This week the HHS Office of the Inspector General (OIG) released its Work Plan for Fiscal Year 2016. Combing through this 76-page document revealed some items of interest relating to HIPAA and Meaningful Use. In particular, we note two areas of investigation:

1) Hospitals’ electronic health record system contingency plans. The OIG will determine the extent to which hospitals comply with the contingency planning requirements of HIPAA. They specifically reference 45 CFR 164.308(7)(i). Eagle’s opinion is that this requirement is one of the most important of the HIPAA regulations. The implementation specifications include the following five elements:

  • Data backup plan
  • Disaster recovery plan
  • Emergency mode operation plan
  • Testing and revision procedure
  • Applications and data criticality analysis

2) Security of certified electronic health record technology under Meaningful Use. The OIG will perform audits of various covered entities receiving EHR incentive payments to determine whether they adequately protect ePHI created or maintained by the EHR systems. They note that a security risk analysis consistent with the risk analysis requirement in the HIPAA regulations, 45 CFR 164.308(a)(1), is required, and that providers are required to use the privacy and security-related features of their electronic record system. From a Freedom of Information Act release regarding Meaningful Use audit results, we know that 20% of physicians fail, and that the most common reason for failure is the lack of an adequate security risk analysis and appropriate remediation. For more details, consult fellow consultant Steve Spearman’s infographic here: Health Security Solutions Audit Infographic.

First, note that these audits are among several different audits that will be occurring in 2016. See also the OCR Phase 2 audits at HHS Provides details on Phase 2 of random HIPAA audit program and Preparing for the new OCR Audits, and note that these audits have been delayed again and will not be underway until the second quarter of 2016. Providers also must contend with the audits conducted by CMS contractor Figliozzi & Company, described in Meaningful Use Audits Evolve to Require Security Corrective Actions to be Complete.

What are the takeaways? Certainly, a robust backup, recovery and contingency plan is appropriate for all hospitals and is required not only by HIPAA but by other regulatory requirements as well. Our experience with hospitals is that some have been unable (or unwilling) to make the investment in a proper contingency plan. One community hospital, for example, needed an investment of about $1M for a backup data center and, in the face of challenging financial circumstances, decided that it was unable to make this investment. The challenging financial times for hospitals across the country are leading to an increase in mergers and affiliations, hospital closures and, in some cases, conversions from inpatient facilities to outpatient-only facilities.

Regarding the security of the electronic record systems, we have written extensively about the HIPAA Security Risk Analysis as the foundation for effective security and for compliance with the HIPAA Security Rule. We refer the interested reader to the following for information on the requirements and importance of the security risk analysis:

Achieving Meaningful Use Stage 1 for Privacy and Security

Meaningful Use and the Evolution of the Privacy and Security Objective

Editor’s Note: Subsequent to the publication of this article, CMS has renamed the “Meaningful Use” programs and MIPS “Advancing Care Information” category to “Promoting Interoperability”.
