
Management Issue 9: Integrity of Information Technology Systems and Infrastructure

Management Challenge:

In 2001, the President identified the development and implementation of an “interoperable health information technology infrastructure” as a key initiative. To facilitate this, in April 2004, the President issued Executive Order 13335, which established the position of the National Health Information Technology Coordinator (ONC) and outlined incentives for the use of health information technology (health IT). According to the order, “[t]he National Coordinator shall, to the extent permitted by law, develop, maintain, and direct the implementation of a strategic plan to guide the nationwide implementation of interoperable health information technology in both the public and private health care sectors that will reduce medical errors, improve quality, and produce greater value for health care expenditures.”

Medicaid Health Information Technology

In a 2007 report on State Medicaid agencies’ initiatives on health IT and health information exchange (HIE), OIG found that almost a quarter of State Medicaid agencies have implemented health IT initiatives, and over three quarters of States are developing similar health IT initiatives. Additionally, a number of Medicaid agencies are involved in the planning of statewide HIE networks and are incorporating the Medicaid Information Technology Architecture (MITA) into their health IT and HIE planning. Based on these findings, OIG recommended that CMS continue to support the goals of MITA to help facilitate future State Medicaid health IT and HIE initiatives. OIG also recommended that CMS, in collaboration with other Federal agencies and offices, assist State Medicaid agencies with developing privacy and security policies as well as continue to work with the ONC for health IT to ensure that State Medicaid initiatives are consistent with national goals.

Medicare Health Information Technology

Additionally, there remains a need to ensure adherence to general controls. OIG’s work indicates that Medicare payment errors result more often from people entering incorrect information than from computer system or programming errors. For example, over the 7 years during which OIG produced the Medicare fee-for-service error rate, the overwhelming majority (more than 95 percent) of the improper payments identified were detected through medical reviews; when these claims were submitted for payment to Medicare contractors, they contained no visible errors. This clearly presents a challenge: implementing controls that ensure progressive improvement in data integrity.

Security and Privacy Issues

The recent expansion of HHS programs, such as the new Medicare Part D benefit, significantly increases the programmatic and system demands on the Department and creates new relationships or expands existing relationships with business partners. In turn, these new or expanded relationships create the potential for new system security exposures that have to be evaluated and, if need be, mitigated to ensure the confidentiality, integrity, and availability of critical assets. As part of the HHS responsibility to protect critical data assets and to ensure the privacy of our citizens, the Department oversees and endorses the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which specifies a series of administrative, technical, and physical security procedures for covered entities to use to ensure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.

The development and expansion of Department IT systems brings new focus to additional areas of risk. For instance, over the past several years, the importance of protecting personal data has become much more visible, as illustrated by media attention to personal data lost by accounting firms, credit bureaus, universities, and insurance companies, and most recently, the serious loss of data by Federal agencies. OMB has recently reemphasized Federal agency responsibilities under the law and policies to appropriately safeguard sensitive, personally identifiable information and train Federal employees regarding their responsibilities in this area. The OIG Federal Information Security Management Act assessments also found that many identified security weaknesses are attributed to either an absence of a process to protect resources or a failure to comply with an already established process.

OIG has also identified that the human factor is a critical component of an effective security program and may be overlooked in the development of technical solutions to address weaknesses in entity-wide security, access controls, service continuity, application controls and development, and segregation of duties.

Therefore, OIG continues its efforts to monitor HHS oversight of its vital IT systems to ensure that all necessary technical and policy measures are being taken to protect sensitive information, the systems that store that information, and the physical or electronic transport of that information. Through planned work, OIG will place new emphasis on controls designed to ensure the protection of personal data. OIG will also continue to review the controls that are designed to ensure the integrity of data for numerous vital programs on which critical systems depend for the accurate payment of billions of dollars through the Department’s many programs. OIG will also review CMS’s activities related to the enforcement of the HIPAA Security Rule. The review will focus on an internal control assessment at CMS headquarters as well as include vulnerability assessments at a sample of covered entities.

Assessment of Progress in Addressing the Challenge:

HHS has made progress in the security of the Department’s most critical and essential assets, both physical and cyber based, such as laboratories, computer systems, and data communication networks. The Secure One HHS project, begun in FY 2003 and supported through a multiyear contract, was initiated by the Department to improve IT security from the top down by providing security policy, procedures, and guidance to HHS agencies. The goals of this project are to improve the overall security of the Department’s IT operations, ensure adequate departmentwide security standards, support integration of IT security practices into all phases of HHS operations, and promote an environment in which employee actions reflect the importance of IT security.

On August 8, 2006, the Department issued final regulations (71 FR 45110) that establish new exceptions under the physician self-referral law and new safe harbors under the anti-kickback statute involving the donation of certain electronic health IT and services. The final rules seek to lower perceived barriers to the adoption of health IT through exceptions and safe harbors that promote the adoption of electronic prescribing technology and interoperable electronic health record systems while safeguarding the Federal programs and beneficiaries against undue risks of fraud and abuse. As required by the MMA, the first exception and safe harbor establish the conditions under which hospitals and certain other health care entities may donate to physicians and certain other recipients hardware, software, or IT and training services necessary and used solely for e-prescribing. The second exception and safe harbor establish conditions under which certain entities may donate to physicians and certain other recipients interoperable electronic health records software, IT, and training services.
