GAO slams HHS on e-prescribing privacy guidance

A Government Accountability Office (GAO) report charges that the U.S. Department of Health & Human Services (HHS) has not properly safeguarded the privacy and security of personal health information when electronic prescribing data is used for secondary purposes. The report also slams HHS' Office for Civil Rights (OCR) for not fully carrying out its enforcement of privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA).

With regard to e-prescribing, the watchdog agency noted that, under the Health Information Technology for Economic and Clinical Health (HITECH) Act, HHS is supposed to provide guidance on how covered entities should de-identify data in electronic prescriptions when it is used for purposes other than direct patient care. Such secondary purposes include the use of data in research, healthcare operations, public health, and drug marketing.

The law required HHS, through OCR, to publish guidance on the de-identification procedures by Feb. 2010, GAO noted in its report. OCR officials told the agency that while guidance had been drafted, its issuance had been delayed due to "competing priorities for resources and internal reviews."

GAO claimed that the postponement raised the risk that covered entities are not properly implementing the standards already set forth in federal regulations. But HHS denied the charge in its official comments on the report.

"Covered entities have been operating under these existing de-identification standards for almost 10 years, and it has not been OCR's experience in administering the Privacy Rule that the standards have been the subject of significant or frequent compliance issues by covered entities," HHS said.

However, GAO said that OCR remains far from meeting its own mandate to audit covered entities and their business associates for HIPAA compliance. While OCR in 2010 issued a notice of proposed rulemaking (NPRM) on regulations to implement the HITECH provisions strengthening the HIPAA privacy rules, GAO said, it has not yet established a program for auditing business associates. The final rule is now with the Office of Management and Budget (OMB), which is expected to make a decision soon on approval.

The GAO report also pointed out that, despite having finished 20 HIPAA audits--with 95 more scheduled for completion by the end of 2012--OCR has not revealed its plans for continuing the audit program after its current pilot ends. OCR told GAO that it hasn't finalized a decision on the program's future because the government funding for the program runs out in December.

In addition, the HHS comment letter said, OCR has yet to evaluate the results of its pilot. Until it does, HHS cannot move forward with a permanent audit program.

To learn more:
- read the GAO report and the attached HHS comments (.pdf)