Privacy and Security: Food and Drug Administration Faces Challenges in Establishing Protections for Its Postmarket Risk Analysis System
Highlights
The Food and Drug Administration (FDA) is responsible for assessing the safety of certain medical products after approval (a process called postmarket risk surveillance). To this end, the Food and Drug Administration Amendments Act of 2007 required that FDA establish a postmarket risk identification and analysis system based on electronic health data. In May 2008, FDA began its Sentinel initiative, intended to fulfill this requirement. Additionally, the Act established a requirement for GAO to review FDA's planned system. GAO's specific objectives were to (1) describe the current status of FDA's implementation of the Sentinel system and (2) identify the key privacy and security challenges associated with FDA's plans for the Sentinel system. To do so, GAO analyzed available system documentation; reviewed key privacy and security laws, guidance, standards, and practices; and obtained and analyzed the views of privacy and security experts.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status
---|---|---
Food and Drug Administration | Given the significant privacy and security challenges, the Commissioner of FDA should develop a plan, including milestones, for developing the Sentinel system and for addressing the privacy and security challenges associated with (1) ensuring consistent application of protections to all Sentinel partners, (2) limiting use of personal health information to a clear and specific purpose, (3) involving the public in the development of the system and informing the public of the program's planned uses of personal health information and privacy protections, (4) using de-identified data, (5) establishing adequate security controls, and (6) overseeing and enforcing key privacy and security requirements. | In fiscal year 2013, we verified that FDA, in response to our recommendation, implemented the Mini-Sentinel pilot program to improve the agency's development of its Sentinel system. As part of its pilot program, FDA has developed policies and procedures to ensure that the system provides consistent application of protections to all system partners, personal health information will be used for the specific purpose of only postmarket safety surveillance, comprehensive security controls are implemented, and key privacy and security requirements are enforced. These actions reduce the potential risk that personal health information used and maintained by the Sentinel system could be compromised.