Health Information Technology: HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains

As of July 2012, the Office of the National Coordinator for Health Information Technology (ONC) had taken steps to implement this recommendation by centralizing responsibility for privacy and security issues, taking steps to formalize its management of privacy and security issues, and obtaining greater input from stakeholders. Among the specific actions taken, ONC established the following mechanisms for assessing and prioritizing initiatives and addressing stakeholder needs: (1) issued, in December 2008, the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, a set of privacy and security principles used for evaluating potential gaps in privacy policies; (2) established, in December 2009, the Office of the Chief Privacy Officer within ONC, and in February 2010, appointed a Chief Privacy Officer to advise the National Coordinator and coordinate with privacy officers in other agencies and countries regarding the privacy, security, and data stewardship of electronic, individually identifiable health information; and (3) implemented a multi-pronged approach to managing privacy-related initiatives that involves prioritizing privacy and security work to meet statutory deadlines and incorporating feedback from various stakeholders. As part of this approach, the Office of the Chief Privacy Officer proposes privacy policy issues for review and input to a workgroup of Health IT Policy Committee members representing health information exchange stakeholders, including small providers, large health care systems, vendors, privacy and security experts, and consumer groups. This workgroup submits draft recommendations to the Policy Committee for consideration and, after public discussion and deliberation, the Policy Committee adopts, modifies, or rejects the team's suggestions and submits recommendations to ONC. Upon receipt, ONC prioritizes these recommendations in light of other policies and activities and obtains from the directors of its various programs, internal input regarding the impact on various stakeholders, in order to inform decision-making regarding whether the recommendation should be accepted, modified, rejected, or tabled. Recommendations accepted are referred to the HHS Task Force, which deliberates and reaches consensus on, and recommends policies to address, specific privacy issues. ONC also incorporates feedback about privacy issues from program grantees and from participants in roundtable meetings it sponsors about emerging issues and determines privacy and security priorities through the analysis of public surveys and government data. By taking these actions, HHS strengthened its efforts to address key privacy principles and challenges related to protecting personal health information.