Privacy and Security: Food and Drug Administration Faces Challenges in Establishing Protections for Its Postmarket Risk Analysis System

GAO-09-355 Published: Jun 01, 2009. Publicly Released: Jun 01, 2009.
Highlights

The Food and Drug Administration (FDA) is responsible for assessing the safety of certain medical products after approval (a process called postmarket risk surveillance). To this end, the Food and Drug Administration Amendments Act of 2007 required that FDA establish a postmarket risk identification and analysis system based on electronic health data. In May 2008, FDA began its Sentinel initiative, intended to fulfill this requirement. Additionally, the Act established a requirement for GAO to review FDA's planned system. GAO's specific objectives were to (1) describe the current status of FDA's implementation of the Sentinel system and (2) identify the key privacy and security challenges associated with FDA's plans for the Sentinel system. To do so, GAO analyzed available system documentation; reviewed key privacy and security laws, guidance, standards, and practices; and obtained and analyzed the views of privacy and security experts.

Recommendations

Recommendations for Executive Action

Agency Affected: Food and Drug Administration

Recommendation: Given the significant privacy and security challenges, the Commissioner of FDA should develop a plan, including milestones, for developing the Sentinel system and for addressing the privacy and security challenges associated with (1) ensuring consistent application of protections to all Sentinel partners, (2) limiting use of personal health information to a clear and specific purpose, (3) involving the public in the development of the system and informing the public of the program's planned uses of personal health information and privacy protections, (4) using de-identified data, (5) establishing adequate security controls, and (6) overseeing and enforcing key privacy and security requirements.

Status: Closed – Implemented
In fiscal year 2013, we verified that FDA, in response to our recommendation, implemented the Mini-Sentinel pilot program to improve the agency's development of its Sentinel system. As part of its pilot program, FDA has developed policies and procedures to ensure that the system applies protections consistently to all system partners, that personal health information is used only for the specific purpose of postmarket safety surveillance, that comprehensive security controls are implemented, and that key privacy and security requirements are enforced. These actions reduce the risk that personal health information used and maintained by the Sentinel system could be compromised.

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Documentation, Electronic health records, Government information dissemination, Information disclosure, Information management, Product evaluation, Product safety, Program evaluation, Program management, Right of privacy, Risk assessment, Risk management, Safety, Security assessments, Security policies, Standards, Systems analysis, Systems design, Systems evaluation, Privacy policies, Policies and procedures, Program goals or objectives, Program implementation