GAO: HHS Must Improve HIPAA Oversight, Cybersecurity Guidance

September 30, 2016

The Government Accountability Office (GAO) is the latest agency to slam HHS’ oversight of HIPAA in a report released September 26. The report was scathing in its criticism of HHS’ efforts to educate covered entities (CE) and business associates (BA), develop and uphold technical security guidelines, and enforce compliance.

Electronic protected health information (ePHI) is common but, as recent breaches have shown, it’s extremely vulnerable to a wide variety of cybersecurity threats, the report said. But as cyberthreats have evolved and ePHI has grown, HHS’ security guidance has stalled. HHS’ guidance does not address all of the elements covered by other federal cybersecurity guidance. Although HHS recommends that CEs and BAs follow the National Institute of Standards and Technology’s (NIST) cybersecurity framework, and in February released a NIST/HIPAA crosswalk tool, the GAO report faults the agency’s efforts to provide specific guidance on how CEs and BAs should tailor NIST standards to their needs.

Many recent high-profile HIPAA enforcement actions have hinged on the CE or BA’s failure to comply with risk analysis, management, and assessment requirements, but the GAO report shifts at least some of the blame to HHS for not providing comprehensive guidance.

HHS’ investigations of HIPAA violations also came under fire in the GAO report. HHS may provide technical assistance to a CE or BA in the course of an investigation, but that assistance is not always pertinent to the technical problems identified, the report said. And HHS often fails to ensure that agreed-upon corrective actions are actually taken.

The report also faulted the HIPAA audit program. HHS has not established benchmarks for the program, making it difficult to determine how effective it is.

Taken together, these gaps seriously undermine the security of ePHI, the report concludes. GAO recommends HHS take the following five actions:

  • Establish and implement policies and procedures for sharing the results of investigations and audits between the Office for Civil Rights (the HHS agency responsible for enforcing HIPAA) and CMS
  • Establish performance measures for the HIPAA audit program
  • Revise the current enforcement program to include following up on the implementation of corrective actions
  • Update security guidance to address implementation of NIST’s cybersecurity framework
  • Update technical assistance provided to CEs and BAs

HHS agreed with GAO’s recommendations, but no information on how, or when, it would take action is available.
