Closer scrutiny of medical device security and closer scrutiny of electronic health records are two of the new priorities for the Office of Inspector General of the Department of Health and Human Services, according to its work plan for fiscal 2016.
The plan, published earlier in November, offers hospitals, medical practices, nursing facilities, drug makers, and medical device makers a glimpse into where regulators will focus their attention in the coming year—and thus, where compliance officers and internal auditors should focus their risk management and internal auditing efforts.
“The work plan can show new areas that the OIG has identified as emerging risks, or it can provide a window into what areas the OIG will focus on based on the data analytics the OIG has been doing,” says Tony Maida, a partner in the law firm McDermott, Will & Emery. At the least, the work plan gives the healthcare and pharmaceutical industries a sense of how to set their own internal audit programs, he says.
The OIG said in its work plan that its “largest body of work” involves investigating matters related to Medicare and Medicaid, such as billing for services not rendered or for medically unnecessary services. Other hot topics include off-label marketing of prescription drugs and the solicitation and receipt of kickbacks, according to the work plan.
One brand new priority in 2016: a review of the Food and Drug Administration’s oversight of medical devices networked to electronic health records (EHRs). “We will examine whether FDA’s oversight of hospitals’ networked medical devices is sufficient to effectively protect associated electronic protected health information (ePHI) and ensure beneficiary safety,” the OIG said in its work plan.
Medical devices—dialysis machines, radiology systems, and medication dispensing systems, for example—that are integrated with electronic medical records and the larger health network “pose a growing threat to the security and privacy of personal health information,” the OIG said. “Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications.”
Compliance officers at healthcare providers and medical device makers should note that placing this oversight with the FDA is a shift from the OIG’s fiscal year 2015 work plan, under which the Centers for Medicare & Medicaid Services had oversight authority for medical devices networked to EHRs.
“The FDA is actively working to ensure a collaborative approach to addressing medical device cyber-security across all stakeholders, including researchers, manufacturers, government, and healthcare facilities,” says Angela Stark, a spokesperson for the FDA. “The FDA encourages these stakeholders to work together to openly identify challenges and discuss strategies and best practices for addressing medical device cyber-security in order to protect patient safety and promote public health.”
As more wireless devices become integrated into healthcare systems, “providers and manufacturers have to be really diligent about making sure their systems are secure,” says Nathan Kottkamp, a partner with law firm McGuire Woods.
The OIG also said it will step up its review of how the Office for Civil Rights oversees the security of ePHI. (OCR is the agency responsible for policing the privacy and security requirements of the Health Insurance Portability and Accountability Act.)
According to the OIG, previous audits found that OCR “had not assessed the risks, established priorities, or implemented controls” required under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH requires periodic audits of compliance with HIPAA’s privacy, security, and breach notification rules.
HHS-OIG FY 2016 WORK PLAN
Below, the OIG details which agencies it reviews during a public health inspection and what each review’s primary focus is.
Hospitals’ electronic health record system contingency plans
We will determine the extent to which hospitals comply with contingency planning requirements of the Health Insurance Portability and Accountability Act (HIPAA). We will also compare hospitals’ contingency plans with government- and industry-recommended practices. The HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems that contain protected health information.
Controls over networked medical devices at hospitals
We will examine whether FDA’s oversight of hospitals’ networked medical devices is sufficient to effectively protect associated electronic protected health information (ePHI) and ensure beneficiary safety. Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network, pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications. Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device.
Office for Civil Rights’ oversight of the security of electronic protected health information
We will determine the adequacy of the Office for Civil Rights (OCR) oversight over the security of electronic protected health information (ePHI). Prior OIG audits reported that OCR had not assessed the risks, established priorities, or implemented controls for its HITECH Act requirement to provide for periodic audits of covered entities and business associates to ensure compliance with HITECH Act and HIPAA Rule requirements and, therefore, had limited assurance that covered entities and business associates adequately protected ePHI. Prior OIG audits have also summarized numerous vulnerabilities in the systems and controls to protect ePHI at selected covered entities.
Such gaps in oversight provided “limited assurance” that businesses and third parties were adequately keeping ePHI secure, the OIG said. Previous audits also found “numerous vulnerabilities in the systems and controls to protect ePHI at selected covered entities,” the work plan said.
From a practical standpoint, depending on what the OIG’s review finds, “it may influence OCR’s activities going forward,” Maida says. “It may result in OCR pursuing more cases.”
The OIG said it also plans to determine the extent to which hospitals comply with contingency planning requirements of HIPAA. The HIPAA Security Rule requires covered entities (such as hospitals) to have a contingency plan that establishes policies and procedures for responding to an emergency or adverse event that damages systems containing protected health information.
Even though hospitals must have a contingency plan in place, the HIPAA Security Rule doesn’t specify what that contingency plan should look like. “It’s hard to know what is deemed to be acceptable,” Kottkamp says.
Healthcare providers would be well served to look at other industry-recognized standards and best practices, such as those used by the financial services industry, Kottkamp says. He further recommends that healthcare companies test those disaster recovery plans: “Have you done a real-life fire drill where you shut down access to your main servers? If so, what backup information is available? How long does it take to retrieve?”
Also in 2016, healthcare organizations can expect more enforcement actions as HHS prepares to launch its new HIPAA compliance audit program.
HHS launched a pilot audit program in 2012, carried out by KPMG, which, under contract with HHS, conducted reviews of HIPAA compliance at 115 covered entities. “HIPAA audits were supposed to start sometime in 2015, but they were delayed,” Kottkamp says. “My guess is that they’re not going to start until 2016.”
The HIPAA compliance audit program took a step forward in September, when government services firm FCi Federal announced that it had been awarded a contract to provide HIPAA auditing services to support HHS. FCi Federal said the $1 million contract was awarded for an 18-month performance period.
“This is the first task order granted on this contract to provide support to 13 nationwide HHS-OCR offices in the areas of monitoring, investigation, and enforcement of anti-discrimination and privacy laws; health information protection; and civil rights policy development, planning, education, and outreach,” the company said in a statement.
Overall Enforcement Trends
Enforcement efforts against fraud in the healthcare industry show no signs of abating. For fiscal year 2015 (which ended on Sept. 30), the OIG reported expected recoveries of more than $3 billion, consisting of nearly $1.13 billion in audit receivables and $2.2 billion in investigative receivables, according to the work plan.
The work plan also reported exclusions of 4,112 individuals and entities from participation in federal healthcare programs in 2015; 925 criminal actions against individuals or entities that engaged in crimes against HHS programs; and 682 civil actions.
The numbers alone make enforcement efforts a lucrative activity for the government, and all signs are that HHS will continue to expand its caseload.