OIG Work Plan Highlights, Privacy and Security Measures – Part 1
The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) Work Plan for fiscal year 2014 was published on January 31st. It includes several measures related to privacy and security, which we will summarize and discuss in our next few posts.
For years, covered entities have had to worry about the HHS Office for Civil Rights as the main HIPAA regulatory body. More recently, they have also had to worry about the Centers for Medicare & Medicaid Services auditing Meaningful Use and verifying that their Meaningful Use Risk Assessment was performed appropriately. Now health care providers need to worry about a third federal agency that will be scrutinizing compliance with privacy regulations and security guidelines: the OIG.
The first area of the OIG Work Plan that relates to privacy and security is the security of portable devices containing ePHI. We can only speculate as to how the OIG will “review security controls implemented by Medicare and Medicaid contractors and at hospitals” and “assess and test contractors’ and hospitals’ policies and procedures,” because we do not have the details of these new audits, how many organizations will be audited, or the extent of the audits. We also do not know the ramifications of a failed audit. We do know, however, that breaches involving portable devices containing patient ePHI (laptops and other portable electronic devices) represent 37% of the large data breaches reported as of January 31, 2014.
That statistic is why the OIG now wants to examine what health care providers are doing to secure and protect the ePHI stored on laptops, tablets, portable hard drives and portable storage devices. The OIG Work Plan also includes a measure to “assess and test contractors’ and hospitals’ policies and procedures for electronic health information protections, access, storage, and transport,” stressing the importance of proper disposal of portable devices, and of any device containing electronic data, as recommended in the National Institute of Standards and Technology’s Special Publications 800-53 and 800-53A.
For years, Eagle Consulting Partners has recommended encryption to protect sensitive information. This is because, by definition, the loss or theft of information that is encrypted (and whose encryption key has not also been compromised) does not constitute a breach. A Meaningful Use Risk Assessment can help identify best practices for encryption and for proper disposal of all electronic data, on portable devices and elsewhere, to protect your organization.