The Department of Health and Human Services plans to raise the bar on data security in the healthcare industry in the year ahead. The renewed focus likely means more audits and enforcement actions for providers and insurers.

In its Work Plan for fiscal year 2015, the Office of Inspector General for HHS said it will focus heavily on such areas as the security of protected health information contained in electronic health records (EHRs), the use and exchange of health information technology, and emergency preparedness and response for protecting electronic health information. In its Strategic Plan, the OIG stated that it will continue to focus on EHRs through at least 2018.

“Technology is certainly on the table in this work plan in a big way,” Emily Root, a senior associate with Squire Patton Boggs, says.

The OIG is charged with overseeing whether programs under HHS, including the Centers for Medicare & Medicaid Services (CMS), are fulfilling their obligations to fight waste, fraud, and abuse. The Office for Civil Rights, which enforces HIPAA, is another part of HHS overseen by the OIG. Thus, compliance and legal officers in the healthcare industry will want to pay attention to the Work Plan, as it serves as a roadmap for the OIG’s new and ongoing audit and enforcement priorities, Root says.

Contingency Planning

Starting next year, the OIG for the first time will begin examining the extent to which hospitals comply with the contingency planning requirements of the Health Insurance Portability and Accountability Act’s Security Rule. That rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems containing protected health information. “We will also compare hospitals’ contingency plans with government- and industry-recommended practices,” the OIG said.

“If the hospital burns down, or if something else happens, are those electronic health records still available somehow?” says Root. That’s one new issue hospitals should be paying attention to, making sure that they have a contingency plan in place and, furthermore, that it’s documented, she says.

The OIG also said it will begin auditing covered entities that receive EHR incentive payments from the Centers for Medicare & Medicaid Services, along with their business associates (such as EHR cloud service providers), to determine whether they “adequately protect electronic health information created or maintained by certified EHR technology.”

“A core meaningful-use objective for eligible providers and hospitals is to protect electronic health information created or maintained by certified EHR technology by implementing appropriate technical capabilities,” the OIG said. To meet this objective, hospitals must conduct a security risk analysis of certified EHR technology.

The Work Plan also noted that third-party business associates that transmit, process, and store EHRs for Medicare and Medicaid providers are playing a larger role in the protection of electronic health information. “Audits of cloud service providers and other downstream service providers are necessary to ensure compliance with regulatory requirements and contractual agreements,” the OIG said.

Medical Device Security

The OIG also said it will continue to examine CMS’s oversight of hospitals’ security controls over computerized medical devices—such as dialysis machines, radiology systems, and medication dispensing systems—that are integrated with electronic medical records and health networks.

“We will examine whether CMS oversight of hospitals’ security controls over networked medical devices is sufficient to effectively protect associated electronic protected health information,” the OIG said.

Root advises companies not to overlook this section of the Work Plan. “I always tell people don’t skip that part, because that’s what is coming down the road,” she says. “If the OIG says the CMS needs to do a better job in its oversight, then that means next year the CMS is going to do a better job in its oversight.”

Healthcare providers that want to be proactive in this space need to pay attention not only to what OIG is requiring of them, but what it’s requiring of CMS, Root adds. “So if there are changes, you can get your ducks in a row before the issue comes to the forefront,” she says.

The OIG is not the only federal agency intensifying its focus on the security of medical devices. The Food and Drug Administration last month issued a final guidance recommending that medical device makers take into consideration cyber-security risks when designing and developing their products.

“The need for effective cyber-security to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet-, and network-connected devices, and the frequent electronic exchange of medical device-related health information,” the FDA guidance stated.

OIG GOALS

Below is an excerpt from the Office of Inspector General’s Work Plan, discussing plans to examine oversight of hospital security controls for medical devices and to determine whether hospitals are complying with HIPAA contingency planning requirements.
Controls over networked medical devices at hospitals
We will examine whether CMS oversight of hospitals’ security controls over networked medical devices is sufficient to effectively protect associated electronic protected health information (ePHI) and ensure beneficiary safety. Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network, pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications. To participate in Medicare, providers such as hospitals are required to secure medical records and patient information, including ePHI. (42 CFR § 482.24(b).) Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device. (OAS; W-00-15-42020; various reviews; expected issue date: FY2015)
Hospitals’ electronic health record system contingency plans (new)
We will determine the extent to which hospitals comply with contingency planning requirements of the Health Insurance Portability and Accountability Act (HIPAA). We will also compare hospitals’ contingency plans with government- and industry-recommended practices. The HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems that contain protected health information (45 CFR, Part 164 § 308(7)(i)). (OEI; 01-14-00570; expected issue date: FY 2015)
Source: Office of Inspector General.

Healthcare providers should know what medical devices are feeding into their EHRs, Root says. They should also be sure to get information from the medical device makers themselves on what security safeguards they have in place, she says.

FCA Cases

False Claims Act cases also will continue to be an area of enforcement focus for the OIG. Lawrence Freedman, a member of the law firm Mintz Levin, says healthcare entities will want to pay attention to the OIG Work Plan because it may provide some indication of the type of FCA cases that could gain traction with the OIG and the Department of Justice in the year ahead.

Clearly, FCA enforcement continues to be a priority area for both OIG and the Justice Department. In fiscal year 2014, for example, OIG said it brought 971 criminal actions and 533 civil actions against individuals or entities that engaged in crimes against HHS, including for FCA violations. Additionally, the Justice Department has recovered more than $22.4 billion from FCA cases since 2009.

By being armed with information from the Work Plan, healthcare entities can take proactive measures to avoid potential FCA violations. “General counsel and compliance officers would be well advised to consider adding to their own internal reviews or audit plans some of the areas identified in the OIG Work Plan,” Freedman says.

Overall, compliance and legal executives of healthcare entities should carefully review the Work Plan to ensure they are addressing the risk areas the OIG has identified. IT departments should also be looped in on any security enhancements those focus areas may require.

Additionally, healthcare entities will want to make sure their employee training is up to date, reflecting any new areas of audit or enforcement focus for the OIG. “Training is really important for ensuring you’re actually putting policies into practice,” Root says, “and that they’re not just a binder sitting on a shelf.”