GAO calls upon HHS to improve communications for breach reporting processes

The U.S. Government Accountability Office (GAO) pressed upon the Department of Health and Human Services (HHS) to establish a feedback mechanism to improve the effectiveness of its breach reporting process. HHS concurred with GAO’s recommendation and described actions it would take to address it.

According to a report released this week, the GAO was asked to review covered entities’ required reporting to HHS on data breaches. The report examines the number of breaches and affected individuals reported to HHS since 2015, the extent to which HHS established a review process to assess whether covered entities had implemented recognized security practices, and the extent to which improvements can be made related to HHS’s breach reporting requirements. 

In doing so, GAO reviewed privacy and information security laws, analyzed HHS documentation, policies, and procedures, and interviewed cognizant OCR officials. GAO also surveyed HIPAA-covered entities and business associates.

The HHS Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. 

In its response, the HHS noted that OCR would establish a mechanism for regulated entities to provide feedback on the breach reporting and investigative process, the GAO report said. “Specifically, OCR plans to add language and contact information to the confirmation email that regulated entities receive when they submit breach reports through the HHS Breach Portal to invite feedback and questions about the breach reporting process,” it added.

The agency also plans to implement procedures for OCR’s regional offices to regularly review and address emails received about the breach reporting process through their respective mailboxes, GAO said. “We will continue to follow up with HHS to validate its implementation of this recommendation,” it added.

GAO found that since 2015, the HHS has seen an increase in reported breaches while the number of affected individuals has varied each year from approximately 5 to 113 million. Such health information breaches involve the unauthorized (intentional or unintentional) exposure, disclosure, or loss of an individual’s identifiable health information.  

The GAO report said that the OCR had taken steps to establish a process on whether entities implemented recognized security practices. It pointed to a law enacted last January that required HHS to consider whether covered entities had implemented such practices as part of its enforcement activities. In response, OCR established standard operating procedures for its investigators, published a request for information to seek public comments on implementing security practices, and conducted outreach to the healthcare sector. “OCR expects to finalize the process no later than the summer of 2022,” the report added.

While the OCR is charged with implementing and enforcing the HIPAA Privacy, Security, and Breach Notification Rules, including the development and management of the breach reporting process, it “does not have a method for covered entities to provide feedback on the breach reporting process, nor did the office indicate that it had plans to develop one. Without a clear mechanism to provide feedback to OCR, covered entities and business associates can face challenges during the breach reporting process. Further, soliciting feedback on the breach reporting process could help OCR improve aspects of the process,” it added.

The GAO report said that HIPAA authorized the Secretary of HHS to establish standards to protect the privacy of certain health information and required the Secretary to adopt security standards for that health information. “HHS implemented the HIPAA provisions, as amended by the HITECH Act, through its issuance of the Privacy, Security, Enforcement, and Breach Notification Rules. The Rules are collectively known as the HIPAA Rules, which govern PHI transmitted or maintained by covered entities and their business associates,” it added.

The GAO report assessed that the healthcare sector uses various information systems and technologies, with patient care and services provided in multiple settings, such as physician offices and hospitals, which are not always well coordinated. Because of this lack of coordination, for example, providers may lack real-time access to critical information needed to care for patients and to make informed decisions about the best treatment options. Moreover, health IT systems can be vulnerable to security lapses, including breaches, that can jeopardize the confidentiality, integrity, and availability of the systems and their information.

“Cyber threat actors can intrude and use their access to obtain or manipulate sensitive information, such as EHRs, in order to commit fraud or disrupt operations,” the GAO report said. “Further, the loss or unauthorized disclosure of sensitive information, including PHI within EHRs, can lead to serious consequences such as identity theft or other fraudulent activity and can result in substantial harm,” it added.

The GAO report disclosed that the Deputy Director for Health Information Privacy stated that the primary method for the office to receive information is through a breach investigation and that there is no formal process or platform for a covered entity or business associate to provide feedback. “In addition, he noted that if a covered entity or business associate experienced issues during the breach reporting process, it could take one of three steps—schedule a meeting, email OCR at its publicly available email address, or write a letter to OCR,” it added.

Furthermore, “The National Plan emphasizes the importance of partners collectively adapting based on feedback and the changing environment,” the GAO report said. The plan states that recognizing the value of different perspectives helps the partnership understand challenges and solutions related to critical infrastructure security and resilience. The plan also emphasizes that a well-functioning partnership, among other attributes, depends on clear and frequent communication, it added.

“Without a clear mechanism to provide feedback to OCR, covered entities and business associates may face challenges during the breach reporting process,” the GAO report said. “Further, soliciting feedback on the breach reporting process could help OCR improve or simplify aspects of the process and may decrease long lapses of communication during ongoing breach reporting investigations,” it added. 

The GAO report said that breaches experienced by covered entities and their business associates had compromised hundreds of millions of individuals’ sensitive information. “OCR is taking steps to finalize its process to consider whether covered entities and business associates have implemented recognized security practices. These efforts, if implemented within the expected timeframes, may help improve the consistency of the breach investigations process and better prepare covered entities and business associates for investigations,” it added.

The report added that OCR had not provided a formal method for covered entities and business associates to provide feedback about the breach reporting and investigations processes. “Addressing this shortcoming will be an important step toward improving or simplifying aspects of the breach and investigations process and preventing long lapses of communication during ongoing breach reporting investigations.”