WHY OIG DID THIS REVIEW
“Prescription opioids continue to contribute to the opioid overdose epidemic. A prior OIG audit identified high volumes of opioid purchases in IHS communities. In addition, the prior OIG audit of two IHS hospitals determined that IHS did not have adequate information technology (IT) security controls to protect health information and patient safety. The audit also found significant differences in the way the two hospitals carried out their respective IT operations.”
“We conducted this audit to analyze and compare opioid prescribing and dispensing practices and IT operations at five other IHS hospitals…”
WHAT OIG FOUND
“The IHS hospitals we reviewed did not always follow the Indian Health Manual when prescribing and dispensing opioids. Specifically, through our patient record review, we found that hospitals did not always review the course of patient treatment and causes of pain within required timeframes, perform the required urine drug screenings within recommended time intervals, review patient health records before filling a prescription from a non-IHS provider, and maintain pain management documents to support that provider responsibilities had been performed. We also found that these IHS hospitals did not fully use the States’ prescription drug monitoring programs when prescribing or dispensing opioids.”
“IHS’s decentralized IT management structure led to vulnerabilities and weaknesses in implementing security controls at all five hospitals. IHS’s controls were not effective at preventing or detecting our penetration test cyberattacks. In addition, the hospitals implemented IT security controls to protect health information and patient safety differently. Inconsistencies in the delivery of cybersecurity services can lead to the same vulnerability being remediated at one hospital but being exploited at another hospital that did not remediate the vulnerability. As a result, IHS hospital operations and delivery of patient care could have been significantly affected.”
WHAT OIG RECOMMENDS AND IHS COMMENTS
“We recommend that IHS work with hospitals to ensure they follow the Indian Health Manual when prescribing and dispensing opioids. We also recommend that IHS consider centralizing its IT systems, services, and functions by conducting a cost-benefit analysis of adopting a cloud computing policy, including centralization of IT systems, services, and functions. We made other procedural recommendations, which are listed in the report. We provided more detailed information and specific recommendations to IHS so that it can address specific vulnerabilities that we identified.” Read the full 57-page report here.
Source: IHS Needs To Improve Oversight of Its Hospitals’ Opioid Prescribing and Dispensing Practices and Consider Centralizing Its Information Technology Functions – July 2019. OIG.
