Management Issue 5:
Integrity and Security of Information Systems and Data
Why This Is a Challenge
As health care providers modernize their medical recordkeeping and billing systems, the adoption of EHRs and other innovations offers tremendous opportunity for improved patient care and more efficient practice management. However, as growing quantities of personal medical information are stored in electronic format, protecting the privacy and security of these data should be prioritized. A series of OIG audits revealed that some hospitals lack sufficient security features, potentially exposing patients' electronic protected health information to unauthorized access. Vulnerabilities included unsecured wireless access, inadequate encryption, authentication failures, and other access control vulnerabilities.
Protecting beneficiaries' and providers' identifying information is critical because fraud perpetrators often use stolen beneficiary and/or physician identities to submit false claims to the programs. In one recent example, OIG investigated fraudulent medical clinics in California that used provider numbers of unaffiliated physicians to submit false claims to Medicare for medical equipment that the physicians did not order and for services that the physicians did not render. The perpetrators pleaded guilty to defrauding Medicare and the operation has been shut down.
Additionally, the Department must ensure the integrity of incentive payments to encourage providers to adopt electronic prescribing and EHRs. In particular, the Department must ensure that recipients of Medicare and Medicaid EHR incentives truly qualify for these payments and that these payment policies effectively promote adoption of desirable technological practices. OIG found that the lack of sufficient data limits State Medicaid agencies' ability to verify both eligibility requirements prior to payment and the completeness of those verifications. Between 2009 and 2021, the federal government will spend an estimated $20.6 billion on the Medicare and Medicaid EHR incentive programs.
Finally, EHRs should facilitate more accurate billing and support better quality of care, but when misused may promote fraudulent billing or wasteful or inappropriate care. For example, cut-and-paste features and auto-fill templates can reduce paperwork burdens, but can also be misused to fabricate information, which results in improper payments and leaves inaccurate and potentially dangerous information in the patient record. Similarly, well-designed decision support tools can help physicians select the best care for their patients, but inappropriately designed decision support tools can drive overutilization of services and lower the quality of care.
Progress in Addressing the Challenge
The Department has promulgated various rules that address privacy and security of patient information, encourage health care providers to use EHRs, and ensure that record systems are interoperable and facilitate accurate and secure exchange of information between authorized users. The Department has provided guidance to help covered entities comply with privacy and security rules mandated by the Health Insurance Portability and Accountability Act of 1996 and pursued enforcement actions against entities that have failed to do so. The Department has also addressed, in limited ways, privacy and security matters in its regulations governing Medicare and Medicaid EHR incentive payments. The Department has implemented numerous recommendations to make its own electronic data more secure.
In addition, OIG has undertaken educational initiatives, including direct outreach by special agents and distribution of an identity theft brochure, to help beneficiaries and providers protect themselves from medical identity theft.
What Needs To Be Done
The Department needs to heighten its focus on oversight and enforcement of privacy and security protections to ensure that hospitals and other health care providers, as well as the Department's own contractors, effectively safeguard individuals' protected health information when stored in electronic formats. This should entail continued compliance reviews to ensure adoption of adequate privacy and security standards. The Department should also provide additional guidance on general information technology security standards and best practices the health care industry should adopt for EHRs. As providers begin claiming financial incentives for adoption of electronic record and prescribing technologies, strict oversight, including prepayment verification and postpayment auditing, will be essential.
Key OIG Resources
- Early Review of States' Planned Medicaid Electronic Health Record Incentive Program Oversight (OEI-05-10-00080)
- Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight (A-04-08-05069)
- Audit of Information Technology Security Included in Health Information Technology Standards (A-18-09-30160)
Management Issue 6: Availability and Quality of Data for Effective Program Oversight
Let's start by choosing a topic
Priority recommendations summarized.
FY 2014 Work Plan
OIG projects planned for 2014.
Significant OIG activities in 6-month increments.