The Department of Health & Human Services (HHS) Office of Inspector General (OIG) has laid out its work plan for fiscal year 2014, reiterating its continued review of meaningful use incentives and adding a new wrinkle to its scrutiny of the EHR Incentive Programs.
In terms of the adoption of EHR systems, OIG has made clear its role in reviewing Medicare and Medicaid EHR incentive payments to eligible professionals and hospitals. For Medicare, this work entails an extensive look at data extending back to 2011 to identify payments made to providers who did not truly achieve meaningful use. Likewise, OIG’s role will include a review of the Centers for Medicare & Medicaid Services (CMS) and its oversight of the program and disbursement of erroneous payments.
Similar to the Medicare EHR Incentive Program, OIG will assess whether eligible providers have met the Medicaid EHR Incentive Program criteria for adopt, implement, or upgrade (AIU), a key feature of the program during its earliest stage. Additionally, OIG’s plan will evaluate how the state-administered programs have taken the measures necessary to warrant funding from the federal government.
So where is the wrinkle? It is a new component associated with meaningful use falling under the category of “Systems and Information Security.” OIG intends to play a role in auditing the security of certified EHR technology (CEHRT), the systems and services necessary for eligible providers to achieve meaningful use.
“We will perform audits of various covered entities receiving EHR incentive payments from CMS and their business associates, such as EHR cloud service providers, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology,” states the federal agency.
Presumably as a result of the HIPAA Omnibus Rule released more than a year ago, OIG has concerns about cloud-based technologies and the business associate agreements these health IT systems and services necessitate.
“Furthermore, business associates that transmit, process, and store EHRs for Medicare/Medicaid providers are playing a larger role in the protection of electronic health information,” the work plan continues. “Therefore, audits of cloud service providers and other downstream service providers are necessary to assure compliance with regulatory requirements and contractual agreements.”
When CMS began its meaningful use audits following Stage 1 Meaningful Use, the security risk analysis was a key component of its auditors’ reviews of eligible providers receiving EHR incentive payments. It appears that the increased adoption of cloud-based EHR technologies — athenahealth did just unseat Epic Systems as the Best in KLAS overall vendor — has raised concerns about their security safeguards.
This is curious given that heretofore a cloud-based technology has not been the cause of a health data breach. Given that this technology is more often used by ambulatory providers, perhaps the federal government will be shifting its focus away from the inpatient side of healthcare.
The full work plan is available here.