HHS privacy and security guidance fails to meet federal guidelines, says GAO

It also neglects to cover all the elements from the NIST Cybersecurity Framework, according to the new report, which offers five suggestions for protecting electronic health information.
By Jessica Davis
11:35 AM

The Department of Health and Human Services' guidance on security and privacy requirements for protected health information and HIPAA compliance fails to meet federal guidelines, according to a U.S. Government Accountability Office report released Monday.

Further, the HHS guidance neglects to cover all elements from the National Institute of Standards and Technology's Cybersecurity Framework, according to GAO, which noted that, as a result, electronic health record data is left vulnerable.

Healthcare organizations struggle with data security, GAO said, which is problematic, given that HIPAA requires them to routinely evaluate technical and non-technical privacy controls.

And although HHS requires covered entities to perform risk assessments and develop risk responses, its guidance does not address how organizations should tailor these key security controls to their own environments, according to the report.

"HHS has primary responsibility for setting standards for protecting electronic health information and for enforcing compliance with these standards," according to the GAO report. "Without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise."


In response, GAO noted, HHS officials said "they intended their guidance to be minimally prescriptive to allow flexible implementation by a wide variety of covered entities."

While HHS has a compliance oversight program for privacy and security, it often did not fully verify that regulations had been implemented, and it also failed to help organizations correct their security practices, the report explained.

"For some of its investigations it provided technical assistance that was not pertinent to identified problems, and in other cases it didn't always follow up to ensure agreed-upon corrective actions were taken once investigative cases were closed," the authors said.

To address and improve these issues, GAO made five recommendations to HHS:

  • Update EHR guidance to address implementation of NIST's Cybersecurity Framework controls;
  • Update technical assistance for healthcare organizations;
  • Revise the enforcement program to include following up with investigated entities;
  • Establish performance measures;
  • Create procedures to share audit and investigation results with HIPAA.

HHS agreed with three of the five recommendations, according to the report, and neither agreed nor disagreed with the other two.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com