Electronic Health Information: HHS Needs to Strengthen Security and Privacy Oversight and Guidance

 


Abstract

As a digital version of a patient’s medical record or chart, an electronic health record (EHR) can make pertinent health information more readily available and usable for providers and patients. However, recent data breaches highlight the need to ensure the security and privacy of these records. HHS has primary responsibility for setting standards for protecting electronic health information and for enforcing compliance with these standards.

GAO was asked to review the current health information cybersecurity infrastructure. The specific objectives were to (1) describe expected benefits of and cyber threats to electronic health information, (2) determine the extent to which HHS security and privacy guidance for EHRs is consistent with federal cybersecurity guidance, and (3) assess the extent to which HHS oversees these requirements. To address these objectives, GAO reviewed relevant reports, federal guidance, and HHS documentation and interviewed subject matter experts and agency officials.

What GAO Recommends

GAO is making five recommendations, including that HHS update its guidance for protecting electronic health information to address key security elements, improve technical assistance it provides to covered entities, follow up on corrective actions, and establish metrics for gauging the effectiveness of its audit program. HHS generally concurred with the recommendations and stated it would take actions to implement them.

Document Date: Aug 1, 2016

Author (organization): Government Accountability Office (GAO)

Document type: Report

Interests: Cybersecurity, Healthcare, Volunteer Corps