Health Information Technology:

Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy

GAO-07-238: Published: Jan 10, 2007. Publicly Released: Feb 1, 2007.

Contact:

David A. Powner
(202) 512-3000
contact@gao.gov


The expanding implementation of health information technology (IT) and electronic health information exchange networks raises concerns regarding the extent to which the privacy of individuals' electronic health information is protected. In April 2004, President Bush called for the Department of Health and Human Services (HHS) to develop and implement a strategic plan to guide the nationwide implementation of health IT. The plan is to recommend methods to ensure the privacy of electronic health information. GAO was asked to describe HHS's efforts to ensure privacy as part of its national strategy and to identify challenges associated with protecting electronic personal health information. To do this, GAO assessed relevant HHS privacy-related initiatives and analyzed information from health information organizations.

HHS and its Office of the National Coordinator for Health IT have initiated actions to identify solutions for protecting personal health information through several contracts and with two health information advisory committees. For example, in late 2005, HHS awarded several health IT contracts that include requirements for addressing the privacy of personal health information exchanged within a nationwide health information exchange network. Its privacy and security solutions contractor is to assess the organization-level privacy- and security-related policies, practices, laws, and regulations that affect interoperable health information exchange. Additionally, in June 2006, the National Committee on Vital and Health Statistics made recommendations to the Secretary of HHS on protecting the privacy of personal health information within a nationwide health information network, and in August 2006, the American Health Information Community convened a work group to address privacy and security policy issues for nationwide health information exchange. While these activities are intended to address aspects of key principles for protecting the privacy of health information, HHS is in the early stages of its efforts and has therefore not yet defined an overall approach for integrating its various privacy-related initiatives and addressing key privacy principles, nor has it defined milestones for integrating the results of these activities. GAO identified key challenges associated with protecting electronic personal health information in four areas.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In September 2007, we reported on the results of a follow-up engagement on health IT and privacy. In that report (GAO-08-1138), we noted that HHS and its Office of the National Coordinator for Health IT had taken important steps toward protecting the privacy of electronic health information by, for example, (1) documenting milestones for privacy-related objectives and tasks in the federal health IT strategic plan and (2) assigning responsibility for integrating the outcomes of its privacy-related activities and developing a planned privacy framework to the Director of the Office of Policy and Research within the National Coordinator's office. These activities addressed our recommendation that the department identify milestones and the entity responsible for integrating the outcomes of privacy-related initiatives.

    Recommendation: The Secretary of Health and Human Services should define and implement an overall approach for protecting health information as part of the strategic plan called for by the President. This approach should identify milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, including the results of its four health IT contracts and recommendations from the National Committee on Vital and Health Statistics and the American Health Information Community advisory committees.

    Agency Affected: Department of Health and Human Services

  2. Status: Closed - Implemented

    Comments: In December 2008, the Department of Health and Human Services' Office of the National Coordinator for Health IT published a privacy framework which encompassed HIPAA privacy principles. The stated goal of the office's effort was to establish a policy framework to guide the adoption of health IT and improve the availability of information through electronic health information exchange. The department, through the National Coordinator's office, also developed a privacy and security toolkit intended to help health care providers implement the principles in the privacy framework. The toolkit is a series of guidance documents that clarify how each section of the HIPAA Privacy and Security Rules can be used to help structure privacy and security policies related to electronic health information exchange. By taking these actions, HHS has developed a privacy framework and tools that health care providers and health information exchange entities can use as guidance to help them ensure that key HIPAA privacy principles are addressed by their efforts to protect electronic personal health information.

    Recommendation: The Secretary of Health and Human Services should define and implement an overall approach for protecting health information as part of the strategic plan called for by the President. This approach should ensure that key privacy principles in the Health Insurance Portability and Accountability Act are fully addressed.

    Agency Affected: Department of Health and Human Services

  3. Status: Closed - Implemented

    Comments: In efforts related to the Federal Health IT Strategic Plan, HHS and the Office of the National Coordinator for Health IT developed and implemented initiatives intended to address the key challenges related to this recommendation. For example, the Health Information Security and Privacy Collaboration (HISPC) and the State Alliance for e-Health took steps to address challenges associated with legal and policy issues. Specifically, HISPC researched solutions for legal and policy issues resulting from varying state laws and business practices, and the State Alliance for e-Health worked to reach consensus among 42 states on privacy and security issues, such as the resolution of variations in legal and policy requirements. In addition, the National Committee on Vital and Health Statistics addressed challenges associated with the disclosure of personal health information by defining standards for the protection of such information from unintentional disclosures. Also, the American Health Information Community established guidelines for interaction with users to ensure appropriate access rights, to help address challenges associated with individuals' rights to request access and amendments to health information. Finally, the Healthcare Information Technology Standards Panel defined standards for implementing security features in health IT systems that process personal health information. This activity was intended to help providers and other health IT entities address challenges associated with implementing security mechanisms for protecting health information. Through these initiatives, the department took steps intended to address key privacy and security challenges in protecting electronic personal health information. The outcomes of these efforts provide guidance that can be used to help health care providers and other entities address challenges they face in protecting personal health information exchanged within electronic health information networks.

    Recommendation: The Secretary of Health and Human Services should define and implement an overall approach for protecting health information as part of the strategic plan called for by the President. This approach should address key challenges associated with legal and policy issues, disclosure of personal health information, individuals' rights to request access and amendments to health information, and security measures for protecting health information within a nationwide exchange of health information.

    Agency Affected: Department of Health and Human Services
