OIG Security Audits of EHR Incentive Program Participants
April 12-16, 2015
David G. Schoolcraft and Elana R. Zana, Attorneys, Ogden Murphy Wallace, P.L.L.C.

DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
Conflict of Interest
David G. Schoolcraft, JD, and Elana R. Zana, JD, have no real or apparent conflicts of interest to report.
HIMSS 2015
Learning Objectives
Learning Objective 1: Analyze the questions posed by the Office of Inspector General (OIG) to determine how to maintain appropriate documentation to respond to their inquiries.
Learning Objective 2: Identify contractors that may be included in an OIG audit, including how to design a combined response strategy in advance of an OIG audit.
Learning Objective 3: Discuss the path of an OIG audit from a hospital perspective to create resource allocation plans in advance of an OIG audit.
An Introduction to the Benefits Realized for the Value of Health IT
Prevention & Patient Education: The OIG Security Audit is designed to evaluate hospital management and health information security, including outside vendors.
Savings: Hospitals implementing appropriate security audits and protections will avoid claw back of Meaningful Use dollars.
http://www.himss.org/valuesuite
"Digitized health files are jet fuel for medical identity theft." - Pam Dixon, World Privacy Forum (Source: CBS News)
OIG Work Plans Target HIPAA & EHR
2014 Work Plan: Security of Certified Electronic Health Record Technology under Meaningful Use
2015 Work Plan: Security of Certified Electronic Health Record Technology under Meaningful Use; hospitals' electronic health record system contingency plans
Multiple Government Entities Auditing HIPAA Security
Security of Certified EHR Technology under Meaningful Use
"We will perform audits of various covered entities receiving EHR incentive payments from CMS and their business associates, such as EHR cloud service providers, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology. Furthermore, business associates that transmit, process, and store EHRs for Medicare/Medicaid providers are playing a larger role in the protection of electronic health information. Therefore, audits of cloud service providers and other downstream service providers are necessary to assure compliance with regulatory requirements and contractual agreements."
OIG Refuses Request For Information
No information publicly available about:
Audit process
How to prepare for an audit
Penalties related to audit results
Number of hospitals undergoing an audit
Audit reports
Benchmarks & best practices used as comparisons
EHR Incentive Program Audits: Double Jeopardy
CMS vs. OIG (CMS side)
1. Meaningful Use Core Measure: Protect Electronic Health Information
2. To measure the objective, eligible hospitals must conduct a security risk analysis of certified EHR technology per federal regulations
3. Figliozzi requests a copy of the Security Risk Analysis but does not analyze the adequacy of the Security Risk Analysis
4. Failure of CMS audit = Return of Meaningful Use $$$
CMS vs. OIG (OIG side)
1. OIG deeper dive into EHR security
2. Business Associates with access to EHR
3. Focus on EHR cloud service providers & EHR vendor
4. On-site audit (2-3 weeks)
5. Interviews
6. Failure of OIG audit = Fraud???
OIG Audit Questionnaire
17 areas of interest, including:
EHR Risk Assessment, Audits & Reports
EHR Security Plan
Organizational Chart
Network Diagram
EHR Websites & Patient Portals
Policies and Procedures
System Inventory
Tools used to perform vulnerability scans
Central Log and Event Reports
EHR System Users
List of contractors supporting EHR & Network
Perimeter Devices
Audit Question: Network Diagram
Provide the EHR network diagram (or network map) that shows your EHR network architecture, including external connections.
Audit Question: EHR Web Sites
Provide a description of internal or external web sites associated with the EHR system, including patient portals.
Audit Question: Policies & Procedures
Provide copies of policies related to:
a. risk assessment
b. plan of action and milestones/corrective action plans
c. incident response
d. encryption
e. patch management
f. access controls
g. audit logging and/or audit controls
Audit Question: System Inventory
For all network servers, provide:
a. server name
b. operating system and version
c. primary function/service (e.g. database, file, backup)
d. name of system manager
Audit Question: EHR Network Devices
Information request for:
a. manufacturer and model number
b. software version
c. primary function
Target of the Investigation?
MU Participants (Investigation Recipient): Hospitals & EPs
EHR Vendors
Business Associates (Ex: NextGen Cloud Services)
Subcontractors (Ex: Dell, AWS)
Audit Readiness Plan
1. Gather information consistent with the OIG Audit Questionnaire
2. Evaluate health IT vendors and related contract terms
3. Identify the team that will respond to an OIG audit request
4. Conduct a mock audit to fully assess readiness
Questions
Speakers: David G. Schoolcraft, Attorney; Elana R. Zana, Attorney; Ogden Murphy Wallace, P.L.L.C.
dschoolcraft@omwlaw.com
ezana@omwlaw.com
Website: omwhealthit.com
Blog: omwhealthlaw.com
Twitter: @ezhealthlaw @hitech_lawyer