The Department of Health and Human Services has established guidance for use by covered entities in their efforts to comply with Health Insurance Portability and Accountability Act requirements regarding the privacy and security of protected health information, but it does not address all elements called for by other federal cybersecurity guidance, according to a new report by the Government Accountability Office. “Specifically, HHS's guidance does not address how covered entities should tailor their implementations of key security controls identified by the National Institute of Standards and Technology to their specific needs,” GAO said. “Such controls include developing risk responses, among others. Further, covered entities and business associates have been challenged to comply with HHS requirements for risk assessment and management. Without more comprehensive guidance, covered entities may not be adequately protecting electronic health information from compromise.” The report recommends that HHS update its guidance for protecting electronic health information to address key security elements; improve its technical assistance to covered entities; follow up on corrective actions; and establish metrics for gauging the effectiveness of its audit program. HHS generally concurred with the recommendations and stated it would take actions to implement them.