Health IT incentives on HHS IG’s radar screen

The auditor for the Health and Human Services Department will scrutinize a number of the department’s health information technology projects over the next 12 months, with a sharp eye toward programs funded by the stimulus law for the adoption of health IT.

The HHS Office of Inspector General will check plans by the Centers for Medicare and Medicaid Services for financial oversight of the incentives and reporting mechanisms CMS will use to determine if providers meet meaningful use requirements.

The stimulus provides financial incentives through the Medicare and Medicaid programs to encourage physicians, hospitals and health clinics to adopt and be meaningful users of certified electronic health record systems (EHRs).

Medicare will spend $18 billion and Medicaid $12 billion for incentives from 2011 to 2016, according to the IG, citing Congressional Budget Office estimates. The IG will review incentive payment data to identify erroneous payments beginning in 2011.

“If errors are identified, we will also assess CMS’s actions to remedy incentive payments made in error and its plans for securing these payments for the duration of the incentive program,” according to the IG plan.

In addition to financial oversight, information security will be a high priority for the IG. CMS must modify its computer systems to manage the health IT requirements under the stimulus. The IG will review CMS system upgrades to make sure they include health IT standards that HHS has adopted and that adequate system information security are in place to protect sensitive health information. 

The Office of the National Health IT Coordinator has recommended health IT standards for the exchange of health information to the HHS secretary. The auditor will review the national health IT coordinator’s use of federal advisory panels to come up with those standards and whether IT security controls have been incorporated, the plan said. HHS will publish a rule by Dec. 31 that details an initial set of standards.

States that receive grants to establish health information exchanges must also assure that security controls are in place to safeguard sensitive health information. The IG will use its body of work in Medicaid reviews of 24 states to “identify higher risk states, assess state plans, and determine the adequacy of their security controls,” the plan said.

Among other HHS agencies, the Health Resources and Services Administration (HRSA) has announced $125 million in grants from the stimulus to help fund health IT in community health centers. In addition to evaluating HRSA’s oversight of the grants, the auditor will review that IT security safeguards are in place in the agency’s grant award system and generally in place for community health center systems.

The plan is online.