On January 31, 2014, the U.S. Department of Health & Human Services Office of Inspector General (OIG) released its “Work Plan for Fiscal Year 2014,” which summarizes OIG’s planned reviews and outlines OIG’s focus areas.

In the Work Plan, OIG explained that in fiscal year 2014 it will conduct (and has already started, in some cases) audits in a number of areas relating to the Electronic Health Record (EHR) Incentive Program.  OIG stated that it planned to review:

  • Medicare and Medicaid EHR incentive payments to health care professionals and hospitals.
  • Medicaid payments for costs associated with a State’s adoption of EHR technology (which receives a 90 percent federal match as an administrative expense).
  • The Centers for Medicare & Medicaid Services’ (CMS) oversight of EHR incentive payments, including whether actions are taken to remedy erroneous payments.

OIG also stated that it planned to audit covered entities receiving EHR incentive payments and their business associates to determine if they were adequately protecting electronic health information, which is a Stage 1 meaningful use objective in the EHR Incentive Program, see 42 C.F.R. § 495.6(d)(15), (f)(14).  OIG mentioned audits of EHR cloud service providers specifically.  It views audits of these particular business associates as “necessary to assure compliance with regulatory requirements and contractual agreements.”