HHS Privacy and Security Guidance is not in Line with Federal Guidelines, says GAO

The Government Accountability Office (GAO) has released a damning report on the Department of Health and Human Services (HHS), criticizing its lack of oversight and privacy and security guidance for HIPAA covered entities.

The GAO determined that the privacy and security guidance issued by the HHS failed to meet federal guidelines and did not cover all of the elements of the Cybersecurity Framework issued by the National Institute of Standards and Technology (NIST).

The report explains that under the Health Insurance Portability and Accountability Act (HIPAA) the HHS is required to set standards for protecting healthcare data. The HHS developed the Privacy Rule and the Security Rule to ensure that healthcare organizations implement appropriate controls to keep ePHI secure. However, the lack of specific technical guidance in these HIPAA Rules – and in the privacy and security guidance already issued – is causing problems for many covered entities.

The report explains that many HIPAA covered entities struggle to implement the right security protections to keep the electronic protected health information (ePHI) of patients secure. The GAO report says more must be done by the HHS to help covered entities protect ePHI.

The guidance issued by the HHS has been written to allow “flexible implementation by a wide variety of covered entities.” However, the report says that without more detailed privacy and security guidance, covered entities may fail to implement the measures needed to protect ePHI. The lack of adequate guidance on technical privacy and security controls is leaving ePHI vulnerable to attack.

The GAO report also highlights problems with HHS oversight of the compliance efforts of HIPAA covered entities. The HHS does not always verify that regulations are implemented, and even when covered entities are investigated and non-compliance issues are discovered, the HHS does not always follow up on those cases to ensure that policies and procedures are updated.

Technical guidance issued to covered entities to correct minor compliance issues is also inadequate in many cases. The technical guidance issued often fails to cover the specific issues that investigations have discovered. The report also pointed out that it is not clear whether the enforcement activities of the HHS are effective.

The report details five recommendations for the HHS. The HHS concurred with three of the five recommendations and has agreed to adopt them; it neither agreed nor disagreed with the other two, which it will consider.

The recommendations are:

  • Update privacy and security guidance for HIPAA covered entities and their business associates, ensuring guidance addresses implementation of the NIST Cybersecurity Framework.
  • Update technical assistance to address technical security concerns.
  • Revise its enforcement program to ensure adequate follow-up confirming that corrective actions have been implemented.
  • Set performance measures for the HIPAA audit program.
  • Establish and implement policies and procedures to ensure the results of HIPAA investigations and audits are shared with the Centers for Medicare & Medicaid Services (CMS).

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news