HHS needs to strengthen its oversight of Medicare beneficiaries' protected prescription drug data, according to a newly released report from the Government Accountability Office.

In the 40-page report (PDF), the GAO acknowledged that HHS has taken some steps, such as issuing legislation and ramping up educational efforts, aimed at protecting the privacy and security of vulnerable patient data. But those actions have not gone far enough, the GAO argued.

"HHS has not issued required implementation guidance to assist entities in de-identifying personal health information including when it is used for purposes other than directly providing clinical care to an individual," the GAO said in the report. "This means ensuring that data cannot be linked to a particular individual, either by removing certain unique identifiers or by applying a statistical method to ensure that the risk is very small that an individual could be identified."

The GAO also criticized HHS for making slow progress in establishing an audit system for assessing covered entities' compliance with privacy and security requirements. HHS has a pilot audit program in place but has no long-term plan for sustaining such review, the report stated.

"Without a plan for establishing an ongoing audit capability," the GAO said, HHS' Office for Civil Rights "will have limited assurance that covered entities and business associates are complying with requirements for protecting the privacy and security of individuals' personal health information."