Management Issue 9:
Integrity and Security of Health Information Systems and Data
Why This Is a Challenge
As health care providers modernize their medical recordkeeping and billing systems, the adoption of electronic health records (EHR) and other innovations offer opportunities for improved patient care and more efficient practice management. However, as growing quantities of personal medical information are stored in electronic format, protecting the privacy and security of these data and ensuring the integrity of EHRs is critical. In addition, ensuring the integrity, privacy, and security of sensitive data will be critical to the successful administration of the ACA Exchanges and related programs, including the premium tax credit program.
Data Security. A series of OIG audits revealed that some hospitals lack sufficient security features, potentially exposing patients' electronic protected health information to unauthorized access. Vulnerabilities included unsecured wireless access, inadequate encryption, authentication failures, and other access control vulnerabilities. OIG also found security breaches in data stored by CMS's contractors.
Over 5,000 Medicare physician identifiers and almost 300,000 Medicare beneficiary numbers are known to be compromised. Protecting beneficiaries' and providers' identifiers is critical because fraud perpetrators often use stolen beneficiary and/or physician identities to submit false claims. For example, OIG investigated fraudulent medical clinics in California that used stolen physician identifiers to falsely bill Medicare for equipment the physicians did not order and services the physicians did not render. The perpetrators pleaded guilty to Medicare fraud and the operation was shut down.
Integrity of EHRs and EHR Investments. Between 2009 and 2021, the Federal Government will spend over $20 billion on the Medicare and Medicaid EHR incentive programs. The Department must ensure that recipients of Medicare and Medicaid EHR incentive payments truly qualify for payment and that policies effectively promote desirable technological practices and outcomes. OIG found shortcomings in Medicaid agencies' ability to ensure the integrity of their EHR incentive programs and eligibility of providers receiving incentive payments. More than half of Medicare physicians currently use electronic health record systems. Beginning in 2015, the Department must implement Medicare payment reductions for physicians who cannot demonstrate meaningful use of certified EHR systems.
Finally, EHRs should facilitate more accurate billing and support better quality of care but, when misused, may promote fraudulent billing or inappropriate care. For example, cut-and-paste features and auto-fill templates can reduce paperwork burdens, but can also be misused to fabricate information, generating improper payments and corrupting patients' records with inaccurate and potentially dangerous information. Similarly, well-designed decision support tools can help physicians select the best care for their patients, but inappropriately designed decision support tools can promote waste and inappropriate care.
Progress in Addressing the Challenge
The Department has promulgated various rules that address privacy and security of patient information, encourage health care providers to use EHRs, and ensure that record systems are interoperable and facilitate accurate and secure exchange of information between authorized users. The Department has provided guidance to help covered entities comply with privacy and security rules mandated by the Health Insurance Portability and Accountability Act of 1996 and pursued enforcement actions against entities that have failed to do so.
The Department has also addressed, in limited ways, privacy and security matters in its regulations governing Medicare and Medicaid EHR incentive payments. The Department has developed and shared with the States a pre- and post-payment audit toolkit to help States verify eligibility for incentive payments under the Medicaid EHR program.
The Department has implemented numerous recommendations to make its own electronic data more secure. The Department has educated physicians on protecting their provider identifiers and preventing unauthorized individuals from using the physicians' credentials to order or bill for services. The Department established databases to track compromised beneficiary and provider identifiers and implemented a new remediation process to assist physicians whose identities were stolen and used to submit false bills to Medicare and Medicaid.
In addition, OIG has undertaken educational initiatives, including direct outreach by special agents and dissemination of an identity theft brochure, to help beneficiaries and providers protect themselves from medical identity theft.
What Needs To Be Done
The Department needs to heighten its focus on oversight and enforcement of privacy and security protections to ensure that health care providers and the Department's own systems and contractors effectively safeguard individuals' protected health and other sensitive personal information. This should entail continued compliance reviews to ensure adoption of adequate privacy and security standards. The Department should also increase protections for provider and beneficiary identifiers to prevent medical identity theft and better assist beneficiaries whose identifiers have been compromised.
The Department should also provide additional guidance on information technology security standards and best practices that the health care industry should adopt for EHRs. As providers increasingly claim financial incentives for adoption of electronic record and prescribing technologies, strict oversight, including prepayment verification and postpayment auditing, will be essential.
Key OIG Resources
- Security Gaps May Threaten Electronic Health Records (A-04-08-05069 and A-18-09-30160)
- Early Review of States' Planned Medicaid Electronic Health Record Incentive Program Oversight (OEI-05-10-00080)
- Use of Electronic Health Record Systems in 2011 Among Medicare Physicians Providing Evaluation and Management Services (OEI-04-10-00184)
- Protect Yourself Against Medical Identity Theft
- CMS Response to Breaches and Medical Identity Theft (OEI-02-10-00040)
Management Issue 10: Fostering an Ethical and Transparent Environment
Let's start by choosing a topic
Priority recommendations summarized.
FY 2016 Work Plan
OIG projects planned for 2016.
Significant OIG activities in 6-month increments.