Management Challenge 3: The Meaningful and Secure Exchange and Use of Electronic Information and Health Information Technology
Why This Is a Challenge
In support of its mission and operations, the Department maintains and uses expanding amounts of sensitive information. Complete, accurate, and timely data can help ensure efficient operations of the Department and its programs, as well as support proactive program oversight. Similarly, the American health care system increasingly relies on health information technology (health IT) and the electronic exchange and use of health information. Health IT, including electronic health records (EHRs), offers opportunities for improved patient care, more efficient practice management, and improved overall public health. However, the Department faces a number of significant challenges in this information-rich environment.
Ensuring Privacy and Security of Information. Safeguarding privacy and ensuring data security are, and should remain, top priorities for the Department. The Department must ensure that the data it creates and maintains are protected. Equally important is the need to ensure appropriate protection of health information when considering and implementing policies related to the adoption of health IT, and the exchange, storage, and use of electronic health information. The frequency of notable data breaches has increased significantly, and data breaches can have serious consequences for the health care industry, the Department, and those the Department serves. Those consequences can include identity theft, which, in the health care context, can negatively affect the care that patients receive and lead to wasteful, including fraudulent, spending of public funds. Frequently identified weaknesses include inadequacies in access controls, patch management, encryption of data, and Web site security vulnerabilities at the Department, health care providers, and other entities that do business with the Department. Such weaknesses could result in unauthorized access to sensitive information.
Improving Information Flow. To make use of the benefits of the growing amounts of data in the health care context,[3] data must be available, subject to appropriate privacy and security safeguards, where and when needed. However, enabling and encouraging the flow of information remains a challenge for the Department. Several factors may impede the flow of information. These include technical barriers (e.g., lack of interoperability), the complex nature of federal and state privacy and security laws, financial considerations (e.g., the cost of health IT acquisition), and behavioral issues (such as information blocking[4] and consumer confidence) that relate to a willingness to share information.
Improving the appropriate flow of health information is critical to the success of many delivery reform and other initiatives, including the President's Precision Medicine Initiative. Without appropriate information sharing, those who participate in the initiatives may face challenges in coordinating care and meeting performance and other goals. Impediments to information sharing can also present patient safety concerns. For example, a patient could be subjected to additional invasive testing that could have been avoided had information about prior results held by a different provider been shared. (For more information on health delivery reforms, see Management Challenge 8.)
The flow of information is also important between the Department and others, including providers. For example, data created, maintained, or transmitted using EHRs or other health IT are used to ensure correct Medicare and Medicaid payments, including value-based payments. Participants in certain initiatives also receive Departmental data for their use in improving the care they furnish. Additionally, the Department increasingly uses and shares data as part of its program operations and program integrity efforts. It is critical that, as the flow of information improves, the information is complete, accurate, timely, and appropriately protected.
Ensuring a Return on Health IT Investments. The Department has made significant investments in health IT. However, the Department faces challenges in ensuring that the goals associated with investing in the widespread adoption and use of EHRs and other health IT are fulfilled. In addition to the challenge of improving the flow of information, challenges to ensuring a return on the Department's investments in health IT include preventing inappropriate payments to participants who do not meet program requirements; ensuring that the beneficial characteristics of EHRs, including efficiency and ease of storage and access, are not used as tools for fraud; and ensuring that patient safety benefits are realized. When addressing these challenges, the Department must ensure coordination among internal agencies, as well as other federal partners, with overlapping responsibility for various aspects of health IT to avoid potential gaps in policy and oversight that could undermine the promise of the investments.
Progress in Addressing the Challenge
The Department has made progress with respect to privacy and security of its systems and information. Like others in the federal government, the Department has participated in the U.S. Chief Information Officer's 30-day Cybersecurity Sprint, which aims to "further improve federal cybersecurity and protect systems against...evolving threats."
The Department has made great strides in developing a nationwide health IT infrastructure that supports the appropriate flow of information. As of September 2015, more than 548,000 eligible professionals, eligible hospitals, and critical access hospitals (CAH) are actively registered in the EHR incentive programs.[5] Additionally, the Office of the National Coordinator (ONC) recently issued $38 million in grants to encourage better information exchange for care coordination and population health.
Further, the Department's participation in the Healthcare Fraud Prevention Partnership (HFPP) has improved the flow of information to address program integrity issues. The HFPP, a public-private partnership, brings interested parties—including private insurers, law enforcement agencies, and others—together to share and use data and analytic tools to proactively address health care fraud.
The Department has continued to oversee the EHR incentive programs and has made a concerted effort to advance the national conversation about important health IT issues to ensure that the potential benefits of health IT investments are realized. Last year, ONC issued a document entitled "Connecting Health and Care for the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure" (10-Year Vision Paper), which describes plans to expand the sharing of information for health beyond EHRs and identifies privacy and security protections for health information as a building block for a nationwide interoperable health information infrastructure. More recently, ONC issued a document entitled "Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap Draft Version 1.0," which supports the vision laid out in the 10-Year Vision Paper. ONC has also issued an information-blocking report to Congress, a Health IT Safety Center Roadmap, and an updated Federal Health IT Strategic Plan for 2015–2020.
What Needs To Be Done
Threats to information privacy and security are evolving, and the Department must remain vigilant. While the Department has made progress with respect to protecting its own information, as highlighted in OIG work and a recent Congressional Report, more remains to be done. The Department also must use available policy levers to address health IT privacy and security issues, such as through the EHR incentive programs. OIG work will continue to focus on HHS systems' privacy and security to support the Department's efforts to mitigate the risk of unauthorized access to its sensitive information. OIG work will also focus on privacy and security issues in the regulated community and on the related agencies to address concerns about similar risks for health information. Future work may consider privacy and security issues that arise from the continuing expansion of the Internet of Things, such as connected medical devices.
To fully realize the value of health IT investments—which included, as of September 2015, over $31 billion through the EHR incentive programs—and achieve the goal of a learning health system identified in the 10-Year Vision Paper, the Department must do more to improve the flow of information, subject to appropriate privacy and security safeguards.
Finally, given the magnitude of the investment in EHRs and other health IT programs, it will become increasingly important to measure the extent to which EHRs and health IT have achieved the Department's goals, which include improved health care and lower costs. As the Department progresses through the development and implementation of meaningful use stages and looks to implement the meaningful use portion of the Merit-based Incentive Payment System created in the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), it should continue to consider feedback from stakeholders to ensure that adopted policies advance the Nation toward the Department's stated goals, while appropriately reflecting the changing health IT landscape and balancing privacy and security considerations. Additional guidance and technical assistance should be issued to address adoption, meaningful use, interoperability barriers, and program integrity safeguards. It is also essential that privacy, security, and fraud prevention remain at the forefront of the Department's, ONC's, and CMS's health IT efforts. Ongoing OIG work is examining the accuracy of Medicare and Medicaid EHR incentive payments for meaningful use. Future work may examine health IT interoperability across providers (including those participating in accountable care organizations), across HHS, and between providers and patients, as well as examine outcomes from health IT investments.
Key OIG Resources
- OIG Reports on EHR Incentive Program Oversight, A-06-13-00047; OEI-09-11-00380; A-06-12-00041; OEI-05-11-00250; OEI-05-11-00080
- OIG Reports on EHR program integrity, OEI-01-11-00570, OEI-01-11-00571
- OIG Report, CMS Response to Breaches and Medical Identity Theft, October 2012
- OIG Summary Report, Information Technology Infrastructure and Operations Office Had Inadequate Information Security Controls, April 2015
- OIG Reports on hospital IT security, including HIPAA Security Rule Oversight, June 2011, OEI-09-10-00510, and OEI-09-10-00511
[3] Sources of relevant health care data are ever increasing, particularly as the Internet of Things continues to expand. For more information about the Internet of Things, particularly related privacy and security issues, see FTC's Staff Report, Internet of Things: Privacy and Security in a Connected World, January 2015.
[4] For more information on the topic of information blocking, see ONC's Report to Congress, Report on Health Information Blocking, April 2015.
[5] CMS, "State Breakdown of Registration by Medicaid and Medicare Providers through September 30, 2015," September 2015.