GAO Presses HHS for Privacy Guidance
Report Also Urges Firming Up HIPAA Audits Beyond 2012
A new Government Accountability Office report criticizes the Department of Health and Human Services for its tardiness in issuing privacy guidance for how to de-identify patient data that's used for research. The report also calls on HHS to spell out plans for continuing its HIPAA compliance audit program beyond this year.
The HITECH Act required HHS to issue by February 2010 guidance for de-identifying patient data that's aggregated for research, going beyond the requirements already spelled out in the HIPAA Privacy Rule. But that guidance has been "delayed due to competing priorities for resources and internal reviews," the GAO report states. The HHS' Office for Civil Rights is heading up the effort to prepare the guidance; it's also coordinating the HIPAA audit program.
The GAO report says that while HHS "established a framework for protecting the privacy and security of Medicare beneficiaries' prescription drug use information when used for purposes other than direct clinical care through its issuance of regulations, outreach and enforcement activities, it has not issued all required guidance or fully implemented required oversight capabilities."
The report warns that until the guidance is issued, "Increased risk exists that covered entities are not properly implementing the standards set forth by federal regulations for de-identifying protected health information."
In its comments on the report's findings, HHS says, "While the department agrees that issuing the guidance will be helpful to covered entities, the department does not agree that without the guidance, covered entities will have limited assurance that they are complying with the HIPAA Privacy Rule de-identification standards."
Nevertheless, HHS is "committed to publishing the guidance as soon as possible," according to the department's comments.
The GAO report also urges HHS to develop a sustainable plan for continuing its HIPAA compliance audit program beyond this year. "Without a plan for establishing an ongoing audit capability, OCR will have limited assurance that covered entities and business associates are complying with requirements for protecting the privacy and security of individuals' personal health information," the report states.
Under the audit program, mandated by the HITECH Act, 20 healthcare entities have been audited so far, and HHS expects to complete another 95 by year's end. OCR published the protocol for its audits this week (see: HIPAA Audit Protocol Revealed).
While HHS hasn't formally released details about its plans for the audit program beyond this year, OCR director Leon Rodriguez has indicated that the program likely will continue next year.
In an earlier interview, Rodriguez said there was a "reasonable likelihood" the audit program will continue beyond 2012, despite budget cuts.
"This audit program has exposed vulnerabilities and issues that we can't find any other way," he noted. "I think it will be good policy for us to really keep this audit program going."
In its comments on the report, HHS said: "The outcomes of the evaluation of the pilot audit program [in 2012] will identify requirements needed to fully implement OCR's audit function and will provide other critical information necessary to inform [HHS'] decision as to how best establish a sustainable audit program and infrastructure." The comments continue: "Once the results are known, [HHS] will be able to move forward with the implementation of a sustainable audit program."
HHS also wrote that while the audit function is "a critical compliance tool to identify vulnerabilities before they cause breaches and other incidents ... the importance of the audit function should not, however, be understood to diminish the effectiveness of other OCR enforcement activities" for HIPAA, including investigation into "thousands of complaints" as well as compliance reviews conducted annually by OCR.