The 2015 Work Plan of the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) posted on Friday, October 31, 2014, includes initiatives focused on testing information security controls related to Affordable Care Act health insurance marketplaces and entities that receive Medicare “meaningful use” incentive payments for adoption of electronic health record (“EHR”) technology.

Noting that it previously had conducted a review of information security of, OIG intends next to determine whether information security controls for the systems outside of the Federally Facilitated Marketplace containing and storing consumer information have been implemented in accordance with federal requirements and recognized industry best practices. OIG stated that it may conduct vulnerability scans, when feasible, using automated tools that seek to identify known security vulnerabilities and discover possible methods of attack that can lead to unauthorized access or the exfiltration of data. This review will include examination of State-based marketplaces in addition to the two State-based exchanges reviewed by OIG previously.

OIG also announced that it will perform audits of HIPAA covered entities receiving EHR incentive payments under the Medicare program as well as their business associates. According to the 2015 Work Plan, a core meaningful use objective for eligible providers and hospitals is to protect electronic health information created or maintained by certified EHR technology and, in furtherance of this objective, to conduct a security risk analysis of certified EHR technology. In addition to the covered entities, OIG noted that their business associates increasingly are playing a larger role in the transmission, storage and processing of electronic health information. Accordingly, OIG states that audits of cloud service providers and other downstream service providers are necessary to ensure compliance with regulatory requirements and contractual agreements.

For a copy of the 2015 Work Plan, please click here.