
GAO: Tighter HIPAA Safeguards Needed at HHS

By dnicastro@hcpro.com, September 21, 2010

The Government Accountability Office (GAO) released a report this month that says the Department of Health and Human Services (HHS), the enforcer of HIPAA privacy and security rules, has safeguards that do not always protect sensitive information it shares with contractors.

The report, Contractor Integrity: Stronger Safeguards Needed for Contractor Access to Sensitive Information, released this month, cites patient health and medical information as one of its examples of "sensitive information."

GAO's report assesses the:

  • Extent to which government guidance and contracts contain safeguards for contractor access to sensitive information
  • Adequacy of government-wide guidance on how agencies are to safeguard sensitive information to which contractors may have access

The report also reviews practices of the Department of Defense (DOD) and Department of Homeland Security (DHS).

It found that DOD's and HHS' guidance do not always protect "all relevant types of sensitive information contractors may access during contract performance," according to a one-pager of report highlights released by the GAO.

"GAO's analysis of guidance and contract actions at three agencies found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."

The federal agencies operate under the Federal Acquisition Regulation (FAR), which governs federal agencies in the process of acquiring goods and services—in this case, hiring contractors who handle sensitive information.

The GAO recommends adding safeguards to the FAR, including:

  • Addressing the use of nondisclosure agreements with contractors
  • Requiring prompt notification of unauthorized disclosure or misuse of sensitive information

DHS agreed with the recommendations, the GAO said, but DOD and HHS did not respond.

HHS did not immediately answer an e-mail from HealthLeaders Media Monday.

Senator Tom Carper (D-Del.), chairman of the U.S. Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, said in a statement that "there have been an unacceptably high number of data breaches that have left individuals, at times, the victim of serious financial crime or, more often, fearful that their personal information will be compromised."

He cited a 2008 incident in which a payment processing company was hacked, exposing more than 100 million Americans' sensitive information, and the loss of a Department of Veterans Affairs laptop that held more than 25 million veterans' health and personal information.

"These types of breaches are not only scary, but unacceptable," Carper said.

"This report from the Government Accountability Office shows that, despite increased awareness and progress in addressing this issue, sensitive information retained by federal agencies remains vulnerable to unauthorized disclosure and abuse by outside contractors working for those agencies," Carper said. "The federal government needs to do a better job of protecting sensitive information to prevent disclosure as well as ensuring that, if an improper disclosure takes place, contractors immediately notify the affected agency."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
