GAO: Electronic Health Information: HHS Needs to Improve Communications for Breach Reporting

Fast Facts

Health IT systems can enhance health care delivery and empower providers to make informed decisions about patient health. But these systems may be vulnerable to breaches.

The Department of Health and Human Services sets standards for protecting electronic health information and enforces compliance with them. Health care providers, health plans, their business associates, and other entities are required to report breaches to HHS.

The HHS Office for Civil Rights (OCR) manages the breach reporting process, but it lacks a way for reporting entities to provide feedback on that process. Such feedback could help improve the process…

What GAO Found

Since 2015, the Department of Health and Human Services (HHS) has seen an increase in reported breaches, while the number of affected individuals has varied each year from approximately 5 million to 113 million. Such breaches of health information involve the unauthorized (intentional or unintentional) exposure, disclosure, or loss of an individual’s identifiable health information…


GAO is making one recommendation to HHS to establish a feedback mechanism to improve the effectiveness of its breach reporting process. HHS concurred with GAO’s recommendation and described actions it would take to address it.

Agency Affected: Department of Health and Human Services

Recommendation: The Secretary of HHS should ensure that OCR establishes a mechanism for covered entities and business associates to provide feedback on OCR’s breach reporting process. (Recommendation 1)

Status: Open

Access the full 37-page report here.
