GAO Study Slams HHS For Lack of Guidance to Covered Entities

Robinson+Cole Data Privacy + Security Insider

We watch closely for any guidance to HIPAA covered entities and business associates from the Department of Health and Human Services Office for Civil Rights (HHS/OCR). Why? Because there is so little of it. Lately, the only guidance we have been receiving is in the form of Resolution Agreements and Corrective Action Plans, and hefty fines accompanying them.

The Government Accountability Office (GAO) recently finished a study of HHS/OCR’s cybersecurity infrastructure to see if it was consistent with NIST standards.

The resulting Report notes that health care entities are struggling to select appropriate privacy and security controls for their organizations, and that HHS is not offering enough help to those organizations. Although OCR published two tools to assist covered entities and business associates with risk assessments, according to the GAO, those tools do not provide enough detailed information for covered entities and business associates to determine which cybersecurity activities must be performed. The Report noted that the NIST framework has 98 subcategories for security controls, while the OCR Toolkit addresses only 19 of the 98 subcategories. According to the GAO, these gaps in the OCR’s guidance could lead to incomplete risk assessments.

The GAO further found that when the OCR resolves cases informally, it does not provide appropriate guidance to the covered entity. The OCR also provides technical assistance to address compliance issues, but that assistance is not always relevant. According to the Report, “For 12 of the 94 cases we reviewed, the technical assistance was not directly applicable to the submitted complaint.”

Based on these findings, the GAO recommended that the OCR:

  • Update security guidance for covered entities and business associates; and
  • Update the technical assistance that is provided to covered entities and business associates to address technical security concerns.

As the Report notes, the health care industry is working hard to protect patient data. Any security guidance and technical assistance from the OCR would be welcomed.
