OIG is Protecting PHI by Ramping Up Enforcement Oversight to Ensure Appropriate Risk Management Process
The 2009 enactment of the American Reinvestment and Recovery Act (ARRA) and the accompanying Health Information Technology for Economic and Clinical Health (HITECH) Act created a new and rapid adoption of Electronic Health Records (EHR) for hospitals and physician practices. The HITECH Act authorized roughly $36 billion worth of incentives for demonstrating meaningful use of EHR through healthcare technology. There are a number of requirements that need to be validated as to required functionality of a certified EHR healthcare technology solution to qualify for the incentive payments. One of these critical components is the validation and assurance that proper enterprise security risk management was performed including risk and security assessments to protect patient data, conducted and remediated on a regular basis. This further expanded into the new the Merit-Based Incentive Payment System (MIPS). This program was revised to reward or penalize outpatient Medicare payment adjustments for meeting certain quality and practice excellence. Along with this, there is also a significant portion to assure that security risk assessments were conducted. As thousands of hospitals and physician practices registered for the incentive payment programs, the Office of the Inspector General (OIG) recognized that it would not be feasible to audit all hospitals and medical practices; instead, OIG allowed organizations to self-report and attest that these risk assessments had been conducted. The OIG was providing an honor system but have consistently indicated that, as the program was developed, there would be more resources and services dedicated to enforcement and warned healthcare organizations that they would be severely penalized for any false reporting, as OIG’s goal is protecting PHI. Coffey Health’s recent $250k slap by the DoJ is a recent example of the increased OIG enforcement based on lack of appropriate enterprise security risk management. The allegations are that Coffey Health falsely attested to security risk analysis to meet EHR incentive program requirements. The OIG is following through on their commitment to make sure that providers are carrying out proper practices and will be focusing heavily on incentive payment roll backs and penalties. It is crucial for organizations to assure that a proper risk management process is in place and that risk assessments and remediations are conducted. Healthcare organizations often struggle with this because they perceive this to be resource intensive, time consuming, or do not have the expertise. However, these are not valid excuses in the eyes of the OIG and Department of Justice. These requirements can be mitigated but utilizing simple, easy to set up, and robust risk and security healthcare technology solutions that can conduct the risk assessments and assure proof to oversight bodies that they have not only been conducted, but also acted upon, to remediate risk. Find out how simple ongoing security and compliance monitoring can be. Download the Playbook for Corporate Compliance in Healthcare.