OIG’s 2015 Work Plan Suggests Increased Focus on EHRs
November 5, 2014 in News
For example, OIG for the first time will review hospitals’ EHR contingency plans.
Under the HIPAA Security Rule, hospitals must have plans in place that outline procedures for responding to emergencies that damage systems containing protected health information.
In fiscal year 2015, OIG will determine whether hospitals comply with HIPAA’s contingency plan requirements.
The work plan also stated that OIG will compare contingency plans with government and industry standards (Walsh, Clinical Innovation Technology, 11/4).
In addition to the new contingency plan reviews, OIG said it will continue to conduct several EHR reviews to examine:
- CMS’ oversight of hospitals’ security controls regarding networked medical devices that are integrated with EHR systems;
- CMS’ oversight of meaningful use payments;
- Whether recipients of meaningful use incentive payments were eligible for such payments; and
- Whether covered entities and business associates are sufficiently protecting PHI maintained by certified EHR technology.
Under the 2009 economic stimulus package, health care providers who demonstrate meaningful use of certified EHR systems can qualify for Medicaid and Medicare incentive payments.
OIG also signaled the possibility of reviewing electronic health information exchanges in the future.
However, OIG has dropped two EHR-related reviews included in past work plans regarding the security of portable devices containing PHI and whether EHRs have vulnerabilities in evaluation and management coding. According to FierceEMR, it is unclear whether these two areas are no longer priorities for the agency or whether it has already completed such reviews (Durben Hirsch, FierceEMR, 11/2).