The Office of Inspector General’s (OIG) 2016 Work Plan, released November 3, 2015, calls for increased scrutiny of the protection of electronic protected health information (“ePHI”) on “networked medical devices.” The OIG also indicated its plan to determine the “extent to which hospitals comply with contingency planning requirements of the Health Insurance Portability and Accountability Act (HIPAA)” in their use of electronic health records (“EHR”) systems. Taken together, these items signal a heightened focus on the HIPAA Security Rule, which sets out the administrative, physical and technical safeguards required for ePHI (45 CFR Part 160 and Subparts A and C of Part 164).
The OIG specifically indicated that it will examine whether the U.S. Food and Drug Administration (“FDA”) is providing sufficient oversight of “networked medical devices” in hospitals. With this statement of priorities for 2016, the OIG has affirmed that the proliferation of devices, with their ability to store health information, creates real risks to the privacy and security of ePHI. Although the list of devices that store and transmit ePHI is vast and growing rapidly, the OIG specifically mentioned “dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network.” The OIG also recognized that these devices may create risks, whether they are wired or wireless.
The OIG also stated, “Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device.” By highlighting the MDS2 forms, the OIG has effectively signaled that HIPAA-covered entities using networked medical devices should obtain the disclosure statements for those devices and document how they were taken into account in the entity’s HIPAA security risk assessment and overall HIPAA compliance plan.
Although it was not mentioned in the 2016 Work Plan, anyone using networked medical devices should bear in mind that improper disposal of such devices carries significant HIPAA risks. Specifically, for any of these devices that store ePHI locally, there is a risk of a HIPAA violation if the device is not stripped of all ePHI or otherwise destroyed prior to disposal. Indeed, in 2013, Affinity Health Plan Inc. entered a $1.2 million settlement agreement with the U.S. Department of Health and Human Services for returning multiple photocopiers to a leasing agent without first erasing the data contained on the hard drives of the copiers.
Full post: OIG Lists Cybersecurity of Medical Devices and HIPAA Among its Priorities for 2016