Earlier this week the Government Accountability Office (GAO) released a report critiquing the U.S. Department of Health and Human Services’ (HHS) oversight of and guidance related to health information security and privacy. (The report is available here.)

GAO cited the increasing incidence of hacking and other breaches, which affected over 113 million health records in 2015, as a key reason to ensure that HHS provides appropriate guidance to and oversight of covered entities and business associates. Hacking and other breaches may result in identity theft, fraud, disruption of health care services, and even national security threats.

GAO’s concerns fell into two primary categories: those related to HHS’s guidance to covered entities and business associates, and those related to oversight efforts.

HHS Security and Privacy Guidance:

The report noted that HHS’s security and privacy guidance does not fully address controls detailed in other federal guidance. In February 2014, in response to an Executive Order issued by the President, the National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity. The healthcare sector is part of the nation’s critical infrastructure, and HHS was designated as the agency to support voluntary adoption of the NIST Cybersecurity Framework by the health care and public health sectors. However, GAO noted, HHS’s privacy and security guidance does not address all of the elements detailed in the NIST Cybersecurity Framework. For example, while the Framework details 98 subcategories of specific security control elements, the HIPAA Security Rule (HSR) Toolkit developed by the HHS Office for Civil Rights (OCR) fully addresses only 19 of these subcategories. Other HHS guidance documents provide high-level advice but do not address specific Cybersecurity Framework controls or inform covered entities or business associates of how to tailor controls for their specific requirements.

HHS Security and Privacy Oversight:

GAO also expressed concerns about HHS’s oversight and enforcement of the Security and Privacy Rules. For example, HHS OCR receives thousands of complaints regarding potential violations each year. But due to the high volume, OCR opens investigations on very few, and only 7 percent of complaints result in a corrective action. About 89 percent of complaints are closed on intake or after OCR has provided technical assistance. GAO expressed concern that, in those cases where OCR provides “technical assistance” rather than opening an investigation, the technical assistance did not always address the specific issues that spurred the initial complaint. Additionally, when enforcement is undertaken and corrective actions are identified, HHS does not always ensure that covered entities and business associates correct all of the issues identified.

With respect to the audit program that OCR intends to implement this year, GAO expressed concern about whether the program will include performance measurement to assess the effectiveness of the audit program.

Finally, GAO noted that OCR and the Centers for Medicare & Medicaid Services (CMS) do not share the results of their privacy and security investigations. CMS oversees the meaningful use incentive program in part to ensure that providers implement privacy and security requirements such as risk assessment. Both CMS and OCR investigations or audits may review whether providers are complying with such requirements, but OCR and CMS do not share these findings with one another. GAO expressed concern that this lack of coordination could allow providers to collect incentive payments even if they are not complying with all requirements.

GAO Makes Five Recommendations:

As a result of its findings, GAO recommended that HHS take the following five steps to improve guidance and oversight in this area:

  1. Update security guidance to address implementation of controls contained in the NIST Cybersecurity Framework;
  2. Ensure that technical assistance provided to covered entities and business associates addresses technical security concerns;
  3. Ensure that enforcement actions include follow-up to determine whether corrective actions have been taken;
  4. Implement performance measures for the soon-to-be-implemented OCR audit program; and
  5. Ensure the sharing of audit and investigation results between OCR and CMS.

HHS concurred with the first, second, and fourth recommendations and indicated that it would implement them. However, HHS requested additional information regarding the concerns that GAO raised with respect to corrective action follow-up, and noted that it would consider having OCR and CMS engage in information sharing on those investigations or audits that relate to the electronic health record (EHR) incentive program.