The annual OIG Work Plan was published on November 2nd. The Work Plan each year identifies what the Office of the Inspector General (“OIG”) of the Department of Health and Human Services will review and provides insight into what the OIG contemplates as risk areas. Traditionally, the Work Plan often includes outlier billing concerns (consider longstanding kwashiorkor reviews) and other known fraud targets. However, the Work Plan also includes new areas of focus that are coming onto the OIG’s radar. From this perspective, health IT and related issues are starting to hit the big time.
The 2016 Work Plan includes a number of new initiatives that focus on health IT related items with security an integral component of those reviews. The growing focus on health IT should not be surprising given the number of news stories identifying compliance and fraud concerns. Consider the ever-increasing number of data breaches that hit the news almost daily, or fears the electronic medical records can be used to easily misreport or overrepresent services being provided. As such, the OIG wants to look deeper into these areas to determine where exposure exists.
With that background, the following are new reviews impacting health IT contained in the 2016 Work Plan:
- Use of Electronic Health Records to Support Care Coordination through ACOs: Many reports and studies suggest that the free flow of data among accountable care organization (“ACO”) participants is an essential element for the potential success of an ACO. However, it is not entirely clear just how much EHRs allow data to be exchanged. Accordingly, the OIG is reviewing the extent to which ACO providers, specifically Medicare ACOs, use EHRs to exchange health information in pursuit of care coordination. The review will sweep in whether information blocking is occurring in addition to other barriers, whether technical or financial.
- CMS Management of the ICD-10 Implementation: A lot of hand wringing occurred leading up to the switch from ICD-9 to ICD-10. There was concern about the ability of EHRs and other systems to accurately capture information needed and the ability to properly code services. The OIG intends to review management of the implementation by the Centers for Medicare and Medicaid Services. The review will consider what assistance was offered to hospitals, practice groups, and others and the impact on the claims submission process. If the general news is any indication, the transition did not result in any dire fallout for the healthcare industry.
- Controls over Networked Medical Devices at Hospitals: The previously ridiculed and science fiction like fear of a medical device being hacked or otherwise compromised is not so far-fetched anymore. As wired and wireless devices proliferate in hospitals, the level of risk climbs commensurately. However, no comprehensive review of security measures has been taken to determine whether adequate protections exist to ensure that protected and sensitive health information is not unnecessarily compromised. The OIG intends to assess the Food and Drug Administration’s oversight of networked medical devices, emphasizing whether devices and the information contained in the device is effectively protected. There is a significant risk to privacy and health if devices are no secure.
- Office for Civil Rights’ Oversight of the Security of Electronic Protected Health Information: Is OCR doing enough to oversee security efforts by those entities that need to comply with HIPAA? It is a serious question and one that is not easily answered. Notwithstanding that complication, the OIG will evaluate OCR’s efforts, especially since the OIG asserts that previous reviews have identified deficiencies in OCR’s operations that have not been remedied. If OCR continues to face internal government pressure to ensure the security of ePHI, it is almost a certainty that covered entities, business associates, and subcontractor will also feel that scrutiny. From one perspective, finding and penalizing violations is the only way for OCR to effectively oversee security that meets that standards required by HIPAA. OCR can try to educate and encourage training, but without a stick accompanying the carrot action is unlikely to occur.
The sampling of health IT focused reviews newly proposed by the OIG show increasing attention on all aspects of health IT and interactions within the healthcare realm. There are many risks areas and many opportunities for issues to arise. While it is not possible to anticipate all issues, healthcare organizations need to devote an appropriate level of focus on health IT. It is no longer a system or tool that can be ignored, the risks are too great.