Healthcare Providers Be Prepared, More Oversight is Coming
The Department of Health and Human Services needs to improve its security and privacy guidance and oversight program, according to a report from the Government Accountability Office (GAO).
What does this mean? Read the full article and report, and draw your own conclusions, but from our experience we are heading towards the days of more oversight by OCR. We've been trumpeting to our healthcare clients for over a year now that the day IS COMING when we (covered entities, BAAs, etc.) will be subject to regular audits and the rules will become less generic and more focused, similar to what we see in the banking industry. This article points this out in more detail, as the GAO is critical of OCR for not fully addressing all the elements of the NIST guidance, which was published in 2014; a crosswalk between it and the IT Security rule was released earlier this year.
The handwriting continues to not only show up on the wall, but to be illuminated in neon. Covered entities must take this seriously and get in front of the curve, and not wait for it to catch you empty-handed.