The Government Accountability Office, responding to an inquiry by Congress, made it “official” this week: HHS has failed to protect the privacy and security of electronic patient records from hackers, data thieves and voyeurs.
Privacy and security gurus praised the GAO for taking an unflinching look at the dual role HHS plays as both a promoter of health information technology use and the primary enforcer of the Health Insurance Portability and Accountability Act, the federal privacy, security and breach notification law.
The report, experts say, should come as one more warning to the healthcare industry to better protect sensitive patient information before Congress, the courts or their own patients take action.
“The findings are just what I've been saying for the last 14 years. HIPAA was just terribly implemented,” said privacy lawyer Jim Pyles, a partner in Powers Pyles Sutter & Verville in Washington. He added that hospitals and practitioners adopted IT systems that “everyone knew couldn't be made secure.”
More importantly, the agency whose job it is to protect patient privacy has work to do, said Sen. Lamar Alexander (R-Tenn.), who, along with Patty Murray (D-Wash.), asked the GAO to investigate HHS' security oversight.
The GAO report, Alexander said, found HHS' “guidance is hard to follow, it has no benchmarks so there's no way to measure the effectiveness of its oversight, it doesn't communicate with other federal agencies who may be unknowingly giving taxpayer dollars to companies with security problems, and it provides irrelevant technical advice.”
So far, taxpayers have poured $31.2 billion into federal subsidies for the purchase and adoption of electronic health record systems, chiefly by hospitals and physicians.
HHS did not respond to a request for comment.
The GAO didn't go far enough in determining who's to blame for the nation's leaky health IT infrastructure, said Twila Brase, president and co-founder of the Citizens' Council for Health Freedom, a healthcare privacy advocacy organization headquartered in St. Paul, Minn. The problem lies with what Brase called the federal “mandate” for providers to use EHRs or face penalties.
“They can come out with this report, but so what?” Brase said. “Congress and the administration that put this into law are at fault.”
Previously, courts have swatted down class-action lawsuits arising from data breaches because actual harm has been difficult to prove, Pyles said.
But a recent appeals court decision that customers don't have to wait for their identity to be misused in order to claim that their privacy was violated indicates that a once-closed door is opening.
Health IT systems have “many potential benefits, including reducing costs and increasing medical accuracy,” the GAO acknowledged. But data insecurity is a huge problem.
Since 2009, when the American Recovery and Reinvestment Act required public reporting of major healthcare data breaches, more than 168 million individuals have had their medical records exposed. More than 113 million individuals' records were breached in 2015 alone. The vast majority of those victims fell prey to hackers.
Congress last year created a healthcare cyber task force that addressed these issues.
“Our Senate committee has held six hearings and approved legislation to help make these records more secure,” Alexander said. “As we pass that bill into law, (HHS) needs to continue to implement the recommendations in this report as well as the new Cybersecurity Information Sharing Act, which requires the department to give hospitals and doctors clear information on the best ways to safeguard patients' information, and also to require the agency to make it clear who is responsible for dealing with the rising cyberattacks against the healthcare industry.”
Other key GAO findings and recommendations include:
• The obvious, that the increased use of EHR systems, while having the potential to improve healthcare quality, can also render vast amounts of patient information “vulnerable to security lapses that can jeopardize the confidentiality, integrity and availability of the information they contain.” Pyles concurs with this point. Patients already withhold sensitive personal information from their physicians, and that will only get worse if they feel the doctors won't or can't keep it secure, he said.
• HHS is giving security compliance guidance to providers that isn't tailored to the key security controls identified by cybersecurity experts at the National Institute of Standards and Technology. HHS should rewrite the guidance to address implementing NIST controls, the GAO said.
• HHS' Office for Civil Rights, which enforces HIPAA data rules and handles thousands of privacy and security complaints each year, may be overloaded and under-resourced. At any rate, the GAO found the Civil Rights Office is closing complaint cases with no follow-up to ensure that providers or their business associates are completing the compliance actions as agreed. Follow-up should be added, the report said.
• Also, the Civil Rights Office started conducting more than 220 HIPAA compliance audits without first setting benchmarks to measure the audit program's failure or success. Performance measures for the audit program should be set, the GAO said.
• Finally, the Civil Rights Office, after looking into complaints, routinely fails to share its findings with the CMS, thereby losing the potential leverage CMS' payment authority might bring to bear on improving healthcare data privacy and security. Under the EHR incentive payment program, the CMS can withhold payments or impose Medicare penalties if a provider fails to meet its “meaningful use” criteria. Those criteria include attesting that a provider has met the HIPAA requirement to perform a data security risk assessment. The CMS audits its own incentive payment program, but the Civil Rights Office, by not fully sharing information with the CMS, increases the risk that providers will skate their security requirements and inappropriately receive EHR incentive payments. Sharing of information should be aimed at ensuring providers comply both with the incentive payment program rules and HIPAA, the watchdog said.