Electronic Health Information: HHS Needs to Strengthen Security and Privacy Guidance and Oversight
Highlights
What GAO Found
The use of electronic health information can allow providers to share information more efficiently and give patients easier access to their health information, among other benefits. Nonetheless, systems storing and transmitting health information in electronic form are vulnerable to cyber-based threats. The resulting breaches, which involved over 113 million records in 2015, can have serious adverse impacts such as identity theft, fraud, and disruption of health care services. The number of reported hacking and information technology breaches affecting the health care records of 500 or more individuals has increased steadily in recent years, from 0 in 2009 to 56 in 2015 (see figure).
Figure: Number of Reported Hacking and Information Technology Breaches Affecting Health Care Records of 500 or More Individuals
The Department of Health and Human Services (HHS) has established guidance for covered entities, such as health plans and care providers, for use in their efforts to comply with HIPAA requirements regarding the privacy and security of protected health information, but it does not address all elements called for by other federal cybersecurity guidance. Specifically, HHS's guidance does not address how covered entities should tailor their implementations of key security controls identified by the National Institute of Standards and Technology to their specific needs. Such controls include developing risk responses, among others. Further, covered entities and business associates have been challenged to comply with HHS requirements for risk assessment and management. Without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise.
HHS has established an oversight program for compliance with privacy and security regulations, but its actions did not always fully verify that the regulations were implemented. Specifically, HHS's Office for Civil Rights investigates complaints of security or privacy violations, almost 18,000 of which were received in 2014. It has also established an audit program for covered entities' security and privacy programs. However, for some of its investigations it provided technical assistance that was not pertinent to the identified problems, and in other cases it did not follow up to ensure that agreed-upon corrective actions were taken once investigative cases were closed. Further, the office has not yet established benchmarks to assess the effectiveness of its audit program. These weaknesses provide less assurance that loss or misuse of health information is being adequately addressed.
Why GAO Did This Study
As a digital version of a patient's medical record or chart, an EHR can make pertinent health information more readily available and usable for providers and patients. However, recent data breaches highlight the need to ensure the security and privacy of these records. HHS has primary responsibility for setting standards for protecting electronic health information and for enforcing compliance with these standards.
GAO was asked to review the current health information cybersecurity infrastructure. The specific objectives were to (1) describe expected benefits of and cyber threats to electronic health information, (2) determine the extent to which HHS security and privacy guidance for EHRs is consistent with federal cybersecurity guidance, and (3) assess the extent to which HHS oversees these requirements. To address these objectives, GAO reviewed relevant reports, federal guidance, and HHS documentation and interviewed subject matter experts and agency officials.
Recommendations
GAO is making five recommendations, including that HHS update its guidance for protecting electronic health information to address key security elements, improve technical assistance it provides to covered entities, follow up on corrective actions, and establish metrics for gauging the effectiveness of its audit program. HHS generally concurred with the recommendations and stated it would take actions to implement them.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Health and Human Services | To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the National Institute of Standards and Technology Cybersecurity Framework. | The Department of Health and Human Services (HHS) concurred with and took actions to fully implement this recommendation. Specifically, HHS demonstrated in 2018 that its Office for Civil Rights (OCR) issued guidance for covered entities on specific topics which reference NIST guidelines and include suggestions for responding to an incident. HHS OCR also collaborated with other federal agencies to create a cybersecurity guide that recommended establishment of an evaluation mechanism to determine whether entities were applying the NIST Cybersecurity Framework. As a result, HHS OCR improved the alignment of its privacy and security guidance with NIST guidance and, by doing so, facilitated tailoring of security controls by covered entities and business associates according to NIST guidance. |
| Department of Health and Human Services | To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should update technical assistance that is provided to covered entities and business associates to address technical security concerns. | The Department of Health and Human Services (HHS) concurred with the recommendation and took action to fully implement it. In particular, in 2016, HHS began publication of a periodic cybersecurity newsletter that identifies emerging or prevalent issues and recommends ways in which entities can strengthen their cybersecurity posture, protect personal health information, and comply with relevant laws. As a result, HHS is able to provide more meaningful direction to covered entities and business associates on their technical and compliance-related security concerns. |
| Department of Health and Human Services | To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should revise the current enforcement program to include following up on the implementation of corrective actions. | The Department of Health and Human Services (HHS) neither concurred nor nonconcurred with the recommendation, but took action to fully implement it. In particular, in February 2020, the HHS Office for Civil Rights (OCR) issued documentation to its managers which stated that cases OCR is investigating should not close until it receives evidence that related corrective actions were implemented. In August 2021, OCR created an operating procedure, as well as a memo signed by its acting director, both of which included a requirement not to close investigative cases unless OCR receives evidence of corrective actions. As a result, HHS OCR is better able to determine that covered entities have taken the corrective actions needed to address security and privacy issues. |
| Department of Health and Human Services | To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should establish performance measures for the Office for Civil Rights (OCR) audit program. | The Department of Health and Human Services (HHS) concurred with this recommendation and took action to fully implement it. In particular, in December 2020, the HHS Office for Civil Rights (OCR) released a report which summarized the comprehensiveness and effectiveness of activities performed by each of the covered entities and business associates audited by OCR in 2016 and 2017. The assessment scores differentiated between entities found to be performing appropriate compliance activities and those needing remedial action to ensure appropriate safeguards are in place. OCR also supplied a comprehensive planned survey designed to provide detailed information on compliance-related improvements made by the entities under audit. As a result of these steps, OCR will be better able to understand the level of effectiveness of its audit program in assisting covered entities and business associates in achieving regulatory compliance. |
| Department of Health and Human Services | To improve the effectiveness of HHS guidance and oversight of privacy and security for health information, the Secretary of Health and Human Services should establish and implement policies and procedures for sharing the results of investigations and audits between OCR and the Centers for Medicare & Medicaid Services to help ensure that covered entities and business associates are in compliance with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act. | The Department of Health and Human Services (HHS) took actions to fully implement this recommendation. In 2018, the HHS Office for Civil Rights (OCR) determined that OCR should share information from its system of records on case investigations, which includes complaint details and subsequent investigation results, with CMS in cases where there is a violation or potential violation of the law. We found that this sharing is in accordance with language in the System of Records Notice (SORN) for the HHS case management system. HHS also reported that, as of late 2017, CMS directly received information on providers that failed to meet an audit measure for protection of electronic health information under the Health Information Technology for Economic and Clinical Health (HITECH) Act. As a result, CMS is more likely to be aware of compliance violations by entities when making eligibility decisions for its programs. |