On January 31st, 2014, the OIG published its 2014 work plan. The plan is essentially a guide delineating the OIG's efforts for fiscal year 2014. In the words of the work plan itself, “it summarizes new and ongoing reviews and activities that the OIG plans to pursue with respect to HHS programs and operations during the current fiscal year (FY) and beyond.” The OIG work plan is quite well organized, and it identifies risk areas based on provider type. I personally read it every year and adjust our operations based on the information in it. An interesting point in this year’s plan was the emphasis on electronic health records and business associates. In particular, they mentioned:
- Meaningful Use Payment Recipients. The emphasis will be on identifying payments to providers that should not have received incentive payments (e.g., those not meeting selected meaningful use criteria).
- Security of Certified EHRs under Meaningful Use. This is quite a wide category, as the OIG plans to audit covered entities receiving EHR incentive payments and their business associates. In particular, the OIG specifically referred to the security risk analysis as a tool to meet and measure this objective.
- OCR Oversight of Covered Entities’ Compliance with the HIPAA Privacy Rule. In short, the OIG will make sure that OCR is enforcing HIPAA.
- Security of portable devices containing personal health information. This category covers electronic devices that store patient information, such as laptops, dialysis machines and even medication dispensing systems.
In addition to the above the OIG will look into these new categories:
And never forget some of our all-time favorites:
- Evaluation and management services—Inappropriate payments
- Physicians and suppliers—Noncompliance with assignment rules and excessive billing of beneficiaries
- Physicians—Place-of-service coding errors
- Physical therapists—High utilization of outpatient physical therapy services
- Ambulatory surgical centers—Payment system
- End-stage renal disease facilities—Payment system for renal dialysis services and drugs
- Rural health clinics—Compliance with location requirements
- Anesthesia services—Payments for personally performed services
- Chiropractic services—Part B payments for noncovered services
- Diagnostic radiology—Medical necessity of high-cost tests
- Laboratory tests—Billing characteristics and questionable billing
- Ophthalmologists—Questionable billing
- Electrodiagnostic testing—Questionable billing
- Portable x-ray equipment—Supplier compliance with transportation and setup fee requirements (new)
- Sleep disorder clinics—High utilization of sleep-testing procedures
- Partial hospitalization programs—Services in hospital outpatient departments and community mental health centers
We at Taino Consultants have already seen quite a few Meaningful Use Audits and have done our share of Security Risk Analysis and Risk Management Plans. Our experience may be summarized as follows:
- Meaningful Use audits. Before you start your attestation, complete a security risk analysis and put in place a security risk plan. Then, as you go through the process, prepare an evidence book with copies of the information and even screenshots to prove your numbers.
- HIPAA Security Risk Analysis. These are long, complex and painful. Most of the time, a team effort between Administration and Information Systems personnel will be required. Based on the magnitude and complexity, I highly recommend the use of a seasoned professional to assist with this endeavor.
Note: Recently we have played a number of roles in these endeavors. We can do it all, provide tools for the completion of key tasks, or simply coach you and your designated representatives. The choice is always in your hands, the customer.
http://oig.hhs.gov/reports-and-publications/archives/workplan/2014/Work-Plan-2014.pdf