HHS has work to do to safeguard electronic health information

Although the increased use of electronic health record (EHR) technology can improve health care quality, HHS must take steps to aid Health Insurance Portability and Accountability Act (HIPAA) covered entities (CEs) and business associates (BAs) to shore up vulnerabilities that could lead to security lapses. According to the Government Accountability Office (GAO), the department must guide organizations in tailoring implementation of key security controls identified by the National Institute of Standards and Technology (NIST) to their needs. It also recommended that the HHS Office for Civil Rights (OCR) update technical assistance provided to entities, follow up on the implementation of corrective actions, establish auditing benchmarks, and share with CMS information relevant to that agency’s oversight of the EHR incentive programs.

Sharing health information electronically is necessary to allow for the coordination of care across multiple settings, particularly when care is provided via new delivery systems, including accountable care organizations (ACOs). Unfortunately, the accessibility of electronic protected health information (ePHI) also makes it vulnerable to hackers and other actors. In 2015, the number of records compromised in breaches involving 500 or more individuals, as reported to the OCR, was greater than 113 million, more than at any time since the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, although the GAO did not distinguish between hacking and other types of incidents. Forty-five percent of breaches since 1994 involved lost or stolen equipment containing unencrypted information.

HHS guidance. HHS has published guidance to help CEs and BAs comply with the HIPAA Privacy, Security, and Breach Notification Rules and protect ePHI. HHS intended its guidance to be “minimally prescriptive” so that entities can adapt its recommendations to their businesses. However, the GAO opined that HHS needs to go further in aligning its guidance with the NIST’s Cybersecurity Framework, which is divided and subdivided into five security functions, 22 more specific categories, and 98 subcategories. It noted that the OCR’s NIST HIPAA Security Rule Toolkit (HSR Toolkit), geared toward larger entities, only fully addresses 19 of the 98 NIST subcategories. For example, although the OCR guidance addresses risk assessments, which are one of the largest problem areas facing CEs and BAs, it does not address penetration testing, which many cybersecurity experts view as crucial to a cybersecurity program.

OCR actions. The OCR has the authority to investigate potential violations of the HIPAA Privacy, Security, and Breach Notification Rules based on individual complaints, reports from entities, or its own initiative. After performing a “triage” process, it determines whether an investigation is merited. In some instances, rather than investigating, it provides technical assistance to organizations to aid them with compliance. In the vast majority of the 94 occurrences of technical assistance reviewed in 2015, the GAO determined that the assistance was appropriate. However, it noted that in 12 cases the OCR provided irrelevant information, such as assistance regarding postal security in an instance involving insecure passwords. HHS agreed that it must improve in this area.

The GAO also noted that, while the OCR generally ensured that corrective actions were taken before closing investigations, it failed to seek proof of such actions in 13 of 205 cases that the GAO reviewed. Although the agency monitors entities with which it has entered into a settlement agreement for three years, it does not typically do so outside of settlement agreements, citing resource constraints.

The GAO also criticized the OCR for failing to establish benchmarks or performance measures to assess the effectiveness of its auditing program, although the agency claims it will evaluate the results of its Phase 2 audit process “as they unfold.”

Finally, the GAO recommended that the OCR share the results of its HIPAA audits with CMS when it determines that CEs and BAs also participating in the EHR incentive programs have failed to perform risk assessments. Eligible professionals (EPs) participating in the meaningful use programs must attest that they have performed such assessments in order to receive incentives. If CMS received such information from the OCR, it could identify EPs ineligible for the incentives. HHS countered that breach report information is already available to CMS.

SOURCE: GAO Report, GAO-16-771, September 26, 2016.