HHS guidance falls short of federal guidelines

The Department of Health and Human Services’ (HHS) guidance on security and privacy for HIPAA covered entities fails to comply with federal guidelines, according to a recent U.S. Government Accountability Office (GAO) report.

The report, released last Monday, found that HHS guidelines do not fully address key security controls of the Cybersecurity Framework, issued by the National Institute of Standards and Technology (NIST).

HIPAA regulations, as set out by HHS, require HIPAA covered entities to carry out risk assessments (technical and non-technical evaluations of their controls) in order to develop risk management plans. However, these regulations do not address how organizations should tailor the implementation of these key security controls, which may be putting electronic health information at risk, according to the report.

The report recognizes that while HHS has a compliance oversight program in place for privacy and security, the program does not always verify that the regulations have actually been implemented, and it does not help organizations correct their security practices.

Following the report, HHS responded that its guidance is intended to be minimally prescriptive so that a wide variety of covered entities can implement it flexibly.

The GAO states “HHS has primary responsibility for setting standards for protecting electronic health information and for enforcing compliance with these standards… without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise.”

In a bid to address and improve these security issues, GAO offered five recommendations to the HHS:

  • Update security guidance for covered entities and business associates to address implementation of the NIST Cybersecurity Framework controls.
  • Update technical assistance for healthcare organizations to address security concerns.
  • Revise the enforcement program to include follow-up with entities that are in the process of implementing corrective actions.
  • Establish performance measures for the audit program.
  • Create procedures to share audit and investigation results, to help ensure that covered entities and business associates are in compliance with HIPAA and the HITECH Act.

In response to these recommendations, HHS has agreed to take action on three of the five. It has neither agreed nor disagreed with the remaining two.

Reacting to the report, many security experts are calling for a complete overhaul of the ‘out of date’ HIPAA Security Rule so that it reflects modern-day threats, including hackers, cloud and cybersecurity risks, vulnerability scans, penetration, and intrusion, to name a few.