OIG Targets Meaningful Use

April 2011

Ober|Kaler's Health Law attorneys are regular contributors to Medical Laboratory Observer's "Liability and the Lab" column at mlo-online.com. This article appears in the April 2011 edition.

Q: What is the Office of the Inspector General’s (OIG) role in electronic health records (EHR)?

A: The OIG recently released its Recovery Act Implementation Overview and Work Plan (Plan) for 2011. A significant portion of the Plan items relate to healthcare information technology (HIT), including meaningful use. With regard to HIT generally, the OIG seems especially concerned with information security.

The meaningful-use incentive program contemplates a large outlay of government funds to eligible professionals and hospitals who have met technically exacting criteria regarding the implementation and use of varied HIT. The OIG intends to monitor this program closely. In total, the Plan includes a half dozen different items related to meaningful use. The OIG intends to:

review the ONC’s oversight of the ATCBs to ensure that the ATCBs have properly reviewed and tested the security features of EHR products put forth for certification (this review will include a review of some EHRs that have already received certification);
determine whether Centers for Medicare & Medicaid Services’ (CMS) HIT system enhancements include the standards adopted by the Department of Health and Human Services (HHS) and provide sufficient security for sensitive personal information;
assess CMS’ compliance with the current Breach Notification Rule (which is described at http://tiny.cc/r3606) and CMS’ response to breaches;
identify incentive-program payments made in error and review CMS’ response to identified erroneous payments;
determine the progress states have made toward CMS approval for incentive payment plans and determine when states intend to make Medicaid incentive payments available to program participants;
review states’ IT controls for capturing meaningful-use data and track payments made; and
determine whether states’ initial plans for incentive payment processes and incentive payments eventually claimed were both in accordance with Recovery Act requirements.

As part of the meaningful-use program, the Office of the National Coordinator for Health Information Technology (ONC) sets standards for the certification of EHR systems and modules. Providers may only receive incentive payments where they use meaningful-use-certified EHR technology. Final testing of EHRs and final determinations of certification status is made by Authorized Testing and Certification Bodies (ATCBs) named by the ONC. With regard to the ONC, the OIG intends to:

review the ONC’s oversight of the ATCBs to ensure that the ATCBs have properly reviewed and tested the security features of EHR products put forth for certification (this review will include a review of some EHRs that have already received certification);
determine whether the ONC’s process to develop HIT-related standards properly considered security concerns; and
determine whether the federal Regional Extension Centers are providing IT security support to healthcare providers.

Finally, the OIG Plan included as an independent work item examination of providers’ compliance with HIPAA and Recovery Act requirements and the HHS Office of Civil Rights’ (OCR) compliance with the enforcement responsibilities authorized by the Recovery Act.

The OIG’s plan to review the certification of certain EHR technologies raises the question of whether a negative review could result in the “de-certification” of previously certified EHR technologies that providers have already implemented. In addition, the OIG’s plan to review the enforcement activities of the OCR should remind all healthcare providers that properly executed and implemented HIPAA policies, procedures, and training must remain a foremost compliance concern.