The DHS Office of Inspector General (OIG) has found that the DHS Office of Health Affairs (OHA) does not have an adequate framework for protecting Personally Identifiable Information (PII). The OIG reviewed OHA's current privacy safeguards for the large volume of PII that the office collects and maintains. While OHA did have a Privacy Officer in place, the official in that position lacked the authority and resources needed to carry out the role's responsibilities. This weak oversight of privacy protection has resulted in a lack of transparency and in unresolved security concerns for PII across OHA. Specifically, the OIG found that patients were not being notified of their Privacy Act rights, that authentication controls were weak, and that a disorganized web portal was operating on a non-secure site.
The OIG developed 11 recommendations for OHA to improve their current system for safeguarding PII that include:
- assigning the appropriate authority, roles and responsibilities to the Privacy Officer (including a written statement of responsibilities and adequate funding),
- creating a system that tracks employee completion of the Privacy Awareness training that is mandatory for all staff,
- implementing a process to ensure that patients are provided Privacy Act notifications,
- overhauling the ePCR system, including stronger password requirements and system updates,
- and establishing plans of action for the BioWatch system that address its system security requirements.
OHA concurred with all 11 recommendations.