Why GAO did this study

The use of IT allows health care providers and others to share health care information electronically, which enhances care delivery, public health, and research, and empowers providers to make informed decisions regarding patient health. HHS sets and enforces standards for protecting electronic health information. To implement the provisions of HIPAA, HHS issued regulations that govern PHI transmitted or maintained by covered entities, such as health plans and health care providers, and their business associates.

GAO was asked to review covered entities' required reporting to HHS on data breaches. This report examines (1) the number of breaches and affected individuals reported to HHS since 2015; (2) the extent to which HHS established a review process to assess whether covered entities had implemented recognized security practices; and (3) the extent to which improvements can be made related to HHS's breach reporting requirements. To do so, GAO reviewed privacy and information security laws; analyzed HHS documentation, policies, and procedures; and interviewed cognizant OCR officials. GAO also surveyed HIPAA covered entities and business associates.

What GAO recommends

GAO is making one recommendation to HHS to establish a feedback mechanism to improve the effectiveness of its breach reporting process. HHS concurred with GAO's recommendation and described actions it would take to address it.
Copyright: The National Library of Medicine believes this item to be in the public domain.