The Government Accountability Office (GAO) said in a new report that the Department of Health and Human Services (HHS) needs to improve its communications around data breach reporting in order to enhance health care delivery.
HHS’s Office of Civil Rights (OCR) manages breach reporting, but its current operation lacks a way for entities to provide feedback that could help improve the process.
HHS sets standards for protecting electronic health information and enforces compliance, while health care providers, health plans, business associates, and other entities are required to report breaches to HHS, GAO explained.
The number of health care data breaches has grown steadily since 2015, the government watchdog agency said. Breaches of health data may involve unauthorized (intentional or unintentional) exposure, disclosure, or loss of an individual’s identifiable health information.
“A law enacted in January 2021 required HHS, as part of its enforcement activities, to consider whether covered entities had implemented such practices,” wrote GAO in its report. “In response, OCR established standard operating procedures for its investigators, published a request for information to seek public comments on implementation of security practices, and is conducting outreach to the health care sector. OCR expects to finalize the process no later than the summer of 2022.”
Despite that work, OCR doesn’t have a method for covered entities to provide feedback on breach reporting, nor does it have a plan to develop one, GAO found.
GAO recommended developing a mechanism for feedback, saying it would greatly improve the process, and HHS agreed to work on implementing that change.