The Government Accountability Office (GAO) is warning that the U.S. government hasn’t lived up to promises to protect the privacy of Medicare patients who use the federal government’s Prescription Drug Benefit and not following through on promises to audit organizations that store patient health information.
The report, “Prescription Drug Data: HHS Has Issued Health Privacy and Security Regulations But Needs To Improve Guidance and Oversight” (GAO-12-605) was released on Friday. It found that the U.S. federal government’s Department of Health and Human Services (HHS) has failed to provide guidance to health care providers on how they can protect the privacy and security of Medicare beneficiaries’ protected health information (PHI). HHS is also shirking a requirement of the Health Insurance Portability and Accountability Act (HIPAA) that requires regular audits of organizations’ compliance with HIPAA’s Privacy and Security rules, the report says.
The GAO audit was mandated by the Patients and Providers Act of 2008, which instructed the agency to report on prescription drug use data protections. As part of its report, GAO surveyed HHS’s system for ensuring the privacy and security of Medicare beneficiaries’ protected health information, such as their use of prescription drugs under the Medicare Prescription Drug Benefit, when that data is used for purposes other than direct clinical care.
The Patients and Providers Act, which Congress passed over a veto by then-President George W. Bush, improves Medicare beneficiaries’ access to preventive and mental health services and expands benefit programs for low-income and rural Medicare recipients.
HHS’s Office for Civil Rights (OCR) has done a good job issuing regulations governing the protection of patient data and making covered entities aware of those rules. However, enforcement of those regulations is another matter entirely. GAO found that HHS hasn’t yet issued implementation guidance to assist entities that must abide by HIPAA and the Patients and Providers Act of 2008 in de-identifying personal health information, as required by HIPAA.
De-identifying refers to the process of making it impossible to connect data to an individual. For example, organizations could simply remove unique identifiers in the data or prove, via statistical methods, that the risk is very small that an individual could be identified. HHS was required by law to provide specific guidance on de-identifying data by February 2010, but has repeatedly delayed issuing the guidance, citing competing priorities for resources and internal reviews.
GAO found that HHS is balking on requirements that it conduct regular audits of covered entities’ compliance with HIPAA’s Security and Privacy rules. The agency was required by law to implement “periodic compliance audits” of covered entities in the absence of specific data breach incidents. HHS’s Office of Civil Rights has piloted a program for doing such audits but says it doesn’t plan to create a “sustained audit capability” for covered entities or their business associates.
“Without a plan for establishing an ongoing audit capability, OCR will have limited assurance that covered entities and business associates are complying with requirements for protecting the privacy and security of individuals’ personal health information,” GAO wrote.
HIPAA became law in 1996. However, the law’s Security and Privacy provisions became law seven years later, with many providers exempt until 2005. Enforcement of civil penalties for violators of the law’s Security and Privacy provisions have appeared only in the last year – fully eight years later. In February 2011, HHS fined a Maryland health care provider Cignet Health Care $4.3 million for failing to provide 41 patients with copies of their medical records and failing to respond to requests from HHS’s Office of Civil Rights for information related to the complaints. In March, 2012, HHS fined BlueCross BlueShield of Tennessee $1.5m for a 2009 data breach affecting around one million BlueCross BlueShield customers in that state.