OIG's work plan shifts review of EHRs, warns of further scrutiny

A focus on electronic health records and health IT by the Department of Health and Human Services' Office of Inspector General shows no signs of abating, as evidenced by its 2016 work plan, issued Nov. 2. But its priorities certainly have evolved.

The new plan, which outlines what OIG will investigate in order to maintain the integrity of HHS' programs, will continue to review the EHR-related issues from last year's work plan, which are:

  • The use of EHRs to support care coordination by accountable care organizations
  • Medicare and Medicaid Meaningful Use incentive payments
  • The security of certified EHR technology under Meaningful Use
  • The extent to which hospitals comply with EHR contingency planning requirements of HIPAA

The 2016 work plan also adds two new EHR-related issues: The first is to examine whether the U.S. Food and Drug Administration's oversight of hospitals' networked medical devices is sufficient to protect electronic patient protected health information (ePHI) integrated with EHRs and the larger health network; the second is to review the Office for Civil Rights' (OCR) oversight of the security of ePHI, much of which is found on EHRs and other health IT.    

These two new agenda items aren't surprising. The security of medical devices and electronic patient information have both been hot-button, highly publicized problems this year, with all of the hacking breaches and warnings about the vulnerability of infusion pumps and heart monitors.

But there's been a subtle shift in OIG's focus.

First, look at its examination of the FDA's oversight of medical devices networked to EHRs. It may look familiar. This issue is new only in that the FDA is now the agency on the hook. Just a year ago, the OIG work plan said that OIG would examine the Centers for Medicare & Medicaid Services' oversight of medical devices networked to EHRs. This was dropped from the 2015 updated work plan and has been renewed, indicating that the baton on oversight has been passed from CMS to FDA. Now we'll get to see how well FDA does this job. This also indicates the expansion of agency oversight of EHRs beyond CMS and the Office of the National Coordinator for Health IT.

Moreover, OIG has further expanded its scrutiny beyond that of providers to review the agencies that regulate them. OIG is willing not only to delve into what providers are doing, but also to take a broader look at how well the overseers are overseeing. That way, the OIG can review a problem from two different, related angles: via both a deep dive and a view from 30,000 feet.

What's also intriguing is what isn't in the 2016 work plan: After all of the brouhaha about information blocking this year, one would have thought that OIG would have added that in. But it didn't.

It could be that having just issued its alert that EHR donation programs that contribute to information blocking are unlawful, OIG is taking a wait-and-see approach regarding whether it needs to elevate this issue to the work plan. After all, there's been some indication that information blocking isn't as cut and dried a problem as it first appeared.

Then again, OIG may be waiting to see what occurs with the 21st Century Act, which could give it more authority to go after vendors which block information. Currently, OIG can only go after providers, and they're not the only information blockers.

OIG obviously has a lot more on its plate than EHRs and health IT. There are a number of new issues, plus many that have been revised this year, also indicating OIG's willingness to update its focus as needed.

But OIG made no bones about its plans to keep EHRs in its crosshairs:

"Going forward, OIG's planning efforts will consider the significant challenges that exist with respect to Health IT adoption; Meaningful Use; and interoperability across providers, across HHS, and between providers and patients. Future work may also examine the outcomes from health IT investments," the work plan states. "OIG expects to broaden its portfolio regarding information privacy and security, including issues that arise from the continuing expansion of the Internet of Things."

As I've noted before, the industry needs to take the work plan very seriously. OIG is being very transparent about what it considers the biggest threats. We can't say we weren't warned. - Marla (@MarlaHirsch and @FierceHealthIT)