GAO Report Criticizes HHS’ HIPAA Cybersecurity Guidance and Program
Recently, the Government Accountability Office (GAO) reviewed the U.S. Department of Health and Human Services’ (HHS) security and privacy oversight and identified significant gaps in the cybersecurity guidance HHS provides to entities regulated by HIPAA. The report’s primary criticism is that, although HHS prepared a crosswalk to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the crosswalk covers only 19 of the subcategories NIST identifies in the framework. That leaves 98 subcategories of NIST’s framework unaddressed and, according to the GAO, unnecessarily exposes electronic health records (EHRs), and therefore protected health information, to security threats.

The GAO report recommends that HHS:

  • Update HHS guidance for protecting electronic health information to address the remainder of the controls that HHS’ current guidance does not address from the NIST Cybersecurity Framework.
  • Improve technical assistance it provides to covered entities to ensure that it is pertinent to the identified problems.
  • Follow up on its corrective action recommendations after an investigation is concluded.
  • Establish benchmarks to assess the effectiveness of the audit program.

HHS’ response generally concurred with the GAO recommendations, although it also clarified that the NIST Cybersecurity Framework crosswalk is not intended to be a comprehensive guide for every entity seeking to protect electronic protected health information, but rather one guide among the many that HHS has made available for risk management purposes.

HHS also pointed out in its response that the remaining recommendations did not take into account that HHS is in the midst of its Phase 2 audits, or that the structure of corrective action plans requires long-term monitoring (two years or more).

The GAO emphasized that the NIST Cybersecurity Framework crosswalk lacks detailed guidance on risk assessments and the corresponding risk management plans. For healthcare providers, both OCR’s 2016 resolution agreements, which have repeatedly emphasized the need for enterprise-wide risk assessments, and the GAO report’s findings on risk assessment and risk management guidance underscore the importance of undertaking a comprehensive risk assessment and appropriately managing the identified risks to prevent security threats to protected health information. Healthcare providers should, at a minimum, implement safeguards that meet HHS’ baseline requirements and draw on NIST guidance to fully secure protected health information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising