OIG to more heavily scrutinize med devices

Medical devices now will be subject to scrutiny from the Office of the Inspector General, according to OIG's 2014 work plan.

The plan, published at the end of January, lays out all of OIG's hospital-related policies and practices, including billing and payments, quality of care, emergency preparedness and more, among them policies related to medical device security, safety and efficacy.

"We will review Medicare claims to identify the costs resulting from additional utilization of medical services associated with defective medical devices and determine the impact of the cost on the Medicare Trust Fund," the plan states. "[The context is that] CMS has previously expressed concerns about the impact of the cost of replacement devices, including ancillary cost, on Medicare payments for inpatient and outpatient services."

OIG also is concerned with portable devices containing protected health information (PHI). It plans to review the security controls that Medicare and Medicaid contractors and providers have implemented to prevent the loss of PHI on portable devices, such as laptops, jump drives, backup tapes and equipment considered for disposal.

Networked devices at hospitals will be subject to scrutiny, too.

"Medical device information security is an important area, and this may be the OIG activity that has the largest impact," attorney Adam Greene of the law firm Davis Wright Tremaine told HealthcareInfoSecurity. "OIG's findings in this area will bring more attention to this problem and could spur HHS and other regulators to increase their focus on this issue."

Greene added that he'll be interested to see whether or not OIG addresses the roles of different agencies in improving device security.

OIG also will ramp up attention on the security and integrity of electronic health records in 2014, adding two new focus areas specific to EHRs and continuing its examination of their use in other areas.

The plan states that for the first time, OIG will examine the security controls over medical devices that network with EHRs, such as dialysis machines and medication dispensing systems. OIG also will audit providers receiving Meaningful Use incentive payments and their business associates--such as cloud services providers--to determine whether they adequately protect EHRs created or maintained by certified EHR technology. OIG points out that this requirement is a "core Meaningful Use objective."

To learn more:
- read the OIG report (.pdf)
- read the HealthcareInfoSecurity article