OIG cites CMS for poor risk assessments

by A.J. Plunkett (aplunkett@decisionhealth.com)

Guess who just got dinged after an audit for not doing a risk assessment adequately? It was none other than The Centers for Medicare & Medicaid Services (CMS).

The Department of Health and Human Services’ Office of Inspector General (OIG) recently investigated The Centers for Medicare & Medicaid Services (CMS) to check whether the agency, which oversees patient safety at hundreds of U.S. hospitals, considers national security as part of its enterprise risk management (ERM) process.

“CMS’s ERM process did not consider national security risks for any of CMS’s programs in accordance with federal requirements,” says the OIG summary of its findings, released July 8.

And why did they fail? Because they relied on someone else to do the job.

“CMS lacked policies and procedures that required its programs to consider national security threats because it relied on HHS’s ERM process. As a result, CMS was unable to ensure that it had implemented effective controls to protect against threats from foreign and domestic adversaries,” said the summary.

And yes, CMS had to respond to the OIG’s findings and create a plan of correction.

OIG recommended that “CMS, as part of its ERM program, implement a process to assess all of its programs for national security risks in accordance with OMB Circular No. A-123’s requirement to include new or emerging risks in the risk profile.”

“In written comments to our draft report, CMS concurred with our recommendation. CMS also stated that it currently participates in the HHS enterprise risk management process, is in the early stages of establishing an agency enterprise risk management program, and it will consider how to assess national security risks across its programs.”

You can read the full 11-page OIG report online here.

If, you know, your risk assessments are up-to-date and you don’t have anything better to do.