
HHS Criticized by GAO for ePHI Security Guidance and CE Oversight

The Government Accountability Office (GAO) has slammed the Department of Health and Human Services (HHS) for its lack of oversight of HIPAA covered entities and the guidance for covered entities on security controls to implement to keep electronic protected health information (ePHI) secure.

A GAO study of the current health information cybersecurity infrastructure was requested by Sen. Lamar Alexander (R-Tenn.), Chairman of the U.S. Senate Committee on Health, Education, Labor and Pensions, and the committee’s ranking member, Sen. Patty Murray (D-Wash.).

GAO wanted to determine if standards and guidance issued by the HHS under HIPAA/HITECH were consistent with federal information security guidance, assess the extent to which the HHS is overseeing compliance with HIPAA Privacy and Security Rules, and find out if its efforts are being effectively executed. GAO also examined the benefits of using electronic health records and the cyber threats to electronic health data.

The study was conducted following a particularly bad year for the healthcare industry. More than 113 million records were exposed as a result of healthcare data breaches in 2015. The number of healthcare data breaches also increased considerably last year. Aside from the cost to the healthcare industry, the data breaches have had an adverse financial impact on patients and have caused major disruptions to the provision of patient care.

In order to determine whether the HHS has issued guidance for covered entities that is consistent with federal cybersecurity guidance, GAO reviewed NIST standards and compared their security and privacy control recommendations with a selection of investigations of covered entities conducted by the Office for Civil Rights (OCR) between January and December 2015. Interviews were also conducted with OCR officials on OCR’s role as enforcer of the HIPAA Rules and on its enforcement activities.

GAO established that there are many benefits to electronic healthcare records, such as improved access to healthcare data, easier sharing of information, and better coordination of healthcare services, all of which have potential to significantly improve patient outcomes and drive down the costs of healthcare provision.

However, storing healthcare data electronically carries a number of risks. Lapses in security have considerable potential to jeopardize the confidentiality of healthcare information, as well as its integrity and availability.

The GAO report identified a number of threats to the security of systems containing ePHI, from a wide range of sources, not only from outside the organization but also from within. While GAO confirmed that the most serious breaches – involving more than 1 million records – have occurred as a result of cyberattacks by outside agents, GAO acknowledges that the biggest threat comes from insiders.

HHS Must Do More to Help Covered Entities Keep ePHI Secure

HIPAA required the Secretary of the HHS to develop regulations to ensure that the privacy and security of ePHI are protected, which took the form of the HIPAA Privacy and Security Rules.

Those HIPAA Rules are deliberately vague when it comes to protections that covered entities should apply to safeguard ePHI. It is not possible for legislation to keep up with the rapid pace of technology, so specifics were omitted.

However, GAO determined that the guidance issued by the HHS does not cover important controls that are detailed in federal guidance on data security. Healthcare organizations are struggling to select appropriate privacy and security controls, and the HHS is not offering enough help in this regard.

The GAO report states that HHS guidance does not cover many elements that are detailed in the NIST cybersecurity framework. According to the report, “until covered entities address all the elements of the NIST Cybersecurity Framework, their EHR systems and data are likely to remain unnecessarily exposed to security threats.”

For example, the security risk assessment is a foundational requirement of the HIPAA Security Rule. It allows covered entities to determine the risks to the confidentiality, integrity, and availability of ePHI and is the basis for a wide range of decisions on the actions and security measures that need to be taken.

OCR developed two tools to assist covered entities with their risk assessments: The NIST HIPAA Security Rule (HSR) Toolkit (2010) for larger covered entities, and the Security Risk Assessment Tool (2015) for smaller healthcare organizations. The HHS also issued seven documents in its HIPAA Security Information Series.

NIST developed the Cybersecurity Framework, which provides much more detail on the cybersecurity activities that must be performed. The GAO report points out that the Framework core is divided into five broad security functions (Identify, Protect, Detect, Respond, and Recover), which are in turn divided into 22 more specific categories and 98 subcategories; each of the 98 subcategories corresponds to a security control.

GAO points out that the HSR Toolkit fully addresses only 19 of those 98 subcategories, and that a great many of the others are not covered in the HIPAA Security Information Series documents either. Two notable omissions were found to be penetration testing and developing risk responses.

GAO points out that the considerable gaps in HHS guidance could lead to incomplete risk assessments, which in turn could leave ePHI unprotected.

Oversight of Covered Entities Must Improve

OCR conducts investigations of data breaches and complaints against covered entities. While all breaches of more than 500 records are investigated, relatively few investigations are opened following complaints about covered entities.

OCR also does not effectively follow up on all compliance issues that it discovers. The GAO study determined that when cases are resolved informally, the covered entities in question are not always provided with appropriate guidance.

When technical assistance is provided to covered entities to address compliance issues and security vulnerabilities that OCR investigations uncover, it is not always relevant. According to the GAO report, “For 12 of the 94 cases we reviewed, the technical assistance was not directly applicable to the submitted complaint.” An example given was a complaint that was filed following the discovery that a covered entity was allowing easily guessable passwords to be used. OCR closed the complaint after sending the covered entity a checklist for securing postal mail and faxes.

OCR officials said technical assistance is not always provided to covered entities because “OCR has only limited technical assistance guidance on hand, which may not always directly address identified issues, and there is no review process to ensure that it is consistent and relevant.”

In some cases, investigations were closed without OCR confirming that corrective actions had been taken to address the issues discovered. Cases were often closed after the covered entity reported that policies and procedures had been updated, yet no evidence was required by OCR to confirm that was actually the case.

GAO Recommendations

GAO concluded that a number of steps should be taken by the HHS to ensure that privacy and security controls are implemented by covered entities and that oversight is improved. The HHS concurred with three of the five recommendations and agreed to take action to address them. The HHS will also consider taking action to address the remaining two recommendations, with which it did not agree.

The GAO recommendations are to:

  1. Update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the NIST Cybersecurity Framework.
  2. Update the technical assistance that is provided to covered entities and business associates to address technical security concerns.
  3. Revise the current enforcement program to include following up on the implementation of corrective actions.
  4. Establish performance measures for the OCR audit program.
  5. Establish and implement policies and procedures for sharing the results of investigations and audits between OCR and CMS to help ensure that covered entities and business associates are in compliance with HIPAA and the HITECH Act.

The GAO Report can be viewed and downloaded on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.