
GAO Report Looks at HHS’ Capability to Protect Health Data

October 3, 2016
by Rajiv Leventhal

The Government Accountability Office (GAO) has issued a report that calls into question the Department of Health and Human Services’ (HHS) guidance for protecting electronic health information.

The report to the U.S. Senate’s Committee on Health, Education, Labor, and Pensions, published in August but publicly released just last week, stated that while “HHS has established guidance for covered entities, such as health plans and care providers, for use in their efforts to comply with HIPAA requirements regarding the privacy and security of protected health information, it does not address all elements called for by other federal cybersecurity guidance.”

Specifically, GAO’s report read, “HHS's guidance does not address how covered entities should tailor their implementations of key security controls identified by the National Institute of Standards and Technology (NIST) to their specific needs. Such controls include developing risk responses, among others. Further, covered entities and business associates have been challenged to comply with HHS requirements for risk assessment and management. Without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise.”

As noted in this week’s Washington Debrief from the College of Healthcare Information Management Executives (CHIME), “Cybersecurity has been a bipartisan priority for lawmakers during the 114th Congress, but the GAO request sent by Senators Alexander and Murray was the first major indication of Congress’ intent to dig into healthcare cybersecurity.” The Debrief added, “The findings echoed one of the charges given to the HHS Cybersecurity Task Force created in Section 405 of the Cybersecurity Act of 2015, directing the group to recommend resources that are scalable across the industry to improve cyber readiness in healthcare.”

GAO noted that although HHS has established an oversight program for compliance with privacy and security regulations, actions did not always fully verify that the regulations were implemented. Specifically, HHS's Office of Civil Rights (OCR) investigates complaints of security or privacy violations, almost 18,000 of which were received in 2014. OCR also established an audit program for covered entities' security and privacy programs. However, GAO stated, “for some of its investigations it provided technical assistance that was not pertinent to identified problems, and in other cases it did not always follow up to ensure that agreed-upon corrective actions were taken once investigative cases were closed. Further, the office has not yet established benchmarks to assess the effectiveness of its audit program. These weaknesses result in less assurance that loss or misuse of health information is being adequately addressed.”

GAO said it conducted the study because while an electronic health record (EHR) can make relevant health information more readily available and usable for providers and patients, recent data breaches highlight the need to ensure the security and privacy of these records. Indeed, the agency pointed out the increase in reported healthcare breaches involving healthcare records of 500 or more individuals from 2009 (0) to 2015 (56). “HHS has primary responsibility for setting standards for protecting electronic health information and for enforcing compliance with these standards,” GAO said.

As such, GAO was asked to review the current health information cybersecurity infrastructure. The specific objectives were to (1) describe expected benefits of and cyber threats to electronic health information, (2) determine the extent to which HHS security and privacy guidance for EHRs is consistent with federal cybersecurity guidance, and (3) assess the extent to which HHS oversees these requirements. To address these objectives, GAO reviewed relevant reports, federal guidance, and HHS documentation and interviewed subject matter experts and agency officials.

In sum, GAO made five recommendations, including that HHS update its guidance for protecting electronic health information to address key security elements, improve the technical assistance it provides to covered entities, follow up on corrective actions, and establish metrics for gauging the effectiveness of its audit program. HHS generally concurred with the recommendations and stated it would take actions to implement them, the report concluded.
