Office of the Inspector General: Review of Seven Offices by Michael Erbschloe


Goal One: Fight Fraud, Waste, and Abuse

  • Identify, investigate, and take action when needed
  • Hold wrongdoers accountable and maximize recovery of public funds
  • Prevent and deter fraud, waste, and abuse

 

Goal Two: Promote Quality, Safety, and Value

  • Foster high quality of care
  • Promote public safety
  • Maximize value by improving efficiency and effectiveness

 

Goal Three: Secure the Future

  • Foster sound financial stewardship and reduction of improper payments
  • Support a high-performing health care system
  • Promote the secure and effective use of data and technology

 

Goal Four: Advance Excellence and Innovation

  • Recruit, retain, and empower a diverse workforce
  • Leverage leading-edge tools and technology
  • Promote leadership, vision, and expertise

 

 

Top 12 Management and Performance Challenges Facing HHS

1. Preventing and Treating Opioid Misuse

2. Ensuring Program Integrity in Medicare Fee-for-Service and Effective Administration of Medicare

3. Ensuring Program Integrity and Effective Administration of Medicaid

4. Ensuring Value and Integrity in Managed Care and Other Innovative Healthcare Payment and Service Delivery Models

5. Protecting the Health and Safety of Vulnerable Populations

6. Improving Financial and Administrative Management and Reducing Improper Payments

7. Protecting the Integrity of HHS Grants

8. Ensuring the Safety of Food, Drugs, and Medical Devices

9. Ensuring Quality and Integrity in Programs Serving American Indian/Alaska Native Populations

10. Protecting HHS Data, Systems, and Beneficiaries from Cybersecurity Threats

11. Ensuring that HHS Prescription Drug Programs Work as Intended

12. Ensuring Effective Preparation and Response to Public Health Emergencies

 

 

The OIG Work Plan sets forth various projects including OIG audits and evaluations that are underway or planned to be addressed during the fiscal year and beyond by OIG's Office of Audit Services and Office of Evaluation and Inspections. Projects listed in the Work Plan span the Department and include the Centers for Medicare & Medicaid Services (CMS), public health agencies such as the Centers for Disease Control and Prevention (CDC) and National Institutes of Health (NIH), and human resources agencies such as Administration for Children and Families (ACF) and the Administration on Community Living (ACL). OIG also plans work related to issues that cut across departmental programs, including State and local governments' use of Federal funds, as well as the functional areas of the Office of the Secretary of Health & Human Services (HHS). Some Work Plan items reflect work that is statutorily required.

 

OIG operates by providing independent and objective oversight that promotes economy, efficiency, and effectiveness in the programs and operations of HHS. OIG's program integrity and oversight activities adhere to professional standards established by the Government Accountability Office (GAO), Department of Justice (DOJ), and the Inspector General community. OIG carries out its mission to protect the integrity of HHS programs and the health and welfare of the people served by those programs through a nationwide network of audits, investigations, and evaluations, as well as outreach, compliance, and educational activities.

How We Plan Our Work

 

OIG assesses relative risks in HHS programs and operations to identify those areas most in need of attention and, accordingly, to set priorities for the sequence and proportion of resources to be allocated. Audits and evaluations may be cancelled based on OIG staff availability, changes in the environment, legislation that substantially affects the issue, or similar recent studies that provided definitive results. Reports are cancelled only after senior staff have reviewed and approved the cancellation. In evaluating potential projects to undertake, OIG considers a number of factors, including:

 

  • mandatory requirements for OIG reviews, as set forth in laws, regulations, or other directives;
  • requests made or concerns raised by Congress, HHS management, or the Office of Management and Budget;
  • top management and performance challenges facing HHS;
  • work performed by other oversight organizations (e.g., GAO);
  • management's actions to implement OIG recommendations from previous reviews; and
  • potential for positive impact.

 

 

 

The report entitled “The Food and Drug Administration's Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices” (Audit A-18-16-30530, 10-29-2018) reported the OIG findings and recommendations as follows:

 

We conducted this audit because OIG had identified ensuring the safety and effectiveness of medical devices and fostering a culture of cybersecurity as top management challenges for HHS. We also considered public and Congressional interest in medical device cybersecurity risks to patients and the Internet of Things. The Food and Drug Administration (FDA) is the HHS operating division responsible for assuring that legally marketed medical devices are safe and effective.

 

Our objective was to determine the effectiveness of FDA's plans and processes for timely communicating and addressing cybersecurity medical device compromises in the postmarket phase.

 

We focused this audit on FDA’s internal processes for addressing the cybersecurity of medical devices in the postmarket phase. To accomplish our objective, we reviewed FDA's policies, procedures, manuals, and guides; interviewed staff; and reviewed publicly available information on FDA's website. We also analyzed FDA's processes for receiving and evaluating information on medical device compromises. In addition, we tested the internal controls at FDA's Center for Devices and Radiological Health to determine whether they ensured an effective response to a medical device cybersecurity incident.

 

FDA had plans and processes for addressing certain medical device problems in the postmarket phase, but its plans and processes were deficient for addressing medical device cybersecurity compromises. Specifically, FDA's policies and procedures were insufficient for handling postmarket medical device cybersecurity events; FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices; and, in 2 of 19 district offices, FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cyber threats.

 

These weaknesses existed because, at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and to FDA's mission, as part of an enterprise risk management process. We shared our preliminary findings with FDA in advance of issuing our draft report. Before we issued our draft report, FDA implemented some of our recommendations. Accordingly, we kept our original findings in the report, but, in some instances, removed our recommendations.

 

We recommend that FDA do the following: (1) continually assess the cybersecurity risks to medical devices and update, as appropriate, its plans and strategies; (2) establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a “need to know”; (3) enter into a formal agreement with Federal agency partners, namely the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, establishing roles and responsibilities as well as the support those agencies will provide to further FDA's mission related to medical device cybersecurity; and (4) ensure the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats.

 

FDA agreed with our recommendations and said it had already implemented many of them during the audit and would continue working to implement the recommendations in the report. However, FDA disagreed with our conclusions that it had not assessed medical device cybersecurity at an enterprise or component level and that its preexisting policies and procedures were insufficient. We appreciate the efforts FDA has taken and plans to take in response to our findings and recommendations, but we maintain that our findings and recommendations are valid.

 

 

The HHS OIG, along with Federal and State law enforcement partners, participated in the largest ever prescription opioid law enforcement operation. The Appalachian Regional Prescription Opioid Surge Takedown resulted in charges against 60 individuals, including 53 medical professionals, for their alleged participation in the illegal prescribing and distributing of opioids and other dangerous narcotics and for healthcare fraud schemes. The charges involve over 350,000 prescriptions for controlled substances and over 32 million pills in West Virginia, Ohio, Kentucky, Alabama, and Tennessee. More than 24,000 patients in the region who received prescriptions from these medical professionals over the past 2 years are affected by the law enforcement activity. This effort demonstrates the positive impact the Medicare Fraud Strike Force is making in our communities.

 

The HHS OIG, with our law enforcement partners, announced in April 2019 our efforts in dismantling one of the largest healthcare fraud schemes ever investigated, in terms of amount billed to Medicare. Twenty-four defendants in 17 Federal districts were charged for allegedly participating in the scheme, in which fraudsters submitted over $1.7 billion in Medicare claims and were paid $900 million. In the alleged scheme, medical professionals working with fraudulent telemedicine companies received illegal kickbacks and bribes from medical equipment companies. In exchange, the medical equipment companies obtained prescriptions for medically unnecessary orthotic braces and used them to fraudulently bill Medicare. This enforcement action demonstrates the positive impact OIG is making to fight fraud and protect HHS programs and beneficiaries.

 

The Unaccompanied Alien Children program (UAC), operated by the Office of Refugee Resettlement (ORR) within the Administration for Children and Families (ACF), provides temporary housing, food, clothing, and other related services to unaccompanied minor children in its custody. In 2018, OIG announced that the agency would rapidly deploy multidisciplinary teams to conduct site visits at ORR-funded facilities nationwide to review the care and well-being of all children residing in these facilities, including the subset of children who were separated due to the zero-tolerance policy. As part of this body of work, OIG also reviewed HHS program data and interviewed HHS staff, officials, and senior leadership to understand how HHS identified and tracked separated children. In three weeks, more than 200 OIG staff completed multi-day site visits to 45 ORR-funded facilities across the country. A series of reports are being released as a result of the site visits.

 

The HHS OIG, along with our state and federal law enforcement partners, participated in the largest health care fraud takedown in history in June 2018. More than 600 defendants in 58 federal districts were charged with participating in fraud schemes involving about $2 billion in losses to Medicare and Medicaid. Since the last takedown, OIG also issued exclusion notices to 587 doctors, nurses, and other providers based on conduct related to opioid diversion and abuse. These enforcement actions protect Medicare and Medicaid and deter fraud -- sending a strong signal that theft from these taxpayer-funded programs will not be tolerated. The money taxpayers spend fighting fraud is an excellent investment: For every $1 spent on health care-related fraud and abuse investigations in the last 3 years, more than $4 has been recovered.