HHS Has Been Slow to Address High Priority GAO Recommendations


The Department of Health and Human Services has been slow to address high priority recommendations from the Government Accountability Office (GAO). Out of the 54 high priority recommendations outlined in a GAO March 2019 report, only 13 (24%) have been addressed so far.

GAO explained in a letter to HHS’ Secretary Alex Azar that its November 2019 report showed that government-wide, 77% of GAO recommendations made 4 years ago had been implemented, but the implementation rate at the HHS was only 61%. As of April 2020, there were 405 outstanding recommendations.

The March 2019 report identified 54 high priority recommendations and a further 18 high priority recommendations have been made. The total number of outstanding high priority recommendations now stands at 55. Several of the outstanding recommendations relate to enhancing cybersecurity and fraud risk reduction.

GAO says there are nine open priority recommendations related to public health related programs and issues “that would help ensure that relevant federal agencies are coordinating, managing risks, and have the resources they need to respond to biological threats such as the COVID-19 pandemic.” Some of these recommendations would also help the HHS improve oversight of nursing homes to better protect residents from abuse.

Critical infrastructure in the United States, which includes healthcare, is heavily reliant on computer systems and electronic data, but serious cyber threats to that infrastructure continue to grow. There are currently at least 7 open priority recommendations related to cybersecurity that need to be addressed.

GAO reports that the HHS has not yet developed a cybersecurity risk management strategy that includes key risk-related elements. The Centers for Medicare and Medicaid Services (CMS) has yet to develop processes and procedures to ensure that researchers and other qualified entities have implemented information security controls effectively throughout their agreements with CMS. Progress also needs to be made toward implementing IT enhancements to establish the electronic public health situation awareness network.

Several of the recommendations have only been partially addressed. GAO explains that recommendations were made in July 2019 for HHS to develop a cybersecurity risk management strategy and establish processes for conducting an organization-wide security risk assessment. The HHS reported in January 2020 that it was “drafting a new cybersecurity risk management memo that will provide additional details of its cybersecurity risk management strategy,” which would also define the process for the cybersecurity risk assessment.

“To fully address our recommendations, HHS must ensure that its strategy includes key elements, including a statement of risk tolerance and information on how the agency intends to assess, respond to, and monitor cybersecurity risks,” wrote GAO in the report. “In addition, HHS needs to establish a risk assessment process to allow the agency to consider the totality of risk derived from the operation and use of its information systems.”

Seven outstanding recommendations relate to the prevention of fraud. GAO points out that estimates of improper payments in the Medicare and Medicaid programs are unacceptably high and totaled more than $103 billion in fiscal year 2019. The GAO recommendations would help to significantly reduce that figure and are of critical importance. Those recommendations include assessing documentation requirements, taking steps to minimize program risks, and conducting prepayment claims reviews.

GAO recognizes the HHS and its component agencies are focused on the response to the coronavirus pandemic and has urged the HHS to address the high priority recommendations as soon as it is able to refocus its efforts. If the recommendations are implemented, GAO says they could “substantially improve HHS’s operations.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
