The GAO has issued a report entitled “Prescription Drug Data: HHS Has Issued Health Privacy and Security Regulations but Needs to Improve Guidance and Oversight.” The report assesses the extent to which HHS has established a framework to ensure the privacy and security of Medicare beneficiaries’ protected health information when data on prescription drug use are used for purposes other than direct clinical care. According to the GAO, while HHS has issued regulations (including HIPAA Privacy and Security Rules) to safeguard protected health information from unauthorized use and disclosure, the Department has not issued all required guidance or fully implemented required oversight capabilities. For instance, the GAO notes that HHS has not issued required implementation guidance to assist entities in de-identifying personal health information, including when it is used for purposes other than directly providing clinical care to an individual. The GAO also found that HHS does not have plans for establishing a sustained capacity to audit covered entities’ compliance with HHS privacy and security requirements. GAO therefore recommends that HHS issue de-identification guidance and establish a plan for a sustained audit capability; HHS generally agreed with the recommendations.