Electronic info is under special scrutiny.
Details related to electronic protected health information (ePHI) and electronic health records (EEHRs) will be under closer watch in 2016, thanks to information in the HHS Office of Inspector General (OIG) Work Plan. Read on for a heads-up on what to expect in the coming months.
Prepare for EHR Incentive Payment Double-Checks
`As part of its “Delivery System Reform” efforts, the OIG will review the extent to which providers participating in Accountable Care Organizations (ACOs) in the Medicare Shared Savings Program (MSSP) use EHRs to exchange health information in achieving care coordination goals. The OIG will also assess providers’ use of EHRs to identify best practices and possible challenges for exchanging and using health data, such as degree of interoperability, financial barriers, or information blocking.
Also on the OIG’s radar screen are the Medicare and Medicaid incentive payments for adopting EHRs. The OIG plans to review the incentive payment system, as well as CMS safeguards to prevent erroneous incentive payments.
Cost: As of July 2015, Medicare EHR incentive payments totaled more than $20 billion and Medicaid incentive payments totaled more than $9 billion. The OIG will review incentive payment data to identify payments to providers who should not have received incentive payments, for reasons such as they didn’t meet selected meaningful use criteria.
Be Forewarned: More Audits Are Coming
In addition, the OIG plans to perform audits of various CEs receiving EHR incentive payments from CMS to find out whether they adequately protect ePHI that the certified EHR technology creates or maintains. And one way the OIG will do this is by determining whether you’ve conducted a risk analysis.
Important: “A core meaningful use objective for eligible providers and hospitals is to protect electronic health information created or maintained by certified EHR technology by implementing appropriate technical capabilities,” the OIG stated. “To meet and measure this objective, eligible hospitals must conduct a security risk analysis of certified EHR technology as defined in Federal regulations and use the capabilities and standards of Certified Electronic Health Record Technology.”
Approximately 20 percent of physicians fail this objective, most often due to the lack of an adequate security risk analysis and appropriate remediation, according to a Nov. 4 analysis by consultant Gary Pritts of Eagle Consulting Partners.
There’s more: These newly announced audits are among several different audits that will occur in 2016, Pritts warned. You also have to prepare for the meaningful use audits by CMS contractor Figliozzi & Company next year, as well as the OCR Phase 2 audits, which are further delayed until the second quarter of 2016.
Clean Your Networked Medical Devices
Another area of interest is the controls over networked medical devices at hospitals, The OIG will examine whether the U.S. Food and Drug Administration’s (FDA’s) oversight of hospitals’ networked medical devices is sufficient to effectively protect associated ePHI and ensure beneficiary safety. This is a new initiative that the OIG is undertaking in FY 2016.
In particular, the OIG will look at computerized medical devices, such as dialysis machines, radiology systems and medication dispensing systems, which are integrated with electronic medical records (EMRs) and the larger health network.
The OIG cited medical device manufacturers’ Manufacturer Disclosure Statement for Medical Device Security (MDS2), so watch out for the OIG to scrutinize whether you’re using MDS2 forms to assess the vulnerabilities and risks associated with the ePHI that a medical device transmits or maintains.
Do this: “In highlighting the MDS2 forms, the OIG has effectively signaled that HIPAA-covered entities that use networked medical devices should document the ways in which they have considered the disclosure statements for such devices as part of their HIPAA security risk assessments and overall HIPAA compliance plans,” stated a Nov. 6 legal alert from McGuireWoods Consulting, LLP.
Also: Although not mentioned in the 2016 Work Plan, improper disposal of networked medical devices carries significant HIPAA risks, McGuireWoods cautioned. “Specifically, for any of these devices that store ePHI locally, there is a risk of a HIPAA violation if the device is not stripped of all ePHI or otherwise destroyed prior to disposal.”
For example, Affinity Health Plan, Inc., entered into a $1.2-million settlement agreement with HHS in 2013 for returning multiple photocopiers to a leasing agent without first erasing the data contained on the copiers’ hard drives.
Resource: To read the OIG’s FY 2016 Work Plan, go to http://oig.hhs.gov/reports-and-publications/archives/workplan/2016/oig-work-plan-2016.pdf.