OIG's 2014 work plan steps up scrutiny of EHRs

The Office of Inspector General has ramped up its attention on the security and integrity of electronic health records in its 2014 work plan, adding two new focus areas specific to EHRs and continuing its examination of their use in other areas.

The plan, published Jan. 31, states that for the first time, OIG will examine the security controls over medical devices that network with EHRs, such as dialysis machines and medication dispensing systems. OIG also will audit providers receiving Meaningful Use incentive payments and their business associates--such as cloud services providers--to determine whether they adequately protect EHRs created or maintained by certified EHR technology. OIG points out that this requirement is a "core Meaningful Use objective."

Other priority areas that OIG already is working on that affect EHRs include:

  • The extent EHRs have documentation vulnerabilities in evaluation and management coding, particularly identical documentation in patient records
  • The security of portable devices containing protected health information, such as laptops
  • Providers who have received Medicare or Medicaid incentive payments
  • The U.S. Department of Health & Human Services Office for Civil Rights oversight of HIPAA's privacy and breach notification rules.  

The work plan clarifies the agency's specific focus areas and top priorities, providing much more detail about its operations than the four-year strategic plan, released last November. The strategic plan identified EHRs as one of OIG's "key focus areas" until at least 2018.    

The security and integrity of EHRs has been of growing concern to OIG, which provides independent and objective oversight of more than 300 HHS programs. Its goals include fighting fraud, waste and abuse, promotion of quality, safety and value, and advancing excellence and innovation. 

To learn more:
- here's the work plan (.pdf)