In light of recent health information data breaches, the Government Accountability Office has issued a report examining whether HHS security and privacy guidance for electronic health records (EHRs) are consistent with federal cybersecurity guidance, and the extent to which HHS oversees compliance with HHS information security and privacy requirements. The GAO identified shortcomings in HHS guidance on the privacy and security of protected health information, such as a failure to address how covered entities should tailor their implementation of key security controls (e.g., penetration testing and developing risk responses) identified by the National Institute of Standards and Technology (NIST) to their specific needs. The GAO also found that the HHS Office of Civil Rights (OCR) did not always follow up with an entity under its jurisdiction with which OCR had entered into a settlement agreement to ensure that corrective actions were implemented, nor has it established benchmarks to assess the effectiveness of its audit program.

GAO made several recommendations to strengthen controls in this area, including: updating security guidance for covered entities and business associates to address controls described in the NIST Cybersecurity Framework; updating technical assistance for covered entities and business associates; revising enforcement protocols to include following up on the implementation of corrective actions; establishing performance measures for the OCR audit program; and implementing procedures to share results of investigations and audits between OCR and CMS to help ensure that covered entities and business associates are in compliance with health security standards. HHS generally concurred with these recommendations.