Using, Exchanging Health Data Securely a Challenge, Says OIG

The meaningful and secure exchange and use of electronic health data was one of several challenges facing the Department of Health and Human Services (HHS) that the Office of the Inspector General (OIG) highlighted in a recent report. The agency reviewed what it considered to be the top performance challenges for 2014, which was divided into 10 different sections.

Specifically for using and exchanging health data, the OIG said that significant challenges exist with respect to overseeing the EHR Incentive Programs, achieving interoperability of EHRs, and keeping sensitive health information secure.

However, the OIG said that progress is being made in terms of addressing the interoperability challenges.

“The Department has made great strides in developing a foundational health IT infrastructure by making inroads with EHR adoption, establishing privacy and security guidance and standards, and offering services to support health information exchanges (HIE) and interoperability,” explained the report. “As of September 2014, 95 percent of eligible hospitals and CAHs and 92 percent of physicians and other eligible professionals have registered to participate in the EHR Incentive Programs, amounting to more than 500,000 eligible professionals, eligible hospitals, and CAHs.”

Even so, more work needs to be done, according to the OIG. For example, guidance and technical assistance should be issued to address adoption, meaningful use, and interoperability barriers and program integrity safeguards. Moreover, healthcare privacy, security, and fraud prevention must remain a top priority for the Department, ONC, and CMS health IT efforts.

In terms of protecting sensitive health data, the OIG said more care needs to be taken. In its audits of hospitals and covered entities, the OIG said it identified numerous weaknesses that could lead to unauthorized access of patients PHI. This included inadequacies in access controls, patch management, encryption of data, and web site security vulnerabilities.

“Some of the beneficial characteristics of EHRs, including efficiency and ease of storage and access, may also make them tools for fraud,” the report said. “OIG work in examining fraud safeguards in EHRs found that protections designed to improve validity, accuracy, and integrity in EHRs were not being used to their full extent.”

Specifically, the report said that just one-quarter of hospitals have policies about the use of copy-paste. If used improperly, this feature could add documentation to a patient’s record to support a fraudulent bill for services that were never provided, according to the OIG. Moreover, deleting or disabling audit logs could make it more difficult to prevent and detect fraud. The OIG also highlighted the fact that CMS and its program integrity contractors have done little to update their practices to address EHR vulnerabilities.

“Given the magnitude of the investment in EHRs and other health IT programs, it will become increasingly important to demonstrate and measure the extent to which EHRs and health IT have actually achieved the Department’s goals, which include improved health care and lower costs,” the report stated.

The OIG continues to examine the accuracy of Medicare and Medicaid EHR incentive payments for stage one meaningful use, while also determining if Medicaid safeguards prevent improper payments. In the future, the agency might examine health IT interoperability across providers, across HHS, and between providers and patients. It could also be necessary to examine outcomes from health IT investments, the OIG said.