The Government Accountability Office has asked the Department of Health and Human Services to update its guidance for associated healthcare entities on how to protect electronic health records against cyber threats and privacy violations.
GAO said in a report posted Monday HHS’ Health Insurance Portability and Accountability Act guidance for EHR security and privacy does not address how entities should implement security controls that the National Institute of Standards and Technology has identified.
Auditors added HHS should improve its technical assistance to covered entities during security and privacy breach investigations and that the department should follow up on corrective actions after cases have been closed.
GAO found that HHS’ civil rights office gave technical assistance that was not relevant to identified problems during some investigations on security and privacy complaints.
The government watchdog said HHS did not always check whether corrective actions have been implemented after investigative cases were closed.
HHS’ civil rights office created a program to audit covered entities’ security and privacy initiatives but the office has yet to establish benchmarks to evaluate the effectiveness of that evaluation program, GAO’s report stated.
GAO recommended HHS establish metrics to assess the effectiveness of its audit program.