The HHS OIG recently released its annual Work Plan for Fiscal Year (FY) 2016. The Work Plan outlines planned audits and evaluations, including a review of the Office for Civil Rights’ (OCR) oversight over the security of electronic protected health information (ePHI).
Prior OIG audits reported that OCR had not assessed the risks, established priorities, or implemented controls for its HITECH Act requirement to provide for periodic audits of covered entities and business associates to ensure HITECH and HIPAA. Therefore, the OIG had limited assurance that covered entities and business associates adequately protected ePHI. Prior OIG audits have additionally summarized numerous vulnerabilities in selected covered entities’ systems and controls to protect ePHI.
OIG also plans to add medical device security in its Food and Drug Administration (FDA) oversight. It will “examine whether FDA’s oversight of hospitals’ networked medical devices is sufficient to effectively protect associated [ePHI] and ensure beneficiary safety.” Connected medical devices, including dialysis machines and radiology systems, can connect to EMRs and could therefore jeopardize the privacy and security of individuals’ PHI. The OIG noted that “such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications.”Subscribe to blog