The Department of Health and Human Services has failed to provide guidance on protecting the privacy and security of Medicare beneficiaries’ prescription drug use information when used for purposes other than direct clinical care, according to the Government Accountability Office.

The congressional watch dog agency says guidance from the HHS Office for Civil Rights was required under law to be issued by February 2010, but has been delayed “due to competing priorities for resources and internal reviews.”

The guidance is intended to aid in de-identifying personal health information. “Until the guidance is issued, increased risk exists that covered entities are not properly implementing the standards set forth by federal regulations for de-identifying protected health information,” according to a new GAO report.

The report also touches on OCR’s new HIPAA privacy and security compliance audit program. OCR has completed 20 initial pilot audits and plans 95 more during 2012, but has not established plans for continuing the program or expanding it from covered entities to business associates. “Without a plan for establishing an ongoing audit capability, OCR will have limited assurance that covered entities and business associates are complying with requirements for protecting the privacy and security of individuals’ protected health information.”

The GAO report is available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access