Electronic Health Information: HHS Needs to Improve Communications for Reporting Violations
What the GAO found
Since 2015, the Department of Health and Human Services (HHS) has seen an increase in reported breaches, while the number of people affected has varied annually from approximately 5 million to 113 million. Such health information breaches involve the unauthorized exposure, disclosure, or loss (whether intentional or unintentional) of an individual's identifiable health information. The figure shows the number of breaches reported by the various types of covered entities from 2015 to 2021.
Figure: The number of breaches involving unsecured protected health information (PHI) from 2015 to 2021
*Note: Business associates are entities that perform certain functions or activities involving the use or disclosure of PHI on behalf of, or provide services to, a covered entity. Health care clearinghouses are entities that process non-standard data elements of health information received from another entity into standard data elements, or vice versa.
The HHS Office for Civil Rights (OCR), the unit responsible for enforcing the standards of the Health Insurance Portability and Accountability Act (HIPAA), has taken steps to establish a process for determining whether entities have implemented recognized security practices. A law enacted in January 2021 required HHS, as part of its enforcement activities, to determine whether covered entities had implemented such practices. In response, OCR has established standard operating procedures for its investigators, issued a request for information to solicit public feedback on the implementation of recognized security practices, and is conducting outreach to the health care sector. OCR expects to finalize the process no later than summer 2022.
OCR is responsible for implementing and enforcing the HIPAA privacy, security, and breach notification rules, including developing and managing the breach reporting process. However, OCR does not have a method for covered entities to provide feedback on the breach reporting process, nor has the office indicated that it plans to develop one. Without a clear mechanism for providing feedback to OCR, covered entities and business associates may face challenges during the breach reporting process. Additionally, soliciting feedback on the breach reporting process could help OCR improve certain aspects of it.
Why GAO Did This Study
The use of computers allows health care providers and others to share health care information electronically, which improves health care delivery, public health, and research, and enables providers to make informed decisions about patient health.
HHS sets and enforces standards for protecting electronic health information. To implement the provisions of HIPAA, HHS has issued regulations that govern PHI transmitted or retained by covered entities, such as health plans and health care providers, and their business associates.
GAO was asked to review the reports on data breaches that covered entities are required to submit to HHS. This report examines (1) the number of breaches and affected individuals reported to HHS since 2015; (2) the extent to which HHS has established a review process to assess whether covered entities have implemented recognized security practices; and (3) the extent to which improvements can be made to HHS's breach reporting requirements.
To do this, GAO reviewed privacy and information security laws; analyzed HHS documentation, policies, and procedures; and interviewed relevant OCR officials. GAO also interviewed HIPAA-covered entities and business associates.