On October 31, 2014, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) released the Work Plan for Fiscal Year 2015 (“Work Plan”). The Work Plan confirms OIG will continue to concentrate a great deal of its enforcement efforts on the security and vulnerabilities of protected health information (“PHI”) contained in electronic health records (“EHRs”). The continued focus on the security of data contained in EHRs aligns with the goals of the OIG Strategic Plan 2014-2018, where OIG identified EHRs as one of its key focus areas until at least 2018.

Given the increased frequency and publication of health information breaches, it is no surprise the OIG for the first time indicated it plans to examine hospitals’ contingency plan policies and procedures to determine if adequate safeguards are in place in the event systems containing PHI are damaged. OIG also indicated it will continue to examine the Centers for Medicare & Medicaid Services’ (“CMS”) oversight of hospitals’ security controls over networked medical devices, such as dialysis machines, radiology systems and medication dispensing systems. OIG will also continue to conduct audits of eligible hospitals and professionals who received Medicare and Medicaid Meaningful Use Incentive payments to determine whether such payments were proper.

It is worth noting that the Work Plan did not include assessing the security and vulnerabilities of portable devices containing PHI as a priority. This may be an indication that OIG has completed its review of the issue.
