Coast Guard hit for slack PHI security
The Department of Homeland Security's Office of the Inspector General, an independent government watchdog, has found the Coast Guard seriously lagging in its efforts to protect personal health information.
The problem in a nutshell? It has not made health data security a priority.
"The Coast Guard has made progress in identifying its privacy data," OIG wrote in its May 7 report. "However, it faces challenges in protecting privacy data effectively because it has not placed a priority on a strong organizational approach to resolving privacy issues."
The Coast Guard signed a $14M EHR contract with Epic Systems in October of 2010. The report, however, does not mention the Epic EHR as a concern.
[See also: Coast Guard awards Epic $14M contract for new EHR.]
The IBM-Epic team remains in the running for an $11 billion EHR system for the Department of Defense. Also vying for the 10-year contract are two other teams: Computer Sciences Corp., partnered with HP and Allscripts, and a team composed of Cerner, Leidos, Accenture Federal and Intermountain Healthcare. DoD is expected to announce the contract award next month.
[See also: One out, three bids left for DoD EHR.]
The privacy concerns OIG raised in its report were focused on processes – specifically concerning its charge that the Coast Guard had failed to make privacy a priority. Among them:
- USCG does not have formal communications, such as regular meetings, between its respective Privacy and HIPAA Offices, which are necessary for improving privacy oversight and incident reporting. Without such coordination, USCG is limiting its ability to assess risks and mitigate potential privacy or HIPAA breaches.
- USCG does not have consistent instructions for managing and securing health records. Without updated instructions for records retention and disposal, USCG may expose personnel and their families to loss of privacy or identity theft.
- USCG clinics have not completed contingency planning for protecting privacy data from loss in case of emergency or disaster.
- USCG clinics do not have a process for periodically reviewing physical security to mitigate risks to privacy data.
- USCG has not conducted an assessment of the merchant mariner credentialing program and processes to identify and reduce privacy risk.
OIG put forth five recommendations:
- The Vice Commandant of the Coast Guard establish a formal mechanism to ensure communication between the USCG Privacy Officer and the HIPAA Privacy and Security Official for enhanced privacy oversight and reporting.
- The Vice Commandant of the Coast Guard ensure consistent instructions for managing the health records retention and disposal.
- The Vice Commandant of the Coast Guard prepare a plan of action and milestones to ensure that USCG has complete contingency planning for safeguarding privacy data in the event of emergency or disaster.
- The Vice Commandant of the Coast Guard prepare a plan of action and milestones to periodically review physical safeguards to mitigate risks to SPII and PHI at clinics.
- The Vice Commandant of the Coast Guard prepare a plan of action and milestones to improve internal controls for the merchant mariner credentialing program and processes to ensure protection of privacy data.
The Coast Guard concurred with all the recommendations.
Read the full OIG report here.