GAO: Tighter HIPAA Safeguards Needed at HHS

The Government Accountability Office (GAO) released a report this month that says the Department of Health and Human Services (HHS), the enforcer of HIPAA privacy and security rules, has safeguards that do not always protect sensitive information it shares with contractors.

The report—Contractor Integrity: Stronger Safeguards Needed for Contractor Access to Sensitive Information, released this month—cites patient health and medical information as one of the examples of "sensitive information."

GAO's report assesses the:

• Extent to which government guidance and contracts contain safeguards for contractor access to sensitive information
• Adequacy of government-wide guidance on how agencies are to safeguard sensitive information to which contractors may have access

The report also reviews practices of the Department of Defense (DOD) and Department of Homeland Security (DHS).

It found that DOD's and HHS' guidance do not always protect "all relevant types of sensitive information contractors may access during contract performance," according to a one-pager of report highlights released by the GAO.

"GAO's analysis of guidance and contract actions at three agencies found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."