US government two years overdue on Medicare drug data privacy rules

HHS was supposed to have issued implementation guidance by February 2010

By February 2010, HHS was supposed to have issued implementation guidance to assist healthcare organizations in de-identifying Medicare prescription drug information when it is used for purposes other than providing clinical care to an individual.

“This means ensuring that data cannot be linked to a particular individual, either by removing certain unique identifiers or by applying a statistical method to ensure that the risk is very small that an individual could be identified”, the GAO report explained.

But HHS admitted that it has failed to issue the guidance due to competing priorities for resources and internal reviews.

“Until the guidance is issued, increased risk exists that covered entities are not properly implementing the standards set forth by federal regulations for de-identifying protected health information”, the report from the government watchdog warned.

Also, the department's Office of Civil Rights (OCR) has not implemented an ongoing compliance audit program for the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, GAO said. The OCR is conducting audits this year, but has no plans to continue the audit program beyond December, it added.

“Without a plan for establishing an ongoing audit capability, OCR will have limited assurance that covered entities and business associates are complying with requirements for protecting the privacy and security of individuals’ personal health information”, the report noted.
