Category: Health Information Technology

Chip-Enabled Point of Sale Terminal – Deadline: October 1, 2015


Hospitals and other health care providers may be liable for fraudulent use of credit cards at their facilities effective October 1, 2015 if they do not upgrade their credit card terminals. The major credit card issuers have been busy issuing to all cardholders new chip-enabled credit cards (“EMV Cards”) to address the growing concern with data breaches and stolen credit card information. The EMV Card generates a unique, one-time code for each transaction, so card data captured from one purchase cannot simply be reused for another. Effective October 1, 2015, there will be a new EMV Card standard for face-to-face or in-store payments. After October 1, liability for fraudulent use of a credit card will fall on the party that has not upgraded its systems (meaning the POS terminals that can process EMV Cards) if chip technology could have prevented the fraud. This standard is managed by EMVCo, a consortium between Europay, Visa, JCB, Discover, Mastercard and China UnionPay. To avoid liability for fraudulent charges, now is the time to audit your hospital and clinic payment processing systems, inventory the POS systems and initiate deployment of chip-enabled terminals. If you have any questions, please contact Carol Romej at cromej@hallrender.com or your regular Hall Render attorney.
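Why a one-time code per transaction changes the fraud picture, as an added Python illustration (not code from this newsletter or from EMVCo): a magstripe-style credential is the same secret every time, so a copy captured once authorizes again; a chip-style cryptogram is a MAC over a per-card counter, the amount and a terminal nonce, so the issuer can reject a replayed or altered transaction. The HMAC-SHA256 construction, the single shared card key, the counter check and all card numbers and keys are assumptions made for the example; real EMV derives per-card keys from an issuer master key and builds the ARQC over a defined set of data elements.

```python
"""Toy model of static credentials vs. per-transaction cryptograms.

Added illustration only. Simplified: one shared card key and HMAC-SHA256
stand in for EMV's key derivation and ARQC construction.
"""
import hashlib
import hmac


class StaticCredentialIssuer:
    """Magstripe-style model: the same secret is presented for every purchase."""

    def __init__(self):
        self.cards = {}  # card_id -> static track secret (constructed sample data)

    def enroll(self, card_id, secret):
        self.cards[card_id] = secret

    def authorize(self, card_id, presented_secret, amount_cents):
        # Nothing binds the secret to this purchase: a captured copy replays freely.
        return hmac.compare_digest(self.cards.get(card_id, b""), presented_secret)


class ChipIssuer:
    """Chip-style model: verifies a MAC bound to a monotonically increasing counter."""

    def __init__(self):
        self.card_keys = {}  # card_id -> per-card key (constructed sample data)
        self.last_atc = {}   # card_id -> highest transaction counter accepted so far

    def enroll(self, card_id, key):
        self.card_keys[card_id] = key
        self.last_atc[card_id] = 0

    @staticmethod
    def cryptogram(key, card_id, atc, amount_cents, terminal_nonce):
        # Bind the cryptogram to the card, the counter, the amount and the terminal's nonce.
        msg = b"|".join([card_id.encode(), atc.to_bytes(2, "big"),
                         amount_cents.to_bytes(6, "big"), terminal_nonce])
        return hmac.new(key, msg, hashlib.sha256).digest()

    def authorize(self, card_id, atc, amount_cents, terminal_nonce, presented):
        key = self.card_keys.get(card_id)
        if key is None:
            return "unknown card"
        if atc <= self.last_atc[card_id]:
            return "rejected: counter reused"   # replay of an earlier transaction
        expected = self.cryptogram(key, card_id, atc, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, presented):
            return "rejected: cryptogram mismatch"  # amount or nonce altered in transit
        self.last_atc[card_id] = atc
        return "approved"


class ChipCard:
    """The card side: increments its counter and produces a fresh cryptogram."""

    def __init__(self, card_id, key):
        self.card_id, self.key, self.atc = card_id, key, 0

    def generate(self, amount_cents, terminal_nonce):
        self.atc += 1
        return self.atc, ChipIssuer.cryptogram(self.key, self.card_id, self.atc,
                                               amount_cents, terminal_nonce)


def demo():
    """Run both models on constructed sample transactions and return the outcomes."""
    results = {}
    # Static credential: a value captured at one purchase authorizes a second one.
    static = StaticCredentialIssuer()
    static.enroll("4000-0000-0000-0002", b"track2-secret-sample")
    captured = b"track2-secret-sample"
    results["static_first"] = static.authorize("4000-0000-0000-0002", captured, 1999)
    results["static_replay"] = static.authorize("4000-0000-0000-0002", captured, 1999)

    # Chip credential: replaying or altering a captured cryptogram is rejected.
    issuer = ChipIssuer()
    key = b"\x01" * 16  # constructed sample key, not a real card key
    issuer.enroll("5000-0000-0000-0001", key)
    card = ChipCard("5000-0000-0000-0001", key)
    atc, ac = card.generate(1999, b"nonce-a")
    results["chip_first"] = issuer.authorize("5000-0000-0000-0001", atc, 1999, b"nonce-a", ac)
    results["chip_replay"] = issuer.authorize("5000-0000-0000-0001", atc, 1999, b"nonce-a", ac)
    atc2, ac2 = card.generate(1999, b"nonce-b")
    results["chip_tampered_amount"] = issuer.authorize("5000-0000-0000-0001", atc2, 9999, b"nonce-b", ac2)
    atc3, ac3 = card.generate(500, b"nonce-c")
    results["chip_next"] = issuer.authorize("5000-0000-0000-0001", atc3, 500, b"nonce-c", ac3)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The counter check runs before the MAC check so a replayed cryptogram is refused even though it would verify; a tampered amount passes the counter check but fails the MAC, and the counter is only advanced on approval so the card's next genuine transaction still succeeds.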


CMS Releases Eligible Hospital Hardship Exception Application

Recently, the Centers for Medicare & Medicaid Services (“CMS”) published additional guidance for Medicare eligible hospitals seeking to avoid the 2016 Medicare EHR Incentive Program payment adjustment.

Medicare eligible hospitals can avoid the 2016 payment adjustment by taking action by April 1 and applying for a 2016 hardship exception.

The hardship exception application and instructions for Medicare eligible hospitals are available on the EHR Incentive Programs website and outline the specific types of circumstances that CMS considers to be barriers to achieving meaningful use and how to apply.

To file a hardship exception, Medicare eligible hospitals must:

  • Show proof of a circumstance beyond the eligible hospital’s control; and
  • Explicitly outline how the circumstance significantly impaired the eligible hospital’s ability to meet meaningful use.

Supporting documentation must also be provided. CMS will review applications to determine whether or not a hardship exception should be granted.

As a reminder, the application must be submitted electronically or postmarked no later than 11:59 p.m. ET on April 1, 2015 to be considered.

If approved, the exception is valid for one year. If the eligible hospital claims a hardship exception for the following payment year, a new application must be submitted.

If you have questions regarding the hardship exception, please contact:


FDA Finalizes Guidance on Medical Device Data Systems

On February 6, the Food and Drug Administration (the “FDA” or “Agency”) released a finalized guidance (the “Guidance”) informing the public that the Agency does not intend to enforce any regulatory requirements applicable to several types of devices and software that transfer, store, convert, format and display medical data, specifically including medical image storage (“MIS”) devices, medical image communications (“MIC”) devices and medical device data systems (“MDDS”). The Guidance finalizes a draft guidance issued by the Agency in June of 2014, which in turn also finalizes related changes to a separate guidance on mobile medical applications. To read Hall Render’s article assessing the draft Guidance, click here; or to read our article discussing the mobile medical applications guidance, click here.

The elimination of FDA regulatory requirements for these products could have significant positive impacts for developers and end users of these devices within the emergent areas of home health, personal health and telemedicine. The FDA’s move is particularly designed to support initiatives driving interoperability among medical devices and various health IT systems, including electronic health records.

A few examples of MDDS products include:

  • Software that collects output from a ventilator about a patient’s CO2 level and transmits the information to a central patient data repository;
  • Software that stores historical blood pressure information for later review by a health care provider;
  • Software that converts digital data generated by a pulse oximeter into a digital format that can be printed;
  • Software that displays a previously stored electrocardiogram for a particular patient; and
  • A telemedicine cart that uses two-way audio/video technology to capture and transmit patient-specific data.

Although technically these products will remain regulated as medical devices, the FDA will exhibit “enforcement discretion,” meaning the Agency will neither expect compliance nor enforce regulations for these products. However, because the Guidance is not binding and conveys no rights of any kind, the Agency may at any point reverse its thinking and begin enforcing the regulations, a situation that could arise if it appears any products in these classes are negatively impacting patient safety. For Hall Render’s article on the safety of products with health IT components, click here.

Additionally, in order for a product to be eligible to take advantage of the Agency’s enforcement discretion, the product must not modify medical device data, control any other connected medical devices or be used in connection with active patient monitoring. As an example of a device used to perform monitoring that does not rise to the level of “active patient monitoring,” the Agency identified software that displays data from a blood glucose meter when the software simply provides viewing of that data and not when immediate clinical action is anticipated as a result. This distinction should give pause to software developers, whether from medical device companies, IT consultants or health care providers, who are developing programs to sync data from patient wearables and other home-use devices to electronic health records and provide alerts to clinicians if that data falls outside of desired norms, as the FDA may continue to actively regulate such programs. The FDA recently released a draft guidance discussing the approach it intends to take regarding “general wellness” devices. For Hall Render’s article on the wellness devices draft guidance, click here.

On February 24, 2015, the FDA will hold a webinar to discuss the finalized MDDS Guidance and two new draft guidance documents applicable to general wellness devices and medical device accessories. More information about the webinar is available on the FDA’s website.

Practical Takeaways

Because the FDA’s action comes in the form of a guidance rather than a regulation, every potential developer of MDDS, MIC and MIS products will have to decide whether it is comfortable accepting the risk that the FDA could change its opinion at any time. Many software developers, particularly those looking to make data from wearable and home use devices more actionable to clinicians, may still find it difficult to take on that risk.

Both product developers and end users should also remain cognizant of the limited scope of the FDA’s enforcement discretion, which does not extend to products that contain MDDS, MIC or MIS functions when they also contain other functions and intended uses that are regulated under separate FDA rules. The transfer, storage, conversion, formatting and display of medical data are common functions in medical devices and will be increasingly so if interoperability efforts are realized. Both developers and end users of such products should continue to diligently scope the full functionality and intended use of products in order to determine the full scope of regulatory requirements.

If you have any questions about the regulation of health IT or medical devices or would like additional information about this topic, please contact Mark R. Dahlby at (414) 721-0902 or mdahlby@hallrender.com or your regular Hall Render attorney.

Please visit the Hall Render Blog at http://blogs.hallrender.com/ for more information on topics related to health care law.


New Guidance Documents from FDA Seek to Clarify Regulation for Wellness Devices and Medical Device Accessories

On January 20, 2015, the Food and Drug Administration (the “FDA” or “Agency”) published two draft guidance documents designed to fulfill promises it made in the multi-agency Food and Drug Administration Safety and Innovation Act (“FDASIA”) Health IT report. The first draft guidance is intended to promote the innovation of general wellness devices and software applications by identifying certain types of low risk products for which the FDA will not enforce any regulatory requirements. The second draft guidance proposes to regulate medical device accessories based on the risks they present when used as intended, rather than the risks presented by the parent medical device with which the accessory is used.

Background

The Federal Food, Drug and Cosmetic Act authorizes the FDA to regulate as a medical device any instrument, machine, software or other type of product, including component parts and accessories, intended or promoted for use in the diagnosis of disease or other conditions; in the cure, mitigation, treatment or prevention of disease; or intended to affect the structure or any function of the body of man or other animals. Because the definition of a medical device is broad, it captures many types of health IT, arguably including many consumer-facing general wellness products like Apple iWatch, calorie-tracking software and FitBit.

Responding to pressure from industry over the past decade, the FDA has begun clarifying the regulatory environment applicable to many new types of medical software and related products. For example, in 2013, the FDA finalized a guidance on Mobile Medical Applications, in which the Agency wrote it would not enforce regulatory requirements on mobile software applications that pose a low risk to users, provided the products do not make disease-specific claims. In April 2014, the FDASIA Health IT report was issued, in which the FDA again agreed to refrain from actively regulating low risk health IT products and further promised to provide clarity on questions regarding when software may qualify as a regulated medical device accessory and on the regulation of clinical decision support software generally. For Hall Render’s article discussing the Mobile Medical Apps Guidance and the FDASIA Health IT report, click here. The following June, the FDA proposed in another draft guidance document that medical device data systems (“MDDS”), which are devices used to transfer, store, convert, format and display data from other medical devices, should also be exempt from all regulatory requirements. On February 6, 2015, the FDA finalized that MDDS Guidance. To read Hall Render’s article discussing the new MDDS Guidance, click here.

Wellness Devices

In the new draft guidance document entitled General Wellness: Policy for Low Risk Devices (the “draft Wellness Devices Guidance”), the FDA explains that it “does not intend to examine low risk general wellness products to determine whether they are [medical] devices . . . or whether they comply with the premarket review and post-market regulatory requirements for [medical] devices.” The Agency describes general wellness products as having either: (1) an intended use that relates to maintaining or encouraging a general state of health or a healthy activity (i.e., no correlations to or marketing for specific disease states); or (2) an intended use that associates the role of healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition.

According to the Agency, products in the first category include exercise equipment, audio recordings, video games and generally many software programs and devices commonly obtained from retail establishments. Examples of physical conditions for which they may be promoted to assist include weight management, physical fitness, stress management, mental acuity, self-esteem, sleep management and sexual function. Products will fit the second category of general wellness devices only if claims that healthy lifestyle choices may reduce the risk or impact of a chronic disease or medical condition are well understood. According to the FDA, examples of chronic diseases for which a healthy lifestyle is associated with risk reduction or help in living well with that disease include high blood pressure, heart disease and type 2 diabetes. Although “well understood” is not defined, the FDA writes that an acceptable association between disease state and lifestyle would typically be found in peer-reviewed scientific publications. Based on the Federal Trade Commission’s interpretation of the Federal Trade Commission Act, it is likely that at least one well-controlled clinical investigation is required in order to make such claims.

Regardless of the category, the product must also present “a very low risk to users’ safety,” meaning that it may not be invasive (e.g., penetrate or pierce the skin), pose a risk to a user’s health (e.g., exposure to lasers or radiation) or raise biocompatibility questions. The FDA also wrote that a product will not be deemed “low risk” if it “raises novel questions about usability,” although the Agency did not provide examples of “novel questions.”

Accessories to Medical Devices

In the other draft guidance document, entitled Medical Device Accessories: Defining Accessories and Classification Pathway for New Accessory Types (the “draft Accessories Guidance”), the FDA attempts for the first time to clarify what the Agency deems to be “accessories” to medical devices. FDA proposes that an “accessory” is an item intended to support, supplement, and/or augment the performance of one or more medical devices. An example of an accessory could be a smartphone app that is a companion to a medical device.

The Agency further proposes to regulate medical device accessories based on the risks they present when used as intended with their parent devices and not based on the risks of the parent devices. Often the risk of the parent device may be higher than that of the accessory. As an example, the Agency states that “if a parent device warrants regulation as a Class II device but an accessory to the parent device presents lower risks, we would regulate the accessory as a Class I rather than a Class II device.” This proposal would be a substantial departure from the Agency’s current thinking, which has historically been that the risks of the parent device are automatically assigned to its accessories.

Unlike in both the Mobile Medical App Guidance and the draft Wellness Devices Guidance, the FDA did not provide examples of accessories that would or would not be regulated as medical devices. Rather, the Agency encourages manufacturers of accessories to use FDA’s “de novo” classification process to request that the Agency perform a risk-based review of accessory types that are not currently classified. As such, the draft Accessories Guidance provides little actual guidance to developers or users of medical device accessories. Other issues that the FDA did not address as requested by industry stakeholders include:

  • Provide assurance that interoperability claims will not automatically characterize a product as a medical device accessory;
  • Describe how FDA will differentiate between accessories and non-regulated components of a system; and
  • Provide guidance on how the agency intends to regulate claims associated with accessories.

Practical Takeaways

Although both draft guidance documents indicate that the FDA remains generally committed to allowing many low risk health care-related products to be developed without active oversight by the Agency, substantial questions remain. For example, clarity is needed on what may trigger “novel questions about usability” such that a wellness device may become subject to higher scrutiny. Additionally, as clinical decision support tools become more prevalent in both the home and hospital environments, the limited exemption from FDA oversight for wellness devices may soon be outdated. Uncertainty as to regulatory status may also cause confusion as to what rules must be followed (e.g., payment of medical device tax, unique device identification) for not only product developers but also health care providers, which have separate obligations (e.g., adverse event reporting, meeting standards of The Joint Commission) of their own.

The Agency is seeking comments from the public on both proposed guidance documents until April 20, 2015.

If you have any questions about the FDA’s regulation of medical devices or the regulation of health IT generally or are interested in submitting comments to the FDA, please contact Mark R. Dahlby at (414) 721-0902 or mdahlby@hallrender.com or your regular Hall Render attorney.

Please visit the Hall Render Blog at http://blogs.hallrender.com/ for more information on topics related to health care law.


Report Details Safety Issues with Health IT

In November 2014, the ECRI Institute¹ issued a report discussing issues of patient safety and adverse events linked to health information technology (“IT”) products. The report comes in the form of an annual list of top ten health technology safety hazards.

According to the ECRI Institute, although many facets of health IT have a positive impact on patient outcomes, such as automated reminders that improve medication adherence, technologies can also have an adverse effect on patient safety. The top 10 list addresses all health technologies and not just health IT. However, the ECRI Institute pointed out that health IT is a prominent component in many of the technologies that are experiencing safety issues. The health IT-related technologies making the list in ranked order are:

#1. Alarm hazards, including inadequate alarm configuration policies and practices (e.g., failure to reset medical device to default alarm limits when a new patient is connected);

#2. Data integrity, including incorrect or missing data in electronic health records and other health IT systems (e.g., appearance of one patient’s data in another patient’s record because the clinician entering data has two health records simultaneously open and misdirects the entry);

#5. Ventilator disconnections not caught because of mis-set or missed alarms (e.g., alarm volume is too low relative to competing ambient noise);

#7. Unnoticed variations in diagnostic radiation exposures (e.g., “dose creep” where radiographic technologists may increase the exposure parameters to get a better quality image notwithstanding the dose is higher than industry-recommended exposure levels);

#8. Robotic surgery complications from insufficient training (e.g., surgeons located at a control console several feet away from the patient must be able to proficiently manipulate hand and foot controls to position and operate robotic arms while viewing real-time 3D video of the surgical site);

#9. Cybersecurity, including insufficient protections for medical devices and IT systems (e.g., devices that became infected with malware caused a hospital to have to temporarily shut down its catheterization lab); and

#10. Overwhelmed recall and safety alert management programs where due to the significant increase in volume of “safety alerts,” the hospital may not be keeping up with identification/remediation of affected devices.

As the purpose of the report is to help hospitals recognize and prioritize patient safety issues, it also includes detailed recommendations for how hospitals can mitigate safety issues. In creating its report, the ECRI Institute drew from its experience providing services to health care providers, specifically including health technology-related problem reports received through its Problem Reporting Network and its patient safety organization (“PSO”). The ECRI Institute PSO’s website contains additional details about its experience with health IT safety matters.

In November 2014, the Office of the National Coordinator for Health Information Technology (“ONC”) coordinated with the ECRI Institute PSO and United Healthcare’s (“UHC’s”) PSO to publish a report entitled, Health Information Technology Adverse Event Reporting: Analysis of Two Databases. The report studied the role of health IT in hundreds of thousands of reported adverse events in order to identify the most common incidences implicating health IT. Although the analysis determined that incidents involving health IT were overall less likely to result in harm when compared to those events that were not health IT-related, significant issues were identified, including the following:

  • The most common contributing factors to health IT-related events were communication among staff and team members (40-42%), staff inattention (33-34%), accuracy of the data (21-23%) and availability of data (10-12%).
  • Medication-related events were the most common health IT-related event type, accounting for about one-third of these events.
  • More than half of the health IT-related events were categorized in the Common Formats “other” report category making it difficult to determine the clinical problem involved in these events from these data.
  • About 60% of the events involving health IT were categorized as an incident (i.e., they reached a patient although they may not have resulted in harm to the patient), 14% as near miss event and 26% as an unsafe condition.
  • The UHC data showed that clinical documentation systems, computerized provider order entry and laboratory information systems are among the types of IT most commonly involved in adverse events. Health IT-related issues were common in the interfaces among different software components that make up health IT systems.

The ONC is the agency tasked with implementing a plan issued in 2013 by the Department of Health and Human Services to address the role of health IT in ensuring patient safety. The ONC is working with The Joint Commission to implement the plan, which is entitled the Health IT Patient Safety Action and Surveillance Plan and is built on recommendations from the 2011 Institute of Medicine report entitled Health IT and Patient Safety: Building Safer Systems for Better Care.

It was also proposed in the Food and Drug Administration Safety and Innovation Act (“FDASIA”) Health IT report from 2014 that ONC should run a Health IT Safety Center in collaboration with the FDA, the FCC and the Agency for Healthcare Research and Quality, along with other federal agencies and private stakeholders. The center, for which funding is proposed in the White House’s Fiscal Year 2016 budget, would initially focus on data collection and analysis of health IT-related adverse events, including those tied to the use of electronic health records. Thereafter, it is intended that the center would assist in identifying and implementing a framework for oversight of medium-risk health IT products. (To read Hall Render’s article on the multi-agency FDASIA health IT report, click here.)

If you have any questions about patient safety issues related to health IT or matters pertaining to the regulation of health IT or medical devices, please contact:

Please visit the Hall Render Blog at http://blogs.hallrender.com/ for more information on topics related to health care law.

¹ ECRI Institute is a 45-year-old nonprofit organization that does research to determine which medical procedures, devices, drugs and processes are best in order to improve patient care. It claims more than 5,000 members and clients, including hospitals, health systems, public and private payers, federal and state government agencies and accrediting agencies.


Anthem Data Breach: What You Need to Know Now

Health care data breaches are not new. The breach announced by health insurer Anthem on February 5, 2015 is notable mostly for its scope. According to Anthem’s statement, hackers utilized a very sophisticated cyber attack to gain access to the information of potentially 80 million current and former Anthem members. The information accessed included names, birthdays, medical IDs, Social Security numbers, addresses, email addresses, employment information and income data of current and former members, including Anthem employees. At the time of Anthem’s statement, there was no evidence that credit card or medical information, such as claims, test results or diagnostic codes, were targeted or compromised. The breach appears to be the largest cyber attack ever disclosed by a health care company.

Data breaches are complex and often are confusing for potentially affected individuals. As with any major event, there will be information published that is accurate and some that is inaccurate. It is important for all involved to operate based on accurate information. To aid in that effort, we offer the following information:

  • It is widely accepted and reported that medical information is 10 to 20 times more valuable on the black market than credit card numbers. This makes health care organizations attractive targets for criminals seeking to profit from such information. Most health care organizations make reasonable efforts to prevent unauthorized access to identifiable information, but staying ahead of the hackers has proven to be a complicated task.
  • Anthem is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); therefore, to the extent the identifiable information accessed by the hackers was provided to Anthem in its role as a health plan or as a third-party administrator of a health plan, it has obligations under HIPAA with respect to that information. HIPAA requires that written notice of a breach be provided to each affected individual and to the federal government. Because the breach involves more than 500 individuals, it will be subject to a mandatory investigation by the federal government. If the government investigation finds that Anthem did not have reasonable and appropriate safeguards in place or otherwise violated HIPAA, it may impose a civil monetary penalty.
  • Many states have data breach laws that may also apply to Anthem based on where the affected individuals reside. The requirements of those state laws generally are similar to HIPAA but may require notification on a shorter time frame and to the state’s Attorney General or other agency. States where affected individuals reside are also likely to investigate the breach and may impose a financial penalty if it is found that Anthem did not have reasonable procedures in place to protect and safeguard the information.
  • Individuals do not have the ability to sue for violations of HIPAA or most state data breach laws, but there have been several cases recently where individuals have sued health care organizations under common law theories of liability such as invasion of privacy or breach of fiduciary duty. In a breach the size of the Anthem breach, class action lawsuits based on one of these theories are likely to occur. In fact, it is our understanding that one was filed in Indiana on the same day that Anthem announced the breach.
  • It is likely that the majority of individuals affected will not experience any identity theft or other adverse effects from the Anthem breach. In addition, if an individual does experience identity theft subsequent to this breach, it may be difficult in many cases to identify which breach was the source for the information that led to the identity theft given the number of large breaches recently in the retail sector and the various other means that criminals have to access information. This could also hinder individuals from establishing the damages needed for a successful lawsuit.
  • Entities that suffer data breaches, including Anthem, typically offer to pay for credit monitoring services for all affected individuals, which can be an effective component of monitoring for unauthorized activity. The most effective action that any individual can take is to always be vigilant in monitoring activity on financial accounts and to notify your financial institutions immediately of any suspicious activities. Furthermore, whenever a breach involves a health care institution, individuals should closely monitor their Explanation of Benefit forms and any communications or information from their health care providers and insurers that may indicate that medical identity theft has occurred and report any suspicious activity to their health care provider or insurer.

Anthem has established a website, www.anthemfacts.com, to provide information about the breach. As well, current and former members can call (877) 263-7995 for additional information.

If you have questions regarding the data breaches or information security, please contact:


Massachusetts Requires EHR Proficiency for Physician Licensure


In December of 2014, Massachusetts finalized a state law that requires physicians to demonstrate proficiency in using EHRs and/or being a “meaningful user” under the Department of Health and Human Services’ Meaningful Use Electronic Health Record Incentive Program (“Meaningful Use Program”) as a condition of licensure.

Massachusetts’ changes to the license requirements are another indication of how the Meaningful Use Program is shifting from an incentive program to a long-term compliance program. Health care providers, including those outside of Massachusetts, should weigh the importance of a compliance initiative for the Meaningful Use Program and have a firm understanding of how the Meaningful Use Program will affect clinical operations.

If you have questions regarding the Meaningful Use Program, please contact:


Proposed New Regulations for Meaningful Use Stage 3 and 2015 Editions Base EHR Definition


Two proposed regulations under the Medicare & Medicaid EHR Incentive Program (“MU Program”) were submitted to the Office of Management and Budget (“OMB”) on December 31, 2014. Both proposed regulations concern Stage 3, and the submission to OMB represents the first step toward the proposed regulations being published and available for review by the public. Given the filing and typical processes, it is anticipated that the regulations will be published sometime in February.

The first of the two proposed regulations was submitted by the Centers for Medicare & Medicaid Services and represents the criteria for Stage 3 of the MU Program. The OMB website provides the following statement with respect to the proposed regulations: “Stage 3 will also propose changes to the reporting period, timelines, and structure of the program, including providing a single definition of meaningful use. These changes will provide a flexible, yet, clearer framework to ensure future sustainability of the EHR program and reduce confusion stemming from multiple stage requirements.” The statement of changes to reporting periods and providing a single definition of meaningful use is interesting and could mean many things, but changes that simplify the process would certainly be welcomed by hospitals and providers.

The second of the two proposed regulations was submitted by the Office of the National Coordinator for Health IT (“ONC”) and proposes a new 2015 Edition Base Electronic Health Record definition (“2015 EHR”) and changes to the ONC certification program. While details are still forthcoming, the changes will focus on making “it more broadly applicable to other types of health IT health care settings and programs.” The 2015 Edition also establishes the technical capabilities and details the related standards and implementation specifications that Certified Electronic Health Record Technology would need to include to support the achievement of meaningful use by eligible professionals, eligible hospitals and critical access hospitals under the MU Program.

Typically, no further information about the proposed regulations will be made available until they are released by OMB and published in the Federal Register.

If you have questions regarding meaningful use, please contact:


CMS Extends EHR Attestation Deadline for Eligible Hospitals

This week, the Centers for Medicare & Medicaid Services (“CMS”) announced that it is extending the deadline for eligible hospitals and critical access hospitals (“CAHs”) to attest to meaningful use for the Medicare Electronic Health Record Incentive Program for the 2014 reporting year from 11:59 PM EST on November 30, 2014 to 11:59 PM EST on December 31, 2014.

This extension will allow more time for applicable hospitals to submit their meaningful use data and receive an incentive payment for the 2014 program year, as well as avoid the 2016 Medicare payment adjustment.

CMS is also extending the deadline for eligible hospitals and CAHs that are electronically submitting clinical quality measures to meet that requirement of meaningful use and the Hospital Inpatient Quality Reporting program. Hospitals now have until December 31, 2014 to submit their eCQM data via Quality Net.

If you have questions regarding meaningful use attestation deadlines, please contact:


OIG Fiscal Year 2015 Work Plan

On October 31, 2014, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) released the Work Plan for Fiscal Year 2015 (“Work Plan”). The Work Plan confirms OIG will continue to concentrate a great deal of its enforcement efforts on the security and vulnerabilities of protected health information (“PHI”) contained in electronic health records (“EHRs”). The continued focus on data security contained in EHRs aligns with the goals of the OIG Strategic Plan 2014-2018, where OIG identified EHRs as one of its key focus areas until at least 2018.

Given the increased frequency and publication of health information breaches, it is no surprise the OIG for the first time indicated it plans to examine hospitals’ contingency plan policies and procedures to determine if adequate safeguards are in place in the event systems containing PHI are damaged. OIG also indicated it will continue to examine the Centers for Medicare & Medicaid Services’ (“CMS”) oversight of hospitals’ security controls over networked medical devices, such as dialysis machines, radiology systems and medication dispensing systems. OIG will also continue to conduct audits of eligible hospitals and professionals who received Medicare and Medicaid Meaningful Use Incentive payments to determine whether such payments were proper.

It is worth noting the Work Plan did not include assessing the security and vulnerabilities of portable devices containing PHI as a priority. This may be an indication OIG has completed its review of the issue.

Click here to read OIG’s Work Plan.

If you have any questions or would like additional information about these topics, please contact: