HHS security, privacy guidance said to fall short of fed guidelines
Guidance from the Department of Health and Human Services on how to comply with HIPAA requirements on security and privacy of protected health information falls short of federal guidelines, leaving electronic health records and data vulnerable.
That’s the conclusion of a new Government Accountability Office report, which finds that HHS’s guidance does not address all of the elements provided in the Cybersecurity Framework developed by the National Institute of Standards and Technology.
Specifically, the GAO says HHS falls short in informing how covered entities should tailor their implementations of key security controls, including the development of risk responses.
HIPAA requirements dictate that covered entities perform a periodic technical and non-technical evaluation of controls. But, as GAO points out, organizations have struggled to select appropriate security and privacy controls.
In addition, the report notes that the HIPAA Security Rule requires covered entities to perform risk assessments and develop risk management plans, which are among the most challenging aspects for covered entities to implement.
“Without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise,” state auditors.
According to GAO, HHS officials indicated that they “intended their guidance to be minimally prescriptive to allow flexible implementation by a wide variety of covered entities.” However, the report contends that “until these entities address all the elements of the NIST Cybersecurity Framework, their EHR systems and data are likely to remain unnecessarily exposed to security threats.”
At the same time, while the HHS Office of Civil Rights has established an audit program for covered entities’ security and privacy programs, the report finds that OCR is falling short.
“For some of its investigations, it provided technical assistance that was not pertinent to identified problems, and in other cases, it did not always follow up to ensure that agreed-upon corrective actions were taken once investigative cases were closed,” charges the GAO. “Further, the office has not yet established benchmarks to assess the effectiveness of its audit program. These weaknesses result in less assurance that loss or misuse of health information is being adequately addressed.”
To address all these shortcomings, GAO made five recommendations:
- Update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the NIST Cybersecurity Framework;
- Update technical assistance that is provided to covered entities and business associates to address technical security concerns;
- Revise the current enforcement program to include following up on the implementation of corrective actions;
- Establish performance measures for the OCR audit program; and
- Create and implement policies and procedures for sharing the results of investigations and audits between OCR and CMS to help ensure that covered entities and business associates are in compliance with HIPAA and the HITECH Act.
In response to the report, HHS concurred with three of the GAO’s five recommendations and stated it would take actions to implement them. “The department did not agree or disagree with the remaining two recommendations but stated that it would consider taking actions to implement them as well,” according to GAO.