On September 26, the Government Accountability Office (GAO) publicly released an August 26 report on cybersecurity and threats to electronic protected health information (ePHI) that was highly critical of the U.S. Department of Health and Human Services (HHS). According to the report, among other shortcomings, the guidance that HHS provides to healthcare providers doesn't adequately address all relevant privacy and security concerns.

As frequently discussed on this blog, HHS's Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. OCR received almost 18,000 complaints of HIPAA privacy and security violations in 2014. OCR conducts periodic HIPAA compliance audits and for the past several years has put out frequent press releases to notify the public of noteworthy HIPAA violations and settlements. The GAO report observed that there are no benchmarks to assess the effectiveness of OCR's audits, and its follow-up to ensure implementation of corrective actions is often lacking.

The report pointed out the lack of integration between HHS's guidance for HIPAA covered entities and the cybersecurity guidance issued by the National Institute of Standards and Technology (NIST), which includes key security controls. Also noted was the widespread failure by covered entities and their business associates to perform risk assessments and establish risk management plans, both of which HIPAA requires and both of which are frequently cited in OCR's public announcements of settlements.

The report recommended that HHS improve its guidance for protecting ePHI by incorporating the specific security control elements recommended by NIST, providing better technical assistance to covered entities, following up on corrective actions more diligently, and establishing metrics to determine the efficacy of its audit program.

The new report is a companion piece to a broader GAO report released last week that covered cyber incidents affecting federal government agencies.
For more articles and regular updates on legislative changes, regulatory developments and other news of interest to businesses, professionals and investors in the healthcare industry, please subscribe to Day Pitney's mailing lists.