Recommendations Tracker
HHS-OIG provides independent and objective oversight that promotes economy, efficiency, and effectiveness in HHS programs and operations. To drive this positive change, we produce reports and identify recommendations for improvement. We have developed this public-facing page for tracking all of our open recommendations.
Use the Top Unimplemented View below to read OIG's Top Unimplemented Recommendations. In OIG’s view, these top recommendations for HHS programs, if implemented, would have the greatest impact in terms of cost savings, program effectiveness and efficiency, and public health and safety. Learn more
Summary of All Recommendations
Updated Monthly · Last updated on November 14, 2025
1,188
Unimplemented
recommendations
3,135
Implemented and Closed
recommendations since FY 2017
Views
OIG Recommendations Grouped by Report
Showing 101–120 of 1,340 reports, containing 4,323 recommendations
Sorted by latest release date
-
How FDA Used Its Accelerated Approval Pathway Raised Concerns in 3 of 24 Drugs Reviewed
25-E-01-010.01FDA should define specific factors that would require FDA's accelerated approval council to advise on certain drug applications.- Status
- Open Unimplemented
- Responsible Agency
- FDA
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- 07/16/2025
- Next Update Expected
- 09/22/2026
- Legislative Related
- No
25-E-01-010.02FDA should take steps to ensure appropriate documentation of meetings with sponsors in drug approval administrative files.- Status
- Open Unimplemented
- Responsible Agency
- FDA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 07/16/2025
- Next Update Expected
- 09/22/2026
- Legislative Related
- No
-
Medicare Could Save Billions With Comparable Access for Enrollees if Critical Access Hospital Payments for Swing-Bed Services Were Similar to Those of the Fee-for-Service Prospective Payment System
25-A-05-036.01We recommend that CMS seek a legislative change that will allow it to reimburse CAHs at rates that align with those paid to alternative facilities when it determines that similar care is available at alternative facilities.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Non-Concur
- Potential Savings
- $7,710,443,385
- Last Update Received
- 06/30/2025
- Next Update Expected
- 12/30/2025
- Legislative Related
- No
-
Florida Did Not Comply With Federal Waiver and State Requirements at 18 of 20 Adult Day Care Facilities Reviewed
25-A-04-035.01We recommend that the Florida Agency for Health Care Administration ensure that providers correct the 120 instances of provider noncompliance identified in this report.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 10/15/2025
- Next Update Expected
- 05/04/2026
- Legislative Related
- No
25-A-04-035.02We recommend that the Florida Agency for Health Care Administration improve its oversight and monitoring of providers.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 10/15/2025
- Next Update Expected
- 05/04/2026
- Legislative Related
- No
25-A-04-035.03We recommend that the Florida Agency for Health Care Administration work with providers to improve their facilities, staffing, and training.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 10/15/2025
- Next Update Expected
- 05/04/2026
- Legislative Related
- No
-
Medicare Advantage Compliance Audit of Specific Diagnosis Codes That UCare Minnesota (Contract H2459) Submitted to CMS
25-A-07-034.01We recommend that UCare Minnesota refund to the Federal Government the $4,761,271 of estimated net overpayments.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $4,761,271
- Last Update Received
- 09/15/2025
- Next Update Expected
- 03/15/2026
- Legislative Related
- No
25-A-07-034.02We recommend that UCare Minnesota identify, for the high-risk diagnoses included in this report, similar instances of noncompliance that occurred before or after our audit period and refund any resulting overpayments to the Federal Government.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 09/15/2025
- Next Update Expected
- 03/15/2026
- Legislative Related
- No
25-A-07-034.03We recommend that UCare Minnesota continue its examination of its existing compliance procedures to identify areas where improvements can be made to ensure that diagnoses that are at high risk for being miscoded comply with Federal requirements (when submitted to CMS for use in CMS's risk adjustment program) and take the necessary steps to enhance those procedures.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 09/15/2025
- Next Update Expected
- 03/15/2026
- Legislative Related
- No
-
Medicare Advantage Compliance Audit of Specific Diagnosis Codes Blue Care Network of Michigan (Contract H5883) Submitted to CMS
25-A-06-033.01We recommend that Blue Care Network of Michigan refund to the Federal Government the $3,412,369 of estimated overpayments.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $3,412,369
- Last Update Received
- 09/22/2025
- Next Update Expected
- 03/24/2026
- Legislative Related
- No
25-A-06-033.02We recommend that Blue Care Network of Michigan identify, for the high-risk diagnoses included in this report, similar instances of noncompliance that occurred before or after our audit period and refund any resulting overpayments to the Federal Government.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 09/22/2025
- Next Update Expected
- 03/24/2026
- Legislative Related
- No
25-A-06-033.03We recommend that Blue Care Network of Michigan continue to examine its existing compliance procedures to identify areas where improvements can be made to ensure that diagnosis codes that are at high risk for being miscoded comply with Federal requirements (when submitted to CMS for use in CMS's risk adjustment program) and take the necessary steps to enhance those procedures.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 09/22/2025
- Next Update Expected
- 03/24/2026
- Legislative Related
- No
-
ICAP at Columbia University Generally Managed Its PEPFAR Expenditures Appropriately but Lacked a Robust Financial Management System
25-A-04-032.01We recommend that ICAP refund $58,111 to CDC for transactions that it could not adequately support.- Status
- Open Unimplemented
- Responsible Agency
- CDC
- Response
- Concur
- Potential Savings
- $58,111
- Last Update Received
- 07/14/2025
- Next Update Expected
- 01/14/2026
- Legislative Related
- No
25-A-04-032.02We recommend that ICAP fully implement its new grants management system, which will allow it to track and record its PEPFAR expenditures by CoAg and award year; and maintain supporting documentation for expenditures contained in its accounting records.- Status
- Open Unimplemented
- Responsible Agency
- CDC
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 07/14/2025
- Next Update Expected
- 01/14/2026
- Legislative Related
- No
-
Medicare Home Health Agency Provider Compliance Audit: Bridge Home Health
25-A-05-031.01We recommend that Bridge Home Health refund the $6,046 in overpayments to the Medicare program.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $6,046
- Last Update Received
- -
- Closed Date
- 07/03/2025
- Legislative Related
- No
25-A-05-031.02We recommend that Bridge Home Health identify similar instances of noncompliance that occurred before, during, and after the audit period and determine the impact and return any overpayments to the Federal Government.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/03/2025
- Legislative Related
- No
25-A-05-031.03We recommend that Bridge Home Health strengthen its review of medical record documentation to ensure compliance with Medicare billing requirements.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 06/17/2025
- Legislative Related
- No
-
Medicare Advantage Compliance Audit of Specific Diagnosis Codes That Triple-S Advantage, Inc., (Contract H5774) Submitted to CMS
25-A-04-030.01We recommend that Triple-S Advantage, Inc. refund to the Federal Government $296,758 in net overpayments.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $296,758
- Last Update Received
- 09/30/2025
- Next Update Expected
- 03/30/2026
- Legislative Related
- No
25-A-04-030.02We recommend that Triple-S Advantage, Inc. identify, for the high-risk diagnoses included in this report, similar instances of noncompliance that occurred before or after our audit period and refund any resulting overpayments to the Federal Government.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 09/30/2025
- Next Update Expected
- 03/30/2026
- Legislative Related
- No
25-A-04-030.03We recommend that Triple-S Advantage, Inc. continue to examine its existing compliance procedures to identify areas where improvements can be made to ensure that diagnosis codes that are at high risk of being miscoded comply with Federal requirements (when submitted to CMS for use in CMS's risk adjustment program) and take the necessary steps to enhance those procedures.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 09/30/2025
- Next Update Expected
- 03/30/2026
- Legislative Related
- No
-
Some Selected Skilled Nursing Facilities Did Not Comply With Medicare Requirements for Reporting Related-Party Costs
25-A-07-028.01We recommend that the Centers for Medicare & Medicaid services require the MACs to include, as part of the normal desk review or audit process, a review of reporting and disclosure of related-party costs.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- 05/12/2025
- Next Update Expected
- 11/12/2025
- Legislative Related
- No
25-A-07-028.02We recommend that the Centers for Medicare & Medicaid Services develop and implement guidance for skilled nursing facilities on the appropriate methods for providers to determine their allowable related-party costs.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 06/17/2025
- Legislative Related
- No
25-A-07-028.03We recommend that the Centers for Medicare & Medicaid Services provide guidance to reeducate Medicare Administrative Contractors on the need to review, grant, and document requests from skilled nursing facilities for exceptions to cost reporting requirements in compliance with 42 CFR § 413.17(d).- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 06/17/2025
- Legislative Related
- No
-
Some HHS Requirements for Vetting Mobile Apps Were Not Followed Prior to the Release of the AHRQ Question Builder App
25-A-18-027.01We recommend that the Agency for Healthcare Research and Quality reassess the Question Builder app to determine if the unnecessary functionality and privileges built into the app can and should be removed or formally assess, document, and accept the risk of not removing them.- Status
- Open Unimplemented
- Responsible Agency
- AHRQ
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 06/16/2025
- Legislative Related
- No
25-A-18-027.02We recommend that the Agency for Healthcare Research and Quality update the AHRQ Mobile Application Development Policy to require project officers and app developers to assess AHRQ mobile apps for unnecessary or unused functionality and remove or disable such functionality where feasible before submitting it to an app store and establish a procedure to ensure adherence to these requirements.- Status
- Open Unimplemented
- Responsible Agency
- AHRQ
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 06/16/2025
- Legislative Related
- No
25-A-18-027.03We recommend that the Agency for Healthcare Research and Quality update the AHRQ Mobile Application Development Policy to require vetting the security of all AHRQ mobile apps for compliance with the HHS secure coding policy requirements and correcting any security vulnerabilities identified before releasing a mobile app to app stores for public use and establish a procedure to ensure adherence to these requirements- Status
- Open Unimplemented
- Responsible Agency
- AHRQ
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 06/16/2025
- Legislative Related
- No
-
Indiana Made at Least $56 Million in Improper Fee-for-Service Medicaid Payments for Applied Behavior Analysis Provided to Children Diagnosed With Autism
25-A-09-026.01We recommend that the Indiana Family and Social Services Administration refund $39,432,556 (Federal share) to the Federal Government for FFS Medicaid ABA payments that did not comply with Federal and State requirements.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $39,432,556
- Last Update Received
- 10/07/2025
- Next Update Expected
- 04/08/2026
- Legislative Related
- No
25-A-09-026.02We recommend that the Indiana Family and Social Services Administration provide additional guidance to ABA facilities for documenting ABA, including services that must be provided to support the use of CPT codes 97155 and 97156, State signature requirements, the detail in session notes needed to support ABA provided, and what the State agency considers billable ABA time.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 10/07/2025
- Next Update Expected
- 04/08/2026
- Legislative Related
- No
25-A-09-026.03We recommend that the Indiana Family and Social Services Administration periodically perform a statewide postpayment review of Medicaid ABA payments, including reviewing medical records, to educate providers on requirements and to recover payments that did not comply with Federal and State requirements.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/26/2025
- Legislative Related
- No
25-A-09-026.04We recommend that the Indiana Family and Social Services Administration periodically review its prior authorization contractor's procedures for verifying ABA facilities' compliance with requirements for State diagnostic evaluations and treatment referrals for ABA.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/26/2025
- Legislative Related
- No
25-A-09-026.05We recommend that the Indiana Family and Social Services Administration exercise reasonable diligence to review and determine whether any of the estimated $53,236,026 (Federal share) in potentially improper ABA payments complied with Federal and State requirements and refund the Federal share of any improper payment amount to the Federal Government.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $53,236,026
- Last Update Received
- 10/07/2025
- Next Update Expected
- 04/08/2026
- Legislative Related
- No
-
Twelve Selected States Did Not Accurately Calculate the Federal Share of Medicaid Collections Subject to the Increased COVID-19 Federal Medical Assistance Percentages
25-A-06-024.01We recommend that the Centers for Medicare & Medicaid Services require the States to correct the reported Federal share of collections that were subject to the increased COVID-19 FMAP by recouping $62,504,429 from the 11 States that underreported the Federal share of Medicaid collections and refunding $711,715 to 1 State that overreported the Federal share of Medicaid collections.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $61,792,714
- Last Update Received
- 08/19/2025
- Next Update Expected
- 02/25/2026
- Legislative Related
- No
25-A-06-024.02We recommend that the Centers for Medicare & Medicaid Services emphasize to States that they should consistently follow their procedures for calculating the Federal share of collections, including during periods of increased FMAPs.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 08/19/2025
- Next Update Expected
- 02/25/2026
- Legislative Related
- No
25-A-06-024.03We recommend that the Centers for Medicare & Medicaid Services reinforce with reviewers that they should verify that the increased Federal share for TPL collections was properly supported.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 08/25/2025
- Legislative Related
- No
25-A-06-024.04We recommend that the Centers for Medicare & Medicaid Services revise its policies and procedures for reviewing States' reported collections to include review of States' calculations of the Federal share for all collections.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 08/19/2025
- Next Update Expected
- 02/25/2026
- Legislative Related
- No
-
Summary Report of Prior Office of Inspector General Cyber Threat Hunt Audits of Eight HHS Operating Division Networks
25-A-18-023.01We recommend that the Department of Health and Human Services Office of the Chief Information Officer enforce existing information security continuous monitoring (ISCM) requirements for detecting, preventing, and reporting the installation of unauthorized software across OpDivs referenced in HHS Policy for Information Security and Privacy Protection (IS2P) and enforce the new ISCM policy once approved.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 09/30/2025
- Next Update Expected
- 03/30/2026
- Legislative Related
- No
25-A-18-023.02We recommend that the Department of Health and Human Services Office of the Chief Information Officer enforce HHS's continuous monitoring policy for detecting, preventing, and reporting unauthorized or suspicious network activity across OpDivs.- Status
- Closed Unimplemented
- Responsible Agency
- OS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 09/30/2025
- Legislative Related
- No
25-A-18-023.03We recommend that the Department of Health and Human Services Office of the Chief Information Officer update the HHS IS2P to require OpDivs to implement NIST 800-53, Revision 5, CA-8 (2) Red Team Exercises at least every 2 years and RA-10 Threat Hunting yearly for high and moderate Federal Information Processing Standards Publication 199 impact systems.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 09/30/2025
- Next Update Expected
- 03/30/2026
- Legislative Related
- No
-
Staffing Shortages Limited IHS’s Capacity To Effectively Administer Much-Needed Sanitation Projects Funded by the Infrastructure Investment and Jobs Act
25-E-06-006.01IHS should assess the relative benefits of its current recruitment and retention strategies to guide future staffing plans, as well as exploring new tools to address staffing shortfalls.- Status
- Open Unimplemented
- Responsible Agency
- IHS
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 06/04/2025
- Legislative Related
- No
25-E-06-006.02IHS should explore options for expanding housing for DSFC staff.- Status
- Open Unimplemented
- Responsible Agency
- IHS
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 06/04/2025
- Legislative Related
- No
-
The Organ Procurement and Transplantation Network IT System’s Cybersecurity Controls Were Partially Effective and Improvements Are Needed
25-A-18-022.01We recommend that the Health Resources and Services Administration require the OPTN IT system contractor to remediate the 22 vulnerabilities identified and verify that the 22 vulnerabilities identified were remediated.- Status
- Closed Implemented
- Responsible Agency
- HRSA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 05/19/2025
- Legislative Related
- No
25-A-18-022.02We recommend that the Health Resources and Services Administration require the OPTN IT system contractor to improve network monitoring by implementing NIST SP 800-53, Revision 5, for the OPTN IT system, to include data loss prevention technology to prevent unauthorized exfiltration of information (Control SC-7(10)) and red-team exercises to simulate attempts by adversaries to compromise organizational systems (Control CA-8(2)).- Status
- Open Unimplemented
- Responsible Agency
- HRSA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 05/19/2025
- Next Update Expected
- 11/19/2025
- Legislative Related
- No
25-A-18-022.03We recommend that the Health Resources and Services Administration implement procedures to help ensure that the OPTN IT system contractor maintains compliance with federally required cybersecurity controls policies and standards on a continuing basis.- Status
- Open Unimplemented
- Responsible Agency
- HRSA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 05/19/2025
- Next Update Expected
- 03/30/2026
- Legislative Related
- No
-
Nonprofit and Government-Owned Nursing Homes Generally Complied With Federal Requirements Regarding the Infection Preventionist Position
25-A-01-021.01We recommend that the Centers for Medicare & Medicaid Services instruct the SSAs to follow up with the five nursing homes (three nonprofit and two Government-owned) that may not have complied with Federal requirements to verify that they have taken corrective actions.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/21/2025
- Legislative Related
- No
-
CGS Administrators, LLC, Did Not Reopen and Recalculate Most Selected Hospices’ Caps for Years Prior to 2020
25-A-06-020.01We recommend that CGS Administrators, LLC discontinue its practices that limit the reopening of prior years' cap calculations and start reopening all prior years' cap calculations.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/26/2025
- Legislative Related
- No
25-A-06-020.02We recommend that CGS Administrators, LLC revise its policies and procedures so that it meets the reopening deadlines established in Federal requirements.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/26/2025
- Legislative Related
- No
25-A-06-020.03We recommend that CGS Administrators, LLC conduct the prior years' hospice cap calculations for the five hospices with UPIC recoupments and collect any additional overpayments.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/26/2025
- Legislative Related
- No
-
Puerto Rico Did Not Designate a Medicaid Contracts Oversight Lead in a Timely Manner and Certified Contracts That Were Noncompliant
25-A-02-017.01We recommend that the Puerto Rico Health Department (the Health Department) update its policies and procedures to conform to Federal procurement standards—including policies and procedures related to contracts for leases, goods, and nonprofessional services—and to address the role of the Oversight Lead and the certification process.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 11/13/2025
- Next Update Expected
- 05/13/2026
- Legislative Related
- No
25-A-02-017.02We recommend that the Puerto Rico Department of Health (the Health Department) provide training to staff on policies and procedures.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 10/10/2025
- Next Update Expected
- 04/10/2026
- Legislative Related
- No
-
The Office for Civil Rights Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements and Improve the Protection of Electronic Protected Health Information
25-A-18-015.01We recommend that the Office for Civil Rights expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the Security Rule.- Status
- Open Unimplemented
- Responsible Agency
- OCR
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 05/20/2025
- Legislative Related
- No
25-A-18-015.02We recommend that the Office for Civil Rights document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner.- Status
- Open Unimplemented
- Responsible Agency
- OCR
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 05/20/2025
- Legislative Related
- No
25-A-18-015.03We recommend that the Office for Civil Rights define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review.- Status
- Open Unimplemented
- Responsible Agency
- OCR
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 05/20/2025
- Legislative Related
- No
25-A-18-015.04We recommend that the Office for Civil Rights define metrics for monitoring the effectiveness of OCR's HIPAA audits at improving audited entities' protections over ePHI and periodically review whether these metrics should be refined.- Status
- Open Unimplemented
- Responsible Agency
- OCR
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 05/20/2025
- Legislative Related
- No
-
Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024
25-A-18-014.01We recommend that HHS update its enterprise architecture system inventory and software/hardware asset inventories to include the information systems and components that are active on the HHS network. HHS should utilize the inventories to continuously monitor assets and identify and remediate vulnerabilities timely to better manage the risks to these assets.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 05/23/2025
- Next Update Expected
- 11/27/2025
- Legislative Related
- No
25-A-18-014.02We recommend that HHS complete implementation of a cybersecurity risk management strategy to assess and respond to identified risks within the agency and identified across OpDivs, watch for new risks, and monitor risks and confirm implementation. The strategy should define a standardized process to accept and monitor risks that cannot be adequately mitigated.- Status
- Closed Implemented
- Responsible Agency
- OS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 05/27/2025
- Legislative Related
- No
25-A-18-014.03We recommend that HHS require OpDivs incorporate analyses of security impacts of significant changes prior to implementation to measure its impacts to the organizations' security and enterprise architecture and confirm implementation.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 05/23/2025
- Next Update Expected
- 11/27/2025
- Legislative Related
- No
25-A-18-014.04We recommend that HHS require OpDivs to implement an effective SCRM program that meets the defined standards across HHS and confirm implementation is consistent with established standard. This should include requiring OpDivs to assess vendors and submit said monitoring results to HHS to assist with tracking and monitoring components on the network.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 05/23/2025
- Next Update Expected
- 11/27/2025
- Legislative Related
- No
25-A-18-014.05We recommend that HHS require OpDivs to establish oversight of background investigations performed for employees and contractors with logical access across the agency and perform continuous monitoring for new and existing users to ensure OpDivs are aware of the investigation status of their users.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 05/23/2025
- Next Update Expected
- 11/27/2025
- Legislative Related
- No
25-A-18-014.06We recommend that HHS confirm that OpDivs' policies require monitoring of privileged user accounts for both logging and activity reviews, in an automated manner.- Status
- Closed Implemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 06/17/2025
- Legislative Related
- No