On November 2, 2015, the Office of Inspector General (OIG) for the Department of Health and Human Services (HHS) announced its Work Plan for Fiscal Year 2016 (2016 Work Plan), which describes the OIG’s investigative focus for the upcoming year. Although the OIG’s 2016 Work Plan addresses the gamut of HHS programs, this alert focuses specifically on the privacy and security aspects of the plan.
Continued Focus on EHR
In its 2015 Work Plan, the OIG included an initiative to review hospitals’ contingency plans for electronic health record (EHR) systems. The HIPAA Security Rule requires covered entities, such as hospitals, to develop policies and procedures as part of a plan to respond to an emergency or other situation that might damage systems containing protected health information (PHI). This remains an area of review for 2016 as the OIG will continue, according to the 2016 Work Plan, to compare hospitals’ contingency plans against the best practices recommended by industry and government.
The OIG also will continue a review initiative it began in 2014 to perform audits of (1) various covered entities that receive “meaningful use” incentive payments from the Centers for Medicare and Medicaid Services and (2) business associates such as EHR cloud service providers. These audits seek to determine whether covered entities, business associates and other downstream service providers are adequately protecting electronic PHI (ePHI) created or maintained by certified EHR technology, which is a core meaningful use objective.
New Focus on FDA Accountability, the Internet of Things
New for 2016, the OIG announced an initiative to examine the sufficiency of the Food and Drug Administration’s (FDA’s) oversight of hospitals’ networked medical devices to determine whether ePHI associated with these devices is effectively protected. Although this initiative was first announced in its 2014 Work Plan, the review at that time focused on the hospitals and the security controls they implemented over networked medical devices. With the upcoming focus on the FDA, the OIG is signaling that it is serious about holding the FDA accountable for its oversight of computerized medical devices that are integrated with electronic medical records and the larger health network.
Recognizing the growing threats to the privacy and security of ePHI posed by networked devices and the inevitable increase in their adoption moving forward, the OIG also announced in the 2016 Work Plan an intent “to broaden its portfolio regarding information privacy and security, including issues that arise from the continuing expansion of the Internet of Things.” Wilson Elser attorneys have examined the threats posed by the Internet of Things in other industries where devices may serve as a weak-link entry point for hackers to gain access to larger networks.
In addition to the security review areas discussed above, the OIG has set its sights on a broad inquiry into the adequacy of the regulatory oversight provided by the Office of Civil Rights (OCR) of covered entities’ compliance with the HIPAA Security Rule. The OIG has in the past conducted similar inquiries into OCR’s oversight of covered entities’ compliance with the HIPAA Privacy Rule and follow-up of breaches under the HIPAA Breach Notification Rule. The resulting reports from those inquiries were released by the OIG in September 2015, and both were critical of OCR’s oversight and investigation roles.
Notably, the OIG report on OCR’s reactive approach to Privacy Rule enforcement and lack of a fully implemented audit program has spurred OCR to launch a second round of HIPAA audits, following the pilot program established in 2011. OCR has selected a contracted vendor to conduct the audits, which it has said will begin in early 2016. While OCR prepares over the coming months by updating its audit protocol and finalizing the list of potential audit subjects, industry also must prepare. At a minimum, this should include a comprehensive internal review of an organization’s policies and procedures to assess HIPAA compliance. Notably, the most common aspect of noncompliance reported by the pilot audit program was a failure on behalf of covered entities to conduct a security risk assessment.
Industry should therefore pay particular attention to the outcome of this new OIG inquiry into oversight of compliance with the HIPAA Security Rule and other OIG review initiatives that focus on privacy and security, given recent reports confirm the OIG can spur enforcement action at OCR.