Each year, the U.S. Department of Health and Human Services Office of Inspector General (OIG) releases a Work Plan that informs the public of planned audits, evaluations, and other legal and investigative activities that the agency plans to pursue during the current fiscal year. In its 2015 Work Plan released on October 31, 2014, OIG explained that much of the agency's ongoing work will continue, including focusing on emerging payment, eligibility, management, and information technology systems security issues in Affordable Care Act programs, such as the health insurance marketplace. Of particular note to a wide range of providers, the Work Plan also explains how the agency will focus on key areas of HIPAA compliance.
OIG highlighted several areas of HIPAA compliance for special focus in the current year. OIG will, for the first time, review hospital policies and plans to determine the extent to which hospitals comply with contingency planning requirements. The HIPAA Security Rule requires covered entities to have contingency plans that establish policies and procedures for responding to emergencies or other occurrences that damage systems containing protected health information. The agency says that it will compare hospital plans to government and industry-related practices. OIG’s planned review of hospital contingency plans serves as a reminder to all health care providers to review their contingency plans to ensure compliance with the HIPAA Security Rule.
OIG also intends to investigate health care professionals’ and providers’ implementation of EHR technology under the meaningful use program to prevent erroneous incentive payments. Although the full extent of OIG’s review is unknown, it will likely include review of providers’ EHR systems and policies to ensure compliance with meaningful use requirements. EHR security is another area of focus, with OIG planning to closely investigate the security of certified EHR technology. Providers subject to an audit of their EHR systems can expect OIG to review relationships with business associates, in particular EHR cloud service providers, to determine whether adequate systems and policies are in place to protect electronic health information created or maintained by certified EHR technology. Audits will be performed of such “downstream” service providers to ensure compliance with contractual agreements (such as business associate agreements) and regulatory standards.
OIG’s focus on EHR security and the security of service providers serves as a reminder for every health care provider to review security measures, protocols and relationships with third-party vendors. Providers need to be especially careful to ensure that business associate agreements are in place with service providers, that such agreements are in accord with HIPAA security standards, and that the terms of agreements are being followed. Covered entity performance of ongoing security audits is also needed to demonstrate compliance, as electronic security of protected health information is likely to remain a strong focus for OIG in the years ahead.
Other Focus Areas
Some of OIG’s other key objectives for 2015 include the following:
The above is a sampling of the dozens of focus areas in OIG’s 2015 Work Plan. The full Work Plan is available at https://oig.hhs.gov/reports-and-publications/workplan/. Should you or your organization have any questions about the compliance areas identified in the Work Plan, please contact Peter Mellette (Peter@mellettepc.com), Harrison Gibbs (Harrison@mellettepc.com), or Nathan Mortier (Nathan@mellettepc.com) or call Mellette PC at (757) 259-9200.