OIG Report Takes Issue With Oversight of Security Controls for Electronic Health Records


HHS Office of Inspector General (OIG) recently released a report concluding that the entity responsible for overseeing the testing and certification process for electronic health records (EHRs) did not fully ensure that electronic patient information was secure and protected.

The Office of the National Coordinator for Health Information Technology (ONC) is the principal entity charged with coordination of efforts to implement and use health information technology and the electronic exchange of health information. ONC-approved organizations test and certify EHRs in accordance with federal security standards. Providers that attest to the “meaningful use” of EHRs receive incentive payments from CMS, but the EHRs must be tested and certified by one of the ONC-approved organizations. The goal of certification is to assure providers that the EHR has the appropriate security and protection for the providers to participate in the EHR Incentive Programs. However, the OIG study identified vulnerabilities with the EHR certification program that could undermine providers’ confidence that their patient health information is secure and protected.

OIG audited ONC’s procedures for oversight of the testing and certification bodies. OIG found that ONC’s oversight did not fully ensure that EHRs were secure and protected. OIG recommended that ONC require the testing and certification bodies to:

  1. Develop procedures to periodically evaluate whether certified EHRs continued to meet federal standards after initial certification; and
  2. Develop a training program to ensure personnel are competent to test and certify EHRs and to secure proprietary or sensitive EHR information.

OIG also recommended that ONC work with the National Institute of Standards and Technology (NIST) to strengthen EHR test procedure requirements, such as by addressing common security issues like password complexity and user privilege changes.

The OIG report is available here.

Reporter(s), Jennifer S. Lewin, Atlanta, + 1 404 572 3569, jlewin@kslaw.com

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:


King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.