Health care cybersecurity
Feedback Mechanism for HHS Cyber Breach Reporting Process Needed, GAO Says
The Department of Health and Human Services should create a way for health care organizations to provide feedback on the agency’s cyber breach reporting process, a government watchdog said.
HHS’ Office of Civil Rights is responsible for enforcing the Health Insurance Portability and Accountability Act’s security standards as required by a law enacted in January 2021.
According to the Government Accountability Office, OCR has developed methods to evaluate HIPAA-covered entities’ compliance but does not provide a formal process for them to suggest improvements to the process. OCR has also not announced any plans to create one, GAO said Monday.
The absence of a feedback process poses a challenge for covered entities and HHS business associates, the auditor added.
In the full 37-page report, GAO cited the deputy director for health and information privacy as saying that the only way for OCR to receive information is through a breach investigation.
The deputy director added that covered entities can schedule a meeting, email the office or write a letter if they encounter issues during the breach reporting process.
GAO said that addressing the issue could help OCR simplify aspects of the reporting process and prevent long lapses in communication during investigations. HHS concurred with the recommendations and described the actions it plans to take, GAO added.
The watchdog said that its conclusions were informed by a review of security laws, an analysis of HHS processes, interviews with OCR officials and surveys of HIPAA-covered entities.
Tags: breach reporting, cybersecurity, Government Accountability Office, HHS, HIPAA