmatic need, according to CMS, a lack of standardization for incident reporting across states has meant critical incident definitions vary from state to state, or even within various state agencies. Further, the agency notes, manual, paper-based incident management remains a reality in many states today. And a lack of communication between state agencies remains a barrier to incident resolution for many.

A recently proposed rule, CMS-2442-P: Medicaid Program; Ensuring Access to Medicaid Services, seeks to change this. With new standards around critical incident management – including how incidents are defined and reported – the agency is seeking to find ways to better protect participants of HCBS waiver programs. The new rule requires states to operate and maintain an “incident management system that identifies, reports, triages, investigates, resolves, tracks and trends critical incidents. The proposal is intended to ensure standardized requirements for states regarding incidents that harm or place a beneficiary at risk of harm.”

According to the proposed rule, states must have incident management solutions that fulfill a series of requirements moving forward, including:

  • Electronic submission of incident reports from a variety of entities, including Medicaid fraud control units, adult protective services, child protective services and law enforcement.
  • Electronic tracking of incident investigation status.
  • Streamlined data sharing between incident reporting entities to aid in investigations.

According to the proposed rule, states must also report the results of an assessment of their incident management system to CMS every two years.

The CMS proposed rule was published in March and the agency accepted commentary until July 3, 2023. The more than 300-page proposed rule received hundreds of comments. Among the comments on incident management, was a request from the National Association of Medicaid Directors (NAMD)ADvancing States and the National Association for State Directors of Developmental Disabilities Services (NASDDDS) among others, that for a requirement of this magnitude – implementing an electronic incident management system – states be given at least five years to do all that is required to comply with the new regulations; CMS had proposed three years.

While the new CMS proposed rule is applicable to HCBS waiver programs, protecting and ensuring the health and safety of program participants remains a high priority for county, state and federal agencies serving vulnerable and at-risk populations. At FEI we share in that commitment and have designed an incident management solution that not only meets the needs of HCBS waiver programs, but a variety of other health and human services programs.

Our team of experts have developed a solution that collects and reports on incident data to facilitate the timely investigation and resolution of reported incidents. Further, our incident management solution offers trend analysis and predictive analytics to help identify patterns in behaviors or activities that can be tracked and used to prevent further events from occurring and causing harm.

As CMS seeks to increase access to Medicaid, improve quality measures and standardize incident management – as demonstrated in a series of recently proposed rules – we have aligned our technology solutions to assist our state partners in meeting these goals. We recognize the magnitude of these proposed rules and can accommodate new federal reporting and program management requirements without major impacts on day-to-day operations or a state agency’s bottom line.

See All News

FEI.com, Inc. dba FEI Systems – Notice of Data Security Incident

Columbia, Maryland, May 13, 2024 – FEI.com, Inc. dba FEI Systems (“FEI”) currently contracts with The Texas Health and Human Service Commission (“HHSC”) to provide a critical incident management system which captures critical incident reportable events for persons receiving services from health care providers in Texas (“Texas CIMS”). Among other things, Texas CIMS provides reports permitting health care providers to access certain personal information of individuals for whom they provide services.  The reporting tools in Texas CIMS are configured such that health care providers are able to view personal information only for those individuals they serve. Between May 1, 2023 and August 4, 2023, however, one of the reports in the system was not so configured, and, as a result, up to 17 administrators for various Texas health care providers may have viewed information in the report that did not belong to the individuals served by their respective providers. The information involved may have included individuals’ first names, last names, dates of birth, social security numbers, Medicaid IDs, and/or Care IDs.

FEI conducted a thorough review of the reasons why the information may have been viewable and has now remedied the issue such that provider administrators who access the report can only see information about the individuals directly served by their respective health care providers.  It is important to note that this was not a hacking incident. Instead, each of the provider administrators who may have accessed the report between May 1, 2023 and August 4, 2023 was authorized by HHSC to access Texas CIMS to view the confidential information of their health care providers and are trained to properly protect personal information, and each administrator attests upon signing on to Texas CIMS to protect the information that they see. FEI has no reason to believe the administrators that accessed Texas CIMS or the report at issue have misused any personal or sensitive information.

On May 9, 2024, FEI provided notice of this incident to potentially impacted individuals. In so doing, FEI provided information about the incident and about steps that potentially impacted individuals can take to protect their information. FEI also offered impacted individuals with access to complimentary credit monitoring and identity protection services.

FEI has established a toll-free call center to answer questions about the incident and to address related concerns. Call center representatives can be reached at 1-844-710-1716 between the hours of 8:00 a.m. to 8:00 p.m. Eastern time, Monday through Friday, excluding holidays.

The privacy and protection of personal information is a top priority for FEI, and FEI regrets any inconvenience or concern this incident may cause.

While we have no evidence of the misuse of any potentially impacted individual’s information, we are providing the following information to help those wanting to know more about steps they can take to protect themselves and their personal information:

 

What steps can I take to protect my personal information?

  • Please notify your financial institution immediately if you detect any suspicious activity on any of your accounts, including unauthorized transactions or new accounts opened in your name that you do not recognize. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.
  • You can request a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies. To do so, free of charge once every 12 months, please visit http://www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting agencies is listed at the bottom of this page.
  • You can take steps recommended by the Federal Trade Commission to protect yourself from identify theft. The FTC’s website offers helpful information at http://www.ftc.gov/idtheft.

How do I obtain a copy of my credit report?

You may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting http://www.annualcreditreport.com/, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You also can contact one of the following three agencies:

How do I put a fraud alert on my account?

You may want to consider placing a fraud alert on your credit report. An initial fraud alert is free and will stay on your credit file for one year. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above. Additional information is available at http://www.annualcreditreport.com.

 

How do I put a security freeze on my credit reports?

You have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans, and services from being approved in your name without your consent. To place a security freeze on your credit report, you need to make a request to each consumer reporting agency. You may make that request by certified mail, overnight mail, or regular stamped mail, or online by following the instructions found at the websites listed below. You will need to provide the following information when requesting a security freeze (note that if you are making a request for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; and (4) address. You may also be asked to provide other personal information such as your email address, a copy of a government-issued identification card, and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. There is no charge to place, lift, or remove a freeze.

 

What should I do if my family member’s information was involved in the incident and is deceased?

You may choose to notify the three major credit bureaus, Equifax, Experian and TransUnion, and request they flag the deceased credit file. This will prevent the credit file information from being used to open credit. To make this request, mail a copy of your family member’s death certificate to each company at the addresses below.

  • Equifax
    Equifax Information Services
    P.O. Box 105139,
    Atlanta, GA 30348
  • Experian
    Experian Information Services
    P.O. Box 9701
    Allen, TX 75013
  • TransUnion
    Trans Union Information Services
    P.O. Box 2000
    Chester, PA 19016

What should I do if my minor child’s information is involved in the incident?

You can request that each of the three national credit reporting agencies perform a manual search for a minor’s Social Security number to determine if there is an associated credit report. Copies of identifying information for the minor and parent/guardian may be required, including birth or adoption certificate, Social Security card and government issued identification card. If a credit report exists, you should request a copy of the report and immediately report any fraudulent accounts to the credit reporting agency. You can also report any misuse of a minor’s information to the FTC at https://www.identitytheft.gov/. For more information about Child Identity Theft and instructions for requesting a manual Social Security number search, visit the FTC website: https://www.consumer.ftc.gov/articles/0040-child-identity-theft. Contact information for the three national credit reporting agencies may be found above.

 
Steps You Can Take to Further Protect Your Information

Review Your Account Statements and Notify Law Enforcement of Suspicious Activity

As a precautionary measure, we recommend that you remain vigilant by reviewing your account statements and credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You also should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, including your state attorney general and the Federal Trade Commission (FTC).

To file a complaint with the FTC, go to IdentityTheft.gov or call 1-877-ID-THEFT (877-438-4338). Complaints filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, which is a database made available to law enforcement agencies.

 

Obtain and Monitor Your Credit Report

We recommend that you obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting www.annualcreditreport.com, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can access the request form at https://www.annualcreditreport.com/requestReport/requestForm.action. Or you can elect to purchase a copy of your credit report by contacting one of the three national credit reporting agencies. Contact information for the three national credit reporting agencies for the purpose of requesting a copy of your credit report or for general inquiries is provided below:

Consider Placing a Fraud Alert on Your Credit Report

You may want to consider placing a fraud alert on your credit report. An initial fraud alert is free and will stay on your credit file for at least 90 days. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above. Additional information is available at www.annualcreditreport.com.

 

Credit Report Monitoring/Identity Theft Protection Services

In addition, FEI will arrange to provide you with credit monitoring/identity theft protection services for one year, at no cost to you. Please contact us within 90 days of this notice to do so.