By Nicole D. Prysby, J.D.
An OIG report studied opioid prescribing and dispensing and information technology (IT) security at five IHS hospitals. The study concluded that the hospitals are not consistently following required practices related to opioids and have security vulnerabilities due to their decentralized IT structure.
The Office of the Inspector General (OIG) at HHS has released a report in which it concludes that Indian Health Service (IHS) hospitals are not consistently following the Indian Health Manual (IHM) when prescribing and dispensing opioids. The report also reviewed information technology (IT) security practices at IHS hospitals and found that IHS’s decentralized IT management structure led to vulnerabilities in implementing security controls at the hospitals in the study (OIG Report, No. A-18-17-11400, July 2019).
The OIG performed the review at five hospitals in Arizona, Minnesota, New Mexico, North Dakota, and Oklahoma. Through patient record review, the investigators found that hospitals did not always review the course of patient treatment and causes of pain within required timeframes; perform the required urine drug screenings within recommended time intervals; review patient health records before filling a prescription from a non-IHS provider; and maintain pain management documents to support that the provider had performed his responsibilities. They also found that IHS hospitals did not fully use the States’ prescription drug monitoring programs when prescribing or dispensing opioids, did not always ensure opioids were physically secure before the prescribing or dispensing of opioids, and did not always use available data to identify risks in their prescribing and dispensing practices. The hospitals’ noncompliance with IHS policies and procedures increased the risk of opioid abuse, misuse, and overdose.
IT concerns. The OIG also found issues with IHS’s decentralized IT management structure. IHS operates separate mini-networks at each of its 25 hospitals and the security controls were not effective at preventing or detecting penetration test cyberattacks. In addition, the hospitals implemented IT security controls to protect health information and patient safety differently. Inconsistencies in the delivery of cybersecurity services could have led to the same vulnerability being remediated at one hospital but being exploited at another hospital that did not remediate the vulnerability. As a result, IHS hospital operations and delivery of patient care could have been significantly affected.
Recommendations. The OIG’s recommendations include modifications to the IHM, creation of additional policies (such as tracking all opioids prescribed at the hospital, including those being filled at an outside pharmacy), oversight of compliance with new and existing policies, and increased oversight and centralization of IT systems (for example, by determining whether cloud solutions would better address persistent cybersecurity vulnerabilities). IHS concurred with the recommendations and described actions that it had taken or plans to take to implement them.
MainStory: TopStory OIGReports ControlledNews DrugBiologicNews PrescriptionDrugNews SafetyNews
Interested in submitting an article?
Submit your information to us today!Learn More
Health Law Daily: Breaking legal news at your fingertips
Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on health legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.