OIG Can Examine Cybersecurity and Internal Controls in Medicare Financial Management: Part VI

EDITOR’S NOTE: Edward Roche, in association with RACmonitor, is writing a series on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the sixth installment in this series.

Cybersecurity audits now are becoming an integral part of the internal control requirements in the Medicare Financial Management Manual (MFMM).

Under the Federal Managers’ Financial Integrity Act of 1982 (FMFIA) (P.L. 97-255), Section 113 of the Accounting and Auditing Act of 1950 (31 U.S.C.66a) will be changed so that “each executive agency … shall provide reasonable assurance that … (their) systems of internal accounting and administrative control fully comply” with guidelines established by the Director of the Office of Management and Budget “in consultation with the Comptroller General.” 

In the MFMM, Section 10.1.2, these requirements apply to all Centers for Medicare & Medicaid Services (CMS) contractors and healthcare providers because there is an article in their agreements with CMS “to cooperate … in the development of procedures permitting CMS to comply with FMFIA.” Also, the “Medicare Administrative Contractor (MAC) … Statements of Work” specify that “the contractor shall establish and maintain efficient and effective internal controls.” 

The essence of this burdensome and convoluted language is that all Medicare contractors are required to follow internal control procedures that are approved by CMS. These are specified in Chapter 7 of the MFMM, in which information and communications are listed as being one of the “five interrelated standards” for internal control (§10.2.3).

Cybersecurity Auditing

“CMS conducts … information technology (IT) audits … to provide reasonable assurance that contractors have developed and implemented internal controls,” this language goes on to read (§40). “Information technology (IT) audits … include network vulnerability assessment (and) security testing (NVA/ST), (including) OIG information technology (IT) controls” (§40¶2.1,3).

“All contractors are required to certify their system security compliance (and) …should write a few paragraphs to self-certify that their organization has successfully completed all required security activities, including the security self-assessment of their Medicare IT systems and associated software in accordance with the terms of their contract,” this passage continues (§20.1). “Access to significant computerized applications … (must be) appropriately authorized.”

The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) has clear authority to investigate and audit cybersecurity problems, even if this has not been an element of its responsibility in the past.

This is because HHS OIG has a broad mandate to prevent fraud and abuse, and to promote economy, efficiency, and effectiveness. For example, it has the authority to identify “systemic weaknesses giving rise to opportunities for fraud and abuse in HHS programs and operations.” Since much “systemic weakness” can come from the information systems that operate within every healthcare provider, this would include a look at cybersecurity.

The Office of Investigations (OI) is tasked with ensuring “that policies and procedures are followed effectively, and are functioning as intended.” (Ibid, §QJ.20) It also “coordinates the adoption of advanced digital forensic acquisition and examination and information security technologies to assist in the investigation …  of fraud and abuse.”

It appears that the OIG can audit to ensure that cybersecurity is sound. It also has the power to develop “standards governing the imposition of … exclusion.” Therefore, it is entirely reasonable that a healthcare provider involved with Medicare could be audited if its cybersecurity fell below the standards that are set in FMFIA and related statutes, and possibly excluded.

There was consideration given in the past to setting cybersecurity standards, and it was put to the side. However, with the recent wave of ransomware attacks and the exposure of other IT vulnerabilities, we might expect a more aggressive auditing effort in this area in the future.

We can expect much more audit risk in the future, and we will continue to discuss these new audits in future installments of this RACmonitor series.

Facebook
Twitter
LinkedIn

Edward M. Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.

Related Stories

HHS Under the Microscope

HHS Under the Microscope

While President-elect Trump’s pick for U.S. Department of Health and Human Services (HHS) Secretary, Robert F. Kennedy, Jr., put the agency in even international newspapers

Read More

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

Enhancing Outcomes with CDI-Coding-Quality Collaboration in Acute Care Hospitals

Enhancing Outcomes with CDI-Coding-Quality Collaboration in Acute Care Hospitals

Join Angela Comfort, DBA, MBA, RHIA, CDIP, CCS, CCS-P, as she presents effective strategies to strengthen collaboration between CDI, coding, and quality departments in acute care hospitals. Angela will also share guidance on implementing cross-departmental meetings, using shared KPIs, and engaging leadership to foster a culture of collaboration. Attendees will gain actionable tools to optimize documentation accuracy, elevate quality metrics, and drive a unified approach to healthcare goals, ultimately enhancing both patient outcomes and organizational performance.

November 21, 2024
Comprehensive Inpatient Clinical Documentation Integrity: From Foundations to Advanced Strategies

Comprehensive Outpatient Clinical Documentation Integrity: From Foundations to Advanced Strategies

Optimize your outpatient clinical documentation and gain comprehensive knowledge from foundational practices to advanced technologies, ensuring improved patient care and organizational and financial success. This webcast bundle provides a holistic approach to outpatient CDI, empowering you to implement best practices from the ground up and leverage advanced strategies for superior results. You will gain actionable insights to improve documentation quality, patient care, compliance, and financial outcomes.

September 5, 2024
Advanced Outpatient Clinical Documentation Integrity: Mastering Complex Narratives and Compliance

Advanced Outpatient Clinical Documentation Integrity: Mastering Complex Narratives and Compliance

Enhancing outpatient clinical documentation is crucial for maintaining accuracy, compliance, and proper reimbursement in today’s complex healthcare environment. This webcast, presented by industry expert Angela Comfort, DBA, RHIA, CDIP, CCS, CCS-P, will provide you with actionable strategies to tackle complex challenges in outpatient documentation. You’ll learn how to craft detailed clinical narratives, utilize advanced EHR features, and implement accurate risk adjustment and HCC coding. The session also covers essential regulatory updates to keep your documentation practices compliant. Join us to gain the tools you need to improve documentation quality, support better patient care, and ensure financial integrity.

September 12, 2024

Trending News

Featured Webcasts

Patient Notifications and Rights: What You Need to Know

Patient Notifications and Rights: What You Need to Know

Dr. Ronald Hirsch provides critical details on the new Medicare Appeal Process for Status Changes for patients whose status changes during their hospital stay. He also delves into other scenarios of hospital patients receiving custodial care or medically unnecessary services where patient notifications may be needed along with the processes necessary to ensure compliance with state and federal guidance.

December 5, 2024
Navigating the No Surprises Act & Price Transparency: Essential Insights for Compliance

Navigating the No Surprises Act & Price Transparency: Essential Insights for Compliance

Healthcare organizations face complex regulatory requirements under the No Surprises Act and Price Transparency rules. These policies mandate extensive fee disclosures across settings, and confusion is widespread—many hospitals remain unaware they must post every contracted rate. Non-compliance could lead to costly penalties, financial loss, and legal risks.  Join David M. Glaser Esq. as he shows you how to navigate these regulations effectively.

November 19, 2024
Post Operative Pain Blocks: Guidelines, Documentation, and Billing to Protect Your Facility

Post Operative Pain Blocks: Guidelines, Documentation, and Billing to Protect Your Facility

Protect your facility from unwanted audits! Join Becky Jacobsen, BSN, RN, MBS, CCS-P, CPC, CPEDC, CBCS, CEMC, and take a deep dive into both the CMS and AMA guidelines for reporting post operative pain blocks. You’ll learn how to determine if the nerve block is separately codable with real life examples for better understanding. Becky will also cover how to evaluate whether documentation supports medical necessity, offer recommendations for stronger documentation practices, and provide guidance on educating providers about documentation requirements. She’ll include a discussion of appropriate modifier and diagnosis coding assignment so that you can be confident that your billing of post operative pain blocks is fully supported and compliant.

October 24, 2024
The OIG Update: Targets and Tools to Stay in Compliance

The OIG Update: Targets and Tools to Stay in Compliance

During this RACmonitor webcast Dr. Ronald Hirsch spotlights the areas of the OIG’s Work Plan and the findings of their most recent audits that impact utilization review, case management, and audit staff. He also provides his common-sense interpretation of the prevailing regulations related to those target issues. You’ll walk away better equipped with strategies to put in place immediately to reduce your risk of paybacks, increased scrutiny, and criminal penalties.

September 19, 2024

Trending News

Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →