As the Centers for Medicare and Medicaid Services (CMS) prepares to upgrade its computer systems and begins to award incentive payments to eligible meaningful users of electronic health records, the Office of the Inspector General is positioning itself for its monitoring responsibilities. Medicare and Medicaid information systems and data security falls under the oversight of the OIG, as outlined in its work plan for 2011.

The Centers for Medicare and Medicaid Services (CMS), the largest healthcare payer in the country providing services to approximately 100 million beneficiaries and benefits totaling approximately $800 billion a year, released its plan for upgrading its computer and data systems on Dec. 23. The OIG is charged with monitoring those upgrades and also with overseeing the government stimulus program that will disburse billions to healthcare providers across the country who show meaningful use of electronic health records.

Oversight as detailed in the OIG's 2011 work plan includes:

• Health information technology system enhancements - Review of health information technology enhancements to CMS systems to ensure that they include standards adopted by the Department of Health and Human Services and that adequate information technology security controls are in place to protect sensitive EHR and personal information.
• Breaches and medical identity theft involving Medicare identification numbers - Review CMS policies and procedures on breaches and medical identity theft. The Recovery Act requires covered entities, including health plans such as Medicare, to notify individuals whose unsecured protected health information has been or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach.
• Medicare and Medicaid health information data privacy - Review Medicare and Medicaid program providers' implementation of the Privacy Rule standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The standards address use and disclosure of individuals' Protected Health Information (PHI) by covered entities, which include Medicare and Medicaid providers.
• Use of smart card technology to reduce TANF (temporary assistance for needy families) payment errors - Determine whether states have adopted or are contemplating adoption of smart card technology in their TANF programs. Smart cards can validate the identity of TANF recipients and ensure that payments are allowed only for authorized items. This technology could greatly reduce fraud and abuse in the TANF program. OIG will survey a number of states to quantify the impact of using the technology.
• State Medicaid agencies' progress in implementing Medicaid Recovery Act incentives for electronic health records - OIG will review state Medicaid agencies' progress in implementing Medicaid incentive payments for EHRs. Estimates for CMS spending on incentive payments for Medicare and Medicaid programs is about $20 billion. OIG will review Medicaid incentive payments to providers and hospitals for adopting EHRs and CMS safeguards to prevent erroneous incentive payments.
• Medicare incentive payments for electronic health records - OIG will review Medicare incentive payments to eligible health care professionals and hospitals for adopting electronic health records and CMS safeguards to prevent erroneous incentive payments. Incentive payments are scheduled to begin in 2011 and continue through 2016, with payment reductions to healthcare professionals who fail to become meaningful users of EHRs beginning in 2015.
• Grant award system for health information technology funds - OIG will review general and application IT security controls for HRSA's grant system to ensure that adequate IT security controls are in place. We will assess whether HRSA's grant award system has sufficient processes in place to ensure that the confidentiality, integrity, and availability of sensitive data in transit and at rest are maintained. HRSA has $120 million in Recovery Act funding available for health IT systems and network grants to support EHR for health centers.
• Community health centers receiving health information technology funding - OIG will review general IT security controls in place for community health center systems funded by HRSA health IT grants to ensure that adequate health IT security controls are in place to protect sensitive EHR and personal information. HRSA will expend $120 million of $1.5 billion in Recovery Act funding for health IT systems and network grants to support EHR for community health centers. Almost 300 community health centers are expected to benefit from the funding.