The 2017 OIG Work Plan is again addressing information technology, with special emphasis on certified electronic health record (EHR) systems. On November 15, 2016, the Office of Inspector General (OIG) released the 2017 OIG Work Plan. The plan totals over 100 pages this year, and you can download the OIG 2017 Work Plan here on our website. The emphasis is on the established Medicare and Medicaid incentive programs, which were rolled out to promote adoption of certified EHR systems. The focus is to ensure adequate protection of electronic health information (ePHI) created or maintained by certified technology. Out of many areas of focus in the 2017 OIG Work Plan, here are two key areas for your compliance focus.
The 2017 OIG Work Plan and “Meaningful Use” Audits
The government’s efforts to audit meaningful use incentive programs continue: “the federal government promotes the use of certified EHR technology by healthcare professionals and hospitals . . . $30 billion in incentive payments have been paid”.
The 2017 OIG Work Plan identifies improper incentive payments as a high-risk area. These Medicare- and Medicaid-based incentive payments to eligible healthcare professionals and hospitals will be reviewed and audited because numerous erroneous incentive payments have already been identified.
Over a five-year period, physicians and hospitals have demonstrated meaningful use of certified EHR technology and they have continued to do so in 2016. Payment reductions to healthcare professionals who failed to become meaningful users of EHR began in 2015. This is in addition to asking for incentive payments to be returned, plus fees/fines . . . not a good situation to be in!
The 2017 OIG Work Plan and Required HIPAA Risk Assessment
A HIPAA Risk Assessment focused on the Security Rule is part of the requirements of the meaningful use attestation. Some providers did not perform and document a HIPAA Risk Assessment, yet they attested to meeting all the applicable Meaningful Use criteria! Incentive payments received by these providers may be considered “fraudulent billing”, and treated as such. Some Eligible Providers or Business Associates have not understood the significance of performing a HIPAA Risk Assessment. It is not enough to hear an EHR system vendor say their system is “HIPAA compliant”. You must assess (preferably in writing so you can show it to an auditor) your compliance with the HIPAA Security Rule requirements, and your plan for addressing any gaps or deficiencies.
The 2017 OIG Work Plan announces a review to determine if providers should not have received incentive payments. Audits and reviews will continue to recover incentive payments already provided.
Providers have engaged The Fox Group, LLC to assist in reviewing, verifying, and updating all required activities for incentive payments previously received. This includes the required HIPAA Risk Assessment. We have helped providers “figure out what to do” if prior payments received were based on an attestation which was incomplete or incorrect. It’s not good to wait to be audited. Be safe and make sure you are compliant now!
Findings of a 2016 OIG Work Plan Audit of EHR Contingency Plans
Sometimes it takes years for the OIG to complete an audit, so it is worth noting the findings of an audit of hospitals’ EHR contingency plans completed in 2016. About two-thirds of hospitals audited had contingency plans that addressed the four HIPAA requirements reviewed. Over half of hospitals reported unplanned disruption of their EHR systems, and a quarter reported delays in patient care as a result. With cyber attacks and ransomware being deployed against hospitals, it is imperative to have a contingency plan, with back-ups that cannot be corrupted by ransomware. And as scary as it is, doing a restore from your back-up at least once a year is also highly recommended. You must be assured these plans work!