CMS isn't the only government entity conducting audits for Meaningful Use

Thursday, April 23, 2015

Organizations attesting to Meaningful Use (MU) have come to accept the possibility of being selected for an MU audit by the Centers for Medicare & Medicaid Services (CMS). Some organizations have already experienced MU audits under the CMS EHR Incentive Payment Program, which covers both Medicare and Medicaid providers.

Now attesting organizations will have to deal with another three-letter agency: the OIG. The Office of Inspector General (OIG) recently indicated it will audit the electronic health record (EHR) security profile of organizations receiving CMS incentive funds.

Details regarding OIG's audit process are still unknown, as the agency has refused to share the scope or audit process publicly. It has gone as far as denying Freedom of Information Act requests, citing confidentiality as the reason for not disclosing details of the audit program. Purdue Healthcare Advisors was able to learn that the OIG audits conducted so far have been extremely technical in nature. They addressed 17 areas of interest, including:

  • EHR risk assessment & audit reports
  • EHR security plans
  • Organizational chart
  • Network documentation & diagrams
  • EHR websites & patient portals
  • Policies & procedures
  • System inventories
  • Tools used to conduct vulnerability scans
  • Central log and event reports
  • EHR system users
  • List of contractors supporting the EHR & network perimeter devices

What you need to know about the OIG audits is that they are more focused on EHR security than the CMS audits are. The auditors want to know more about your EHR vendor, which business associates have access to your EHR, and who provides your cloud services. OIG audits also tend to be on-site audits that incorporate interviews with key staff and last two to three weeks.

Once Purdue Healthcare Advisors (PHA) learns the OIG audit protocol, we will share it with our clients and partners. If you would like to discuss how your organization should prepare for an OIG audit, please email me.


George Bailey, MS, CISSP, GCIH, CHP, is an information technology security professional with more than 17 years of experience in network security, remote access, wireless security and incident response. Bailey serves as Senior Advisor – Security Services at Purdue Healthcare Advisors, where he oversees and implements security solutions for the healthcare


Writer: George Bailey, 765-494-7538, baileyga@purdue.edu

Tags: Health IT Security
