In 2015 Work Plan, OIG Targets HIPAA Compliance

Each year, the U.S. Department of Health and Human Services Office of Inspector General (OIG) releases a Work Plan that informs the public of the audits, evaluations, and other legal and investigative activities that the agency plans to pursue during the current fiscal year. In its 2015 Work Plan, released on October 31, 2014, OIG explained that much of the agency's ongoing work will continue, including focusing on emerging payment, eligibility, management, and information technology systems security issues in Affordable Care Act programs, such as the health insurance marketplace. Of particular note to a wide range of providers, the Work Plan also explains how the agency will focus on key areas of HIPAA compliance.

HIPAA Compliance

OIG highlighted several areas of HIPAA compliance for special focus in the current year. OIG will, for the first time, review hospital policies and plans to determine the extent to which hospitals comply with contingency planning requirements. The HIPAA Security Rule requires covered entities to have contingency plans that establish policies and procedures for responding to emergencies or other occurrences that damage systems containing protected health information. The agency says that it will compare hospital plans to government and industry-related practices. OIG’s planned review of hospital contingency plans serves as a reminder to all health care providers to review their contingency plans to ensure compliance with the HIPAA Security Rule.

OIG also intends to investigate health care professionals’ and providers’ implementation of EHR technology under the meaningful use program to prevent erroneous incentive payments. Although the full extent of OIG’s review is unknown, it will likely include review of providers’ EHR systems and policies to ensure compliance with meaningful use requirements. EHR security is another area of focus, with OIG planning to closely investigate the security of certified EHR technology. Providers subject to an audit of their EHR systems can expect OIG to review relationships with business associates, in particular EHR cloud service providers, to determine whether adequate systems and policies are in place to protect electronic health information created or maintained by certified EHR technology. Audits will be performed of such “downstream” service providers to ensure compliance with contractual agreements (such as business associate agreements) and regulatory standards.

OIG’s focus on EHR security and the security of service providers serves as a reminder for every health care provider to review security measures, protocols and relationships with third-party vendors. Providers need to be especially careful to ensure that business associate agreements are in place with service providers, that such agreements are in accord with HIPAA security standards, and that the terms of agreements are being followed. Covered entity performance of ongoing security audits is also needed to demonstrate compliance, as electronic security of protected health information is likely to remain a strong focus for OIG in the years ahead.

Other Focus Areas

Some of OIG’s other key objectives for 2015 include the following:

  • Hospitals: As mentioned in previous work plans, OIG will continue to focus on hospital oversight. OIG is particularly interested in reviewing billing and payment tactics as well as quality of care issues. OIG will use audits, investigations, and inspections to identify areas at risk for noncompliance with Medicare billing requirements. OIG remains focused on discrepancies between inpatient versus outpatient payments, the “two midnight rule” for inpatient admissions, and cardiac catheterizations.
  • Hospice: OIG is concerned with reducing potential waste in hospice care, focusing on the extent to which hospices serve Medicare beneficiaries who reside in assisted living facilities. For those beneficiaries, OIG plans to record the length of stay, levels of care received, and common terminal illnesses. OIG is also concerned with the use of hospice general inpatient care and will review hospice medical records to address concerns that general inpatient care is perceived as misused and to review for quality measures.
  • Laboratories: OIG is currently applying heightened scrutiny to technical billing and payment compliance, particularly by specialty laboratories. OIG will perform audits, investigations, and inspections to determine whether clinical laboratories are at risk for noncompliance with Medicare billing requirements.
  • Freestanding Clinic Providers: As in previous years, OIG will continue to audit provider-based services and freestanding clinic payments to determine the difference in payments made to the clinics for similar procedures. While no payment changes are yet planned, OIG will continue to assess the potential impact of hospitals' claiming Medicare provider-based status for such facilities. OIG’s long-term objective is to reduce the disparity of payments based on the site of service.

The above is a sampling of the dozens of focus areas in OIG’s 2015 Work Plan. The full Work Plan is available at Should you or your organization have any questions about the compliance areas identified in the Work Plan, please contact Peter Mellette ( or Harrison Gibbs (, or call Mellette PC at (757) 259-9200.

This Client Advisory is for general educational purposes only. It is not intended to provide legal advice specific to any situation you may have. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice.