Office of Health Affairs Has Not Implemented An Effective Privacy Management Program

We evaluated the Office of Health Affairs’ (OHA) privacy safeguards for protecting the personally identifiable information (PII) it collects and maintains. OHA has not implemented an effective organizational framework for safeguarding PII in accordance with Federal requirements. OHA appointed a Privacy Officer, but this official lacks adequate authority and resources to carry out the various required privacy management responsibilities. This official also has not received OHA senior leadership support to issue the policies and procedures needed for effective organization-wide privacy management. Further, there was no central tracking to ensure that all employees completed annual privacy training and to accurately report this information to the Department and Congress as required.