OIG 2015 work plan increases EHR scrutiny

The U.S. Department of Health and Human Services Office of Inspector General continues to ramp up its scrutiny of electronic health records, adding a new focus area specific to EHRs in its 2015 work plan and continuing most of its EHR-related reviews from last year.  

The 2015 work plan, published Oct. 31, says that for the first time, OIG will review hospitals' EHR contingency plans:

"We will determine the extent to which hospitals comply with contingency planning requirements of the Health Insurance Portability and Accountability Act [HIPAA]." the plan states. "We will also compare hospitals' contingency plans with government- and industry-recommended practices. The HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems that contain protected health information."

Other priority areas that OIG already is working on and that remain in the 2015 work plan include:

  • Whether providers that received Medicare and/or Medicaid Meaningful Use incentive payments were entitled to the money
  • How well the Centers for Medicare & Medicaid Services is overseeing the Meaningful Use payments being made
  • CMS oversight of hospitals' security controls over networked medical devices that are integrated with EHR systems
  • Whether covered entities and business associates, such as cloud services and other "downstream service providers" are adequately securing electronic patient protected health information created or maintained by certified EHR technology. OIG specifically states that hospitals must conduct security risk analyses.

OIG also hints that it may, in the future, evaluate electronic health information exchanges.

Interestingly, OIG has dropped from the work plan its intent to review the extent that EHRs have documentation vulnerabilities in evaluation and management coding or the security of portable devices containing protected health information, such as laptops. Both of these topics were included in past work plans. The 2015 work plan also does not explain if these are simply no longer focus areas or if OIG has already completed those reviews.

OIG provides oversight of more than 300 HHS programs. Its goals include fighting fraud, waste and abuse, promotion of quality, safety and value, and advancing excellence and innovation.

To learn more:
- here's the work plan (.pdf)