HITECH Payments to be ScrutinizedInspector General Also to Review HIPAA Enforcement
A government watchdog unit plans to scrutinize whether any HITECH Act electronic health record incentive payments have been inappropriately issued and review HIPAA compliance enforcement efforts.
The Office of Inspector General in the Department of Health and Human Services revealed the planned reviews in its fiscal 2013 work plan that was released earlier this month.
In scrutinizing the HITECH program, OIG will take a close look at the Centers for Medicare & Medicaid Services' safeguards to prevent erroneous incentive payments.
"We will review Medicare incentive payment data from 2011 to identify payments to providers that should not have received incentive payments - for example, those not meeting selected meaningful use criteria," the work plan states. "We will also assess CMS's plans to oversee incentive payments for the duration of the program and actions taken to remedy erroneous incentive payments."
In recent weeks, a group of eight Republican legislators have criticized the HITECH incentive program. For example, they questioned whether HITECH Stage 2 requirements for interoperability and data exchange are too weak and whether EHRs are being used by providers to submit fraudulent bills (see: GOP Legislators Question HITECH Merits).
The OIG, in its work plan issued before the GOP complaints were aired, says it will work "to identify fraud and abuse vulnerabilities in electronic health records systems as articulated in literature and by experts and determine how certified EHR systems address these vulnerabilities."
The OIG work plan outlines dozens of other studies the office plans to conduct. OIG determines its yearly work plan and studies based on various needs and trends, a spokesman says. For example, after the Sept. 11, 2011, terrorist attacks, OIG added reviews of bioterrorism preparedness, he notes.
In addition to reviewing the HITECH incentive payments, the OIG plans to assess the HIPAA compliance enforcement efforts of the HHS Office for Civil Rights.
"We will review OCR's investigation policies and assess OCR's oversight to ensure that covered entities are complying with the HIPAA Privacy Rule," the OIG document states.
The inspector general also will review OCR's oversight of the HITECH breach notification rule, which went into effect in September 2009. "We will review OCR's policies for investigating breaches reported by covered entities and determine whether Medicare Part B-covered entities have policies or plans in place to mitigate breaches," the work plan states.
Adam Greene, a former HHS Office for Civil Rights official who now is a partner at the law firm Davis Wright Tremaine, says the OIG scrutiny of HIPAA enforcement is already well under way. The OIG's 2011 work plan also highlighted review of HIPAA Privacy Rule compliance, he notes.
"Around April, I heard of a number of organizations who received surveys from the OIG with questions about their compliance with the privacy and breach notification rules and their interactions with OCR," Greene notes.
Earlier, OIG conducted a handful of site visits to covered entities before issuing a March 2011 report outlining a lack of HIPAA Security Rule compliance. "As a result, OIG criticized CMS for a lack of oversight of the security rule," Greene notes.
While Greene expects the OIG will find that compliance with the HIPAA Privacy Rule is relatively high, he anticipates the office may find problems with breach notification rule compliance. "Many organizations may not yet have breach notification policies in place," Greene says.
Other Key Issues
In its work plan, OIG also describes planned reviews of security controls designed to protect sensitive healthcare information. Those include controls within:
- CMS information systems;
- Systems used by Medicare and its Part D contractors;
- Statewide health information exchanges;
- Systems at community health centers;
- The Administration for Children and Families' Grants Administration Tracking Evaluation System.
On Oct. 24, OIG will release on its website a 30-minute video featuring several of its leaders discussing OIG's 2013 review plans.