We watch closely for any guidance to HIPAA covered entities and business associates from the Department of Health and Human Services Office for Civil Rights (HHS/OCR). Why? Because there is so little of it. Lately, the only guidance we have been receiving is in the form of Resolution Agreements and Corrective Action Plans, and the hefty fines that accompany them.
The Government Accountability Office (GAO) recently finished a study of HHS/OCR’s cybersecurity infrastructure to see if it was consistent with NIST standards, and published its findings in a report (the Report).
The Report notes that health care entities are struggling to select appropriate privacy and security controls for their organizations, and HHS is not offering enough help to those organizations. Although OCR published two tools to assist covered entities and business associates with risk assessments, according to the GAO, those tools do not provide enough detailed information for covered entities and business associates to determine the cybersecurity activities that must be performed. The Report noted that the NIST framework has 98 subcategories for security controls, while the OCR Toolkit only addresses 19 of the 98 subcategories. According to the GAO, these gaps in the OCR’s guidance could lead to incomplete risk assessments.
The GAO further found that when the OCR resolves cases informally, it does not provide appropriate guidance to the covered entity. Further, the OCR provides technical assistance to address compliance issues, but that assistance is not always relevant. According to the Report, “For 12 of the 94 cases we reviewed, the technical assistance was not directly applicable to the submitted complaint.”
On these findings, the GAO recommended that the OCR:
- Update security guidance for covered entities and business associates; and
- Update the technical assistance that is provided to covered entities and business associates to address technical security concerns.
As the Report notes, the health care industry is working hard to protect patient data. Any security guidance and technical assistance from the OCR would be welcomed.