OIG 2016 Work Plan Has Been Released

OIG 2016 Work Plan Targets Hospital Safeguards for PHI, Contingency Plans & Medical Devices

HHS’s Office of Inspector General (OIG) has released its 2016 work plan detailing the new investigations it plans to undertake next year. According to the report, the OIG plans to look into the effectiveness of the Office for Civil Rights (OCR) in enforcing the HIPAA Security Rule, and whether the FDA’s oversight of hospitals’ networked medical devices is sufficient to protect ePHI and patient safety. The work plan also updates the status of ongoing engagements examining hospitals’ compliance with the HIPAA Security Rule requirement to have contingency plans for responding to an emergency or natural disaster.

On the heels of issuing a report critical of how OCR enforces the HIPAA Security Rule, based on data collected in 2011, the OIG will perform a follow-up series of on-site performance audits of hospitals, testing their compliance with the security standards for the protection of ePHI. The new review marks the third time in the last 10 years that OIG has examined how HHS uses its enforcement authority in policing the HIPAA Security Standards. In each prior engagement, OIG employed a protocol in which regional offices selected several hospitals and academic medical centers for on-site performance audits, testing the adequacy of security safeguards and access control policies and measuring technical controls through the use of network scanning appliances. The OIG then issued a formal report of its findings and recommendations for corrective action directed to the covered entity and copied to OCR. OIG held OCR accountable for ensuring that the findings from the individual covered entity audit engagements were addressed.

The OIG work plan updated the status of its ongoing project to examine the extent to which hospitals comply with the HIPAA Security Rule requirement that covered entities have a contingency plan establishing policies and procedures for responding to an emergency or other occurrence that damages systems containing protected health information. In its 2014 work plan, OIG announced its evaluation comparing hospitals’ contingency plans with government- and industry-recommended practices.

OIG will also examine whether hospitals have effective technical security controls in place to manage networked medical devices, in order to safeguard ePHI and protect patient safety. As with the program to review HIPAA Security Rule compliance, OIG regional offices will select individual hospitals and academic medical centers for on-site performance audits. These audits will assess the technical security controls of computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems, that are integrated with electronic medical records (EMRs) and the larger health network, in order to measure the threat to the security and privacy of personal health information. Hospitals selected for review under this program will likely be tested to evaluate whether the hardware, software, and networks that monitor a patient’s medical status and transmit and receive related data over wired or wireless communications have taken into account the risks associated with ePHI that is transmitted or maintained by a medical device.

How do you effectively manage your information security controls and networked medical devices?

  • Review the sections of OCR’s HIPAA/HITECH audit protocol that test compliance with the HIPAA Security Rule
  • Conduct an enterprise-wide information security risk assessment, placing special emphasis on the threats and vulnerabilities affecting networked medical devices, obsolete or unsupported hardware or software, and points of access through which removable media or portable/mobile devices may send or receive data
  • Make sure you have the latest guidelines, policies, and procedures in place
  • Consider conducting a mock audit (either by internal staff or by a third-party specialist) to make sure you’re prepared for the real thing

You do not want to wait until you receive notification from OIG that you have been selected for an OIG on-site technical security audit to begin preparing. CynergisTek can help hospitals and academic medical centers reduce vulnerabilities with a risk assessment or a robust compliance program that satisfies HIPAA Security Rule responsibilities and ensures adequate information security controls. Contact us to learn more.

November 9th, 2015

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.