GAO Says HHS Needs to Improve Communications Regarding Electronic Health Information Breaches

Published: June 29, 2022


GAO recommends that HHS establish a feedback mechanism to improve the effectiveness of its breach reporting process.

Entities covered by the Health Insurance Portability and Accountability Act (HIPAA), such as health plans, are required to meet standards, developed by HHS, to protect electronic health information. Covered entities are also required to report data breaches to HHS.

GAO was asked to analyze the number of breaches reported to HHS, HHS’s review process for assessing implementation of security practices among covered entities, and the potential for improvements to HHS’s breach reporting requirements.

The chart below shows the number of breaches reported each year to HHS that involve 500 or more individuals’ health data. The breaches take place with the covered entities listed.

According to GAO’s analysis of electronic health information breaches reported to HHS, the number of breaches involving 500 or more individuals increased 164% from 2015 to 2021. Breaches stem from hacking, IT incidents, unauthorized exposure, disclosure, theft or loss of an individual’s identifiable health information. The majority, or 55%, of the breach events reported to HHS during this time period were due to hacking or another IT incident.

The HHS Office for Civil Rights (OCR) is responsible for enforcing HIPAA standards with covered health entities. A law referred to as the HITECH Amendment was enacted in January 2021 and requires OCR to establish a process to assess the extent to which covered entities have implemented security best practices related to electronic health information. To date, OCR has established standard operating procedures for its investigators, has sought public comment about the implementation of security practices, and is conducting outreach to the health care sector. OCR plans to finalize the process during the summer of 2022.

OCR is also responsible for implementing breach notification rules, including the development and management of the breach reporting process. According to GAO, OCR currently does not have a feedback mechanism for covered entities to use regarding the breach reporting process. GAO recommends that OCR establish a clear feedback method to help eliminate challenges for covered entities during the breach reporting process. GAO also suggests that soliciting feedback could help improve the process.