Providers, vendors: Ignore OIG's work plan at your peril

In many movies, you just know what's going to happen, at least in part. You predict it. You anticipate it. You know that in It's a Wonderful Life, for instance, Clarence the angel will help George Bailey realize that life is worth living. 

It's not clairvoyance on our part (who could predict the plot twist in, say, The Crying Game or The Sixth Sense?). It's just that sometimes we've been given the clues. You can't have a movie entitled It's a Wonderful Life with a depressing ending.

It's the same way with the Office of Inspector General's 2014 annual work plan. OIG is very transparent about its focus. And it's not a surprise that the agency has stepped up scrutiny of the electronic health record industry, since there's been such a proliferation of EHR use. There's no plot twist here.

For example, OIG has added to its 2014 work plan two new focus areas related to EHR. For the first time, OIG will examine the security controls over medical devices that network with EHRs, such as dialysis machines and medication dispensing systems. The work plan specifically alerts providers that OIG will, among other things, be looking at whether providers are availing themselves of the device manufacturers' Medical Device Security Forms to reduce vulnerabilities.

OIG also will, for the first time, audit providers receiving Meaningful Use incentive payments and their business associates--such as cloud services providers--to determine whether they adequately protect EHRs created or maintained by certified technology. The work plan states that the security risk analysis objective is very important and that OIG will be looking to see if cloud service providers are complying with both regulatory requirements and contractual obligations. 

Note that these are in addition to EHR-related issues that OIG already is investigating, including documentation/billing issues, the security of portable devices, and the Office for Civil Rights' oversight of HIPAA's privacy and breach notification rules.

No, what we're really all doing is waiting for the other shoe to drop.  

We know the what. What we don't know is the whom.

That's the burning question.

Who will be the hapless provider that becomes the poster child for OIG? The one that becomes the teachable moment.

"Don't do what this hospital/practice/business associate did." The one that got caught. The one that suffers the blow to its reputation, the negative publicity, the thousands (or millions) of dollars in fines and legal fees.

I don't have a crystal ball. But I'd predict, especially since this is new ground for OIG, that the agency is going to go for low-hanging fruit to set an example for the rest of the industry. Last year was filled with big-money settlements with the pharmaceutical industry: Johnson & Johnson. GlaxoSmithKline. Abbott. The Department of Justice set record numbers for healthcare prosecutions. There were $2.6 billion in healthcare fraud recoveries.

This year may be the year of the EHR fraud backlash. The government is going to try to go big. Capture a big violation. Teach a lesson.

Providers--and to some extent EHR vendors--OIG has put you on notice. Consider yourselves warned. You don't want to be the government's poster child.

You want the predictable happy ending. - Marla (@MarlaHirsch @FierceHealthIT)