State Medicaid Agency Breach Protections and Responses

Breaches of unsecured protected health information (PHI), including data held by State Medicaid agencies and their contractors, are a major concern for health care providers and consumers. The Breach Notification Rule (BNR) outlines requirements for health information safeguards and for notifications after the discovery of a breach of unsecured PHI (45 CFR §§ 164.400-414). Beyond the BNR requirements, State Medicaid agencies may establish other requirements that govern their responses to breaches. We will examine the efforts of State Medicaid agencies in conducting oversight and in responding to breaches.

Announced or Revised: Completed
Agency: Centers for Medicare & Medicaid Services
Title: State Medicaid Agency Breach Protections and Responses
Component: Office of Evaluation and Inspections
Report Number(s): OEI-09-16-00210
Expected Issue Date (FY): 2018