The DHS office of health affairs has not put in place an effective structure to meet requirements for safeguarding personally identifiable information it collects and is not ensuring ensure that all employees required to take annual training on that subject are completing it, an IG report says.

“Senior leadership has not placed priority on addressing such issues and instilling a culture of privacy to ensure compliance with privacy protection laws, regulations, and policies,” a report said. “These organizational shortfalls have resulted in a lack of transparency and security controls for protecting personally identifiable information OHA-wide.”

The office collects medical and personal information on persons treated by first responders in emergency situations, as well as identifying information on federal employees and others using its BioWatch web portal that helps the public health and emergency management communities prepare for and respond to biological incidents.

The report said for example that OHA did not require DHS emergency medical first responders to properly notify patients of their privacy rights as required upon collecting their information; and a key OHA system lacked strong authentication protocols to control access. Also, OHA’s public web portal lacked controls needed to effectively secure the information it contained against privacy risks and operated on a non-secure site, it said.