GAO: HHS oversight flaws leave EHR data vulnerable

A report from the Government Accountability Office (GAO) harshly criticized HHS’s guidance on privacy and security for health information, saying it fails to meet cybersecurity standards of other federal agencies and provides advice to covered entities that doesn’t help prevent future data breaches.

Requested by U.S. Sen. Lamar Alexander, R-Tennessee, chairman of the Senate Health, Labor and Pension Committee, the report identified several shortcomings in HHS’s privacy and security guidance and its health IT infrastructure. In one example on how HIPAA guidance doesn’t match cybersecurity measures at other federal agencies, the GAO report said HHS doesn’t explain how “covered entities should tailor their implementations of key security controls” to their needs.

“Without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise,” the report said.

Unclear definitions were a common criticism in the report. The GAO quoted one private-sector organization dedicated to HIPAA compliance and assessment as saying it was “difficult for organizations to know whether they had adequately addressed all the requirements.” The report noted that risk assessments appeared to be challenging for covered entities, with 24 percent of HHS complaints and breaches involving questions about how organizations conducted risk analyses.

The oversight of those complaints and breaches is also a major problem, according to the report, which says HHS’s Office of Civil Rights (OCR) doesn’t follow through on investigations and isn’t sharing its enforcement data with other agencies.

“The office does not always ensure that identified issues are corrected and does not always issue appropriate guidance for cases resolved informally,” the report said. “Further, while the office has developed an audit function as an additional oversight function, as required under the HITECH Act, it is not yet fully operational and its effectiveness is not yet known. The office also has not demonstrated the effectiveness of its enforcement program over time or fully communicated or coordinated its enforcement results with [CMS]. Until HHS addresses these issues, it is likely missing opportunities to ensure compliance and to demonstrate the full effectiveness of its oversight program.”

What assistance OCR does provide to entities was also criticized, with the report saying what it offered in some cases “was not pertinent to identified problems.”

The numerous problem areas are troubling, according to the GAO, considering the spike in the number of large breaches, which affected more than 113 million health records in 2015.

To correct these shortcomings, the GAO report made the following recommendations:

  • Update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls, as described in the National Institute of Standards and Technology Cybersecurity Framework.
  • Update technical assistance for covered entities and business associates.
  • Change the current enforcement program to include following up to ensure corrective actions have been implemented.
  • Create performance measures for the OCR audit program.
  • Establish and implement a data-sharing policy with CMS.

HHS concurred with the report on the first four recommendations, saying it would “consider” data sharing coordination as outlined in the fifth recommendation.

Alexander encouraged HHS to follow through on those promises, saying to POLITICO it “needs to continue to implement the recommendations in this report as well as the new Cybersecurity Information Sharing Act, which requires the department to give hospitals and doctors clear information on the best ways to safeguard patients’ information, and also to require the agency to make it clear who is responsible for dealing with the rising cyber-attacks against the healthcare industry.”