GAO: HHS oversight flaws leave EHR data vulnerable

A report from the Government Accountability Office (GAO) harshly criticized HHS’s guidance on privacy and security for health information, saying it fails to meet cybersecurity standards of other federal agencies and provides advice to covered entities that doesn’t help prevent future data breaches.

Requested by U.S. Sen. Lamar Alexander, R-Tennessee, chairman of the Senate Health, Labor and Pension Committee, the report identified several shortcomings in HHS’s privacy and security guidance and its health IT infrastructure. In one example on how HIPAA guidance doesn’t match cybersecurity measures at other federal agencies, the GAO report said HHS doesn’t explain how “covered entities should tailor their implementations of key security controls” to their needs.

“Without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise,” the report said.

Unclear definitions were a common criticism in the report. The GAO quoted one private sector organization dedicated to HIPAA compliance and assessment that it was “difficult for organizations to know whether they had adequately addressed all the requirements.” The report noted risk assessments appeared to be challenging for covered entities, with 24 percent of HHS complaints and breaches involving questions about how organizations conducted risk analyses.

The oversight of those complaints and breaches is also a major problem, according to the report, saying HHS’s Office of Civil Rights (OCR) doesn’t follow through on investigations and isn’t sharing its enforcement data with other agencies.

“The office does not always ensure that identified issues are corrected and does not always issue appropriate guidance for cases resolved informally,” the report said. “Further, while the office has developed an audit function as an additional oversight function, as required under the HITECH Act, it is not yet fully operational and its effectiveness is not yet known. The office also has not demonstrated the effectiveness of its enforcement program over time or fully communicated or coordinated its enforcement results with [CMS]. Until HHS addresses these issues, it is likely missing opportunities to ensure compliance and to demonstrate the full effectiveness of its oversight program.”

What assistance OCR does provide to entities was also criticized, with the report saying what it offered in some cases “was not pertinent to identified problems.”

The numerous problem areas are troubling, according to the GAO, considering the spike in the number of large breaches, which affected more than 113 million health records in 2015.

To correct these shortcomings, the GAO report made the following recommendations:

  • Update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls, as described in the National Institute of Standards and Technology Cybersecurity Framework.
  • Update technical assistance for covered entities and business associates.
  • Change current enforcement program to include following up to ensure corrective actions have been implemented.
  • Create performance measures for OCR audit program.
  • Establish implement data-sharing policy with CMS.

HHS concurred with the report on the first four recommendations, saying it would “consider” data sharing coordination as outlined in the fifth recommendation.

Alexander encouraged HHS to follow through on those promises, saying to POLITICO it “needs to continue to implement the recommendations in this report as well as the new Cybersecurity Information Sharing Act, which requires the department to give hospitals and doctors clear information on the best ways to safeguard patients’ information, and also to require the agency to make it clear who is responsible for dealing with the rising cyber-attacks against the healthcare industry.”

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.