The OIG Work Plan
What are the HHS areas of focus this year?
In past columns, we outlined the history, authority, and structure of the Office of the Inspector General (OIG) of the federal Department of Health and Human Services (read more at http://bit.ly/May12RADLAW) and explained the OIG Advisory Opinion process (read more at http://bit.ly/June12RADLAW).
This month, we'll delve into a little-known but critically important document called "the OIG Work Plan." The work plan is an outline of the areas on which the OIG plans to focus during a particular fiscal year. The introduction to the 101-page fiscal year 2014 work plan states,
Work planning is a dynamic process, and adjustments are made throughout the year to meet priorities and to anticipate and respond to emerging issues with the resources available. We assess relative risks in the programs for which we have oversight authority to identify the areas most in need of attention and, accordingly, to set priorities for the sequence and proportion of resources to be allocated.1
In other words, the OIG carefully selects the target areas for its work each year. They aren't just saying they're going hunting — that's a given. They're saying, this year, they're hunting ducks, deer, and sometimes, radiologists.
ACR committee members and staff spend a significant amount of time and effort parsing each annual work plan in an effort to assist members and practices that may fall into these target areas. For example, in the FY 2014 Work Plan, the OIG targets one area that will clearly impact radiologists and two other areas in which radiologists are either already or soon will be involved:
Imaging services — Payments for practice expenses
Billing and Payments. We will review Medicare Part B payments for imaging services to determine whether they reflect the expenses incurred and whether the utilization rates reflect industry practices. For selected imaging services, we will focus on the practice expense components, including the equipment utilization rate....
Security of portable devices containing personal health information
Protected Health Information. We will review security controls implemented by Medicare and Medicaid contractors and at hospitals to prevent the loss of protected health information (PHI) stored on portable devices and media, such as laptops, jump drives, backup tapes, and equipment considered for disposal.
Controls over networked medical devices at hospitals (new)
Protected Health Information. We will determine whether hospitals' security controls over networked medical devices are sufficient to effectively protect associated electronically protected health information (ePHI) and ensure beneficiary safety.
In the imaging practice expenses area, we anticipate the OIG will scrutinize to what extent radiology practices actually use imaging equipment. In 2009, the Medicare Payment Advisory Commission (MedPAC) issued a report on the assessment of payment adequacy. MedPAC opined that a 50 percent utilization rate (i.e., using equipment for 25 hours per week, when an imaging center is open for 50 hours per week) contributed to the rapid volume growth of advanced imaging services by mispricing those services. MedPAC asserted that health care entities that had a lower volume of services thereby might have incentive to purchase expensive machines. However, ACR and other organizations contended that the MedPAC data was too limited because it only included six markets. ACR has discussed this audit with OIG officials and offered to assist the OIG in designing its parameters, especially as it relates to the equipment utilization rate. At press time, the OIG had not yet finalized its audit.
When it comes to networked medical devices in hospitals, we anticipate the OIG will include RIS, PACS, and electronic medical records (EMRs) access as part of its review. In some hospitals, the facility controls all of these systems. In others, by contract or past practice, radiologists are responsible for the PACS and RIS. The OIG will undoubtedly examine access controls, access tracking, password use, encryption, antivirus protection, and reporting of any breaches or other violations. The same is true for EMRs. Although radiologists are unlikely to have direct control over a hospital EMR system, they are responsible for the actions of their physicians and other employees. In this regard, the OIG always looks at HIPAA training and enforcement. The OIG is still working on this audit.
In the area highlighting security of portable devices, we anticipate that the OIG will examine which devices can be used to access patient data in the hospital systems and the system protections such as password use, encryption, antivirus software, HIPAA training, etc. Of particular relevance to radiologists is the use of various devices for remote interpretation and reporting. While a tablet may be very convenient for such work, a four-digit security code, such as those securing Apple's mobile devices, may not be considered adequate for protection of PHI. Whether the radiologist loads the images in the hospital and carries them out on the device or accesses them remotely on the PACS, the OIG will expect the same level of protection as is enforced within in the hospital. Virtually all HIPAA breaches involving portable devices involve either lost tablets or laptops or unprotected devices that were accessed by someone who was not authorized to do so. This audit is also pending.
By Bill Shields, JD, LLM, CAE, and Tom Hoffman, JD, CAE
1. U.S. Department of Health and Human Services Office of Inspector General. “Work Plan for Fiscal Year 2014.” http://bit.ly/OIGworkplan. Accessed May 30, 2014.