Kusserow on Compliance: GAO lambasts HHS/OCR failure to protect EHR security

The General Accountability Office (GAO) reported a 13-fold increase in reported cyber-attacks on federal government agencies between 2006 and 2015, rising to more than 77,000 last year. It attributed this increase to failures by HHS and its Office for Civil Rights (OCR), which has primary responsibility for setting standards for protecting Electronic Health Records (EHR) and for enforcing compliance with those standards, but which has failed to address what other federal cyber-security guidance calls for under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) for health plans and care providers. GAO reported that over 113 million health records were breached in 2015 alone, meaning that more than half the U.S. population has had their medical records breached. Of those, just 221 breaches, or 13.3%, were attributed to some form of hacking incident, but many of those hacks were whoppers, accounting for 126 million records, or 75%, of the records exposed. These breaches can have serious adverse impacts such as identity theft, fraud, and disruption of health care services.

Although EHR permits providers to share information more efficiently and gives patients easier access to their health information, that information must be protected. The systems for storing and transmitting it in electronic form continue to be vulnerable to cyber-based threats. GAO cited the following examples of failures:

  • Failure to address how covered entities should tailor their implementations of key security controls identified by the National Institute of Standards and Technology to their specific needs, such as developing risk responses.
  • Covered entities and business associates must comply with HHS requirements for risk assessment and management, but without more comprehensive guidance, they may not be adequately protecting electronic health information from compromise.
  • Although HHS has established an oversight program for compliance with privacy and security regulations, it has not always fully verified that the regulations were implemented.
  • OCR has failed to establish benchmarks to assess the effectiveness of its audit program, which results in less assurance that loss or misuse of health information is being adequately addressed.
  • In some of OCR’s investigations, the technical assistance it provided was not pertinent to the identified problems, and in other cases it did not always follow up to ensure that agreed-upon corrective actions were taken once investigative cases were closed.

GAO made five recommendations, including that HHS update its guidance for protecting electronic health information to address key security elements, improve technical assistance it provides to covered entities, follow up on corrective actions, and establish metrics for gauging the effectiveness of its audit program. HHS generally concurred with the recommendations and stated it would take actions to implement them.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2016 Strategic Management Services, LLC. Published with permission.