This New Year, the OIG gives you another reason to reinstate your focus on HIPAA compliance.
Amongst other things, the OIG 2016 work plan has put a special impetus on compliance relating to electronic protected health information (ePHI) and electronic health records (EHRs), so prepping now to cover any compliance gaps in these and some other key areas will be crucial.
“The OIG is correct in being concerned about this issue, both as a technical and an oversight issue for the OCR,” says Duane C. Abbey, PhD, president of Abbey and Abbey Consultants Inc., in Ames, IA. “Hospitals need to look both internally and externally at security measures of the ePHI.”
Here’s a low down on what you can expect in the coming year from the OIG.
Get Watertight on ePHI Security
In FY 2016, the OIG will take a hard look at whether the HHS Office for Civil Rights (OCR) is providing adequate oversight of ePHI security.
Background: Prior OIG audits discovered that OCR has not assessed the risks, established priorities, or implemented controls for its Health Information Technology for Economic and Clinical Health (HITECH) Act requirement to provide for periodic audits of covered entities (CEs) and business associates (BAs) to ensure compliance with the Act and HIPAA requirements.
Therefore, OCR had limited assurance that CEs and BAs adequately protected ePHI in the past, according to the OIG. Prior OIG audits also found numerous vulnerabilities in the systems and controls to protect ePHI.
Impact to you: “Internally, this would normally be handled by the IT department,” tells Abbey. “However, health information personnel along with billing personnel need to be involved in establishing and following proper policies and procedures in this area. Probably the greatest concern is with BAs, that is, what security P&Ps are in place with the BAs that receive and use the ePHI. For instance, how do they (BA) erase ePHI after they are done with work?”
Expect Scrutiny of Your EHR Incentive Payments, Too
As part of its “Delivery System Reform” efforts, the OIG will scrutinize providers participating in Accountable Care Organizations (ACOs) in the Medicare Shared Savings Program (MSSP) to know about:
Use of EHRs to exchange health information in achieving care coordination goals
Providers’ use of EHRs to identify best practices
Possible challenges the provider face in exchanging and using health data, such as degree of interoperability, financial barriers, or information blocking.
The OIG plans to review the CMS incentive payment system. What’s more, CMS plans to oversee incentive payments and corrective actions it’s taken regarding erroneous incentive payments will also be under the microscope.
Here’s why: As of July 2015, Medicare EHR incentive payments totaled more than $20 billion and Medicaid incentive payments totaled more than $9 billion. The OIG will review incentive payment data to identify payments to providers who should not have received incentive payments, for reasons such as they didn’t meet selected meaningful use criteria.
Show Them You Deserved Your EHR Incentive
The OIG plans to audit CEs receiving EHR incentives to confirm whether they adequately protect ePHI that is contained in their EHRs. And one way the OIG will do this is by determining whether you’ve conducted a risk analysis. This is the most common reason for failure, because most providers tend to have a lack of an adequate security risk analysis and appropriate remediation.
“Make certain that your hospital has a well-documented security plan that includes an on-going risk assessment component,” advises Abbey. “Risk assessment is not a one-time activity. Be certain that you can justify any incentive payments with an appropriate risk assessment process.”
The OIG says…
“A core meaningful use objective for eligible providers and hospitals is to protect electronic health information created or maintained by certified EHR technology by implementing appropriate technical capabilities.
To meet and measure this objective, eligible hospitals must conduct a security risk analysis of certified EHR technology as defined in Federal regulations and use the capabilities and standards of Certified Electronic Health Record Technology.”
Hospitals: Your Contingency Planning Is Under Scrutiny
In FY 2016, the OIG will also crack down on hospitals’ compliance with the HIPAA Security Rule’s requirements for contingency planning. Specifically, the OIG will compare hospitals’ contingency plans with government- and industry-recommended practices.
The implementation specifications include the following five elements:
1. Data backup plan
2. Disaster recovery plan;
3. Emergency mode operation plan
4. Testing and revision procedure
5. Applications and data criticality analysis.
Impact to you: Most certainly, a good Backup/Recovery/Contingency Plan is a must for all hospitals and would help you not only with the HIPAA perspective but with other regulatory requirements too. It’s time now to invest in a proper contingency plan if you are still thinking about alternative approaches.
Even though “most of this will involve the IT department at the hospital, other departments (e.g., health information, patient financial services and clinical areas) should also be involved in creating and understanding the P&Ps for activities such as backing up data, disaster recovery and emergency mode operation,” opines Abbey. “These departments should anticipate that they will have to participate in training and testing of associated P&Ps.”
Another New Target: Networked Medical Devices
A new initiative that the OIG is undertaking in FY 2016 is the scrutiny of adequacy of U.S. Food and Drug Administration’s (FDA’s) measures to protect the ePHI and ensure beneficiary safety associated with hospitals’ networked medical devices.
In particular, the OIG will look at computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network, to assess the vulnerabilities and risks associated with the ePHI that a medical device transmits or maintains.
Watch out: The OIG cited medical device manufacturers’ Manufacturer Disclosure Statement for Medical Device Security (MDS2), so expect the OIG to scrutinize whether you’re using these MDS2 forms.
Impact to you: In highlighting the MDS2 forms, the OIG has effectively signaled that HIPAA-covered entities that use networked medical devices should document the ways in which they have considered the disclosure statements for such devices as part of their HIPAA security risk assessments and overall HIPAA compliance plans.
Dispose the device carefully: Although not mentioned in the 2016 Work Plan, improper disposal of networked medical devices also carries significant HIPAA risks. There is a risk of a HIPAA violation for any devices that store ePHI locally but are not stripped of all ePHI or otherwise destroyed prior to disposal.
“Erasing, wiping, or electronic shredding of data is really the goal and there are a number of government standards by which electronic shredding can take place,” enlightens Abbey. “This involves overwriting the data a number of times with random characters.”
Here’s why: In 2013, Affinity Health Plan Inc. was slapped with a $1.2-million settlement agreement with HHS. The reason? They tried to return photocopier machines to their leasing agent without erasing the patient data contained on the copiers’ hard drives.
Final takeaway: The OIG’s Work Plan should not be the only compliance guidelines you use for internal initiatives, but OIG’s focus on specific initiatives can help you shape your organization’s compliance program for the year 2016.
“The main imperative is to take the time to assess where PHI is stored electronically,” stresses Abbey. “Once you have determined where it is stored, even if only temporarily, then you can develop appropriate policies and procedures to address issues such as security and data disposal. Also, expand your thinking to include the greater use of cellular or telemetry data that may be gathered from a variety of sources including patients themselves.”
Link: To read the OIG’s FY 2016 Work Plan, go to http://oig.hhs.gov/reports-and-publications/archives/workplan/2016/oig-work-plan-2016.pdf.