This is the accessible text file for GAO report number GAO-09-355 
entitled 'Privacy And Security: Food and Drug Administration Faces 
Challenges in Establishing Protections for Its Postmarket Risk Analysis 
System' which was released on June 1, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

United States Government Accountability Office: 
GAO: 

June 2009: 

Privacy And Security: 

Food and Drug Administration Faces Challenges in Establishing 
Protections for Its Postmarket Risk Analysis System: 

GAO-09-355: 

GAO Highlights: 

Highlights of GAO-09-355, a report to congressional committees. 

Why GAO Did This Study: 

The Food and Drug Administration (FDA) is responsible for assessing the 
safety of certain medical products after approval (a process called 
postmarket risk surveillance). To this end, the Food and Drug 
Administration Amendments Act of 2007 required that FDA establish a 
postmarket risk identification and analysis system based on electronic 
health data. In May 2008, FDA began its Sentinel initiative, intended 
to fulfill this requirement. Additionally, the Act established a 
requirement for GAO to review FDA’s planned system. GAO’s specific 
objectives were to (1) describe the current status of FDA’s 
implementation of the Sentinel system and (2) identify the key privacy 
and security challenges associated with FDA’s plans for the Sentinel 
system. To do so, GAO analyzed available system documentation; reviewed 
key privacy and security laws, guidance, standards, and practices; and 
obtained and analyzed the views of privacy and security experts. 

What GAO Found: 

The Sentinel system is still in the early planning stages, with key 
decisions about development and milestones yet to be made. In planning 
for Sentinel, FDA has held outreach meetings with stakeholders; 
established a senior management team to solicit input from agency 
components; established a working group to share information with 
federal partners; and sought input from projects involving both public 
and private sector entities that are meant to refine research 
approaches and identify challenges and concerns. Although FDA has 
developed a preliminary design of the Sentinel process for making 
medical product safety-related queries (see below), key decisions such 
as developing a governance model for oversight and enforcement of 
relevant policies, establishing an architecture, and setting privacy 
and security policies have not yet been made. Further, FDA has not yet 
developed a plan or set of milestones for when it expects to have these 
issues addressed. 

Because the Sentinel system will rely on sensitive electronic health 
data, FDA will likely be faced with several significant privacy and 
security challenges as it continues to develop the Sentinel system, 
including: 

* ensuring that appropriate legal mechanisms are established to protect 
privacy and implement security consistently across the Sentinel system; 

* defining a clear and specific purpose for the system and ensuring 
that partners use personal health information only for specified 
purposes; 

* ensuring public involvement and effectively informing the public of 
the program’s planned uses of their personal health information; 

* ensuring that de-identified information—data stripped of fields that 
uniquely identify individuals—is not re-identified; 

* establishing adequate security controls to protect the personal 
health information associated with Sentinel; and 

* establishing sufficient oversight and enforcement mechanisms to 
ensure that privacy and security requirements are consistently 
implemented. 

FDA has yet to develop a plan or set milestones for addressing these 
challenges. 

Figure: Overview of the Planned Sentinel Query Process: 

[Refer to PDF for image: illustration] 

FDA and other entities[A]: 
* Query initiated to Sentinel coordinating center; 
* Coordinating center returns summaries of results; 
* Results summaries may potentially be shared with the public. 

Sentinel coordinating center: 
* Query sent to appropriate data sources: 
- Healthcare insurances providers; 
- Academic institutions; 
- Federal and state government agencies; 
- Healthcare providers; 
* Results summaries returned to coordinating center. 

Source: GAO based on FDA data. 

[A] Pharmaceutical companies are potential partners in the system, but 
may be limited in their capabilities. According to FDA officials, 
partners in the pharmaceutical industry are not to have access to 
personal health information but may be provided access to results 
summaries. 

[End of figure] 

What GAO Recommends: 

GAO recommends that the Commissioner of FDA develop a plan, including 
milestones, for developing the Sentinel system and for addressing 
privacy and security challenges. In written comments on this report, 
FDA agreed with GAO’s recommendation, but noted concerns with GAO’s 
representation of the program which FDA stated would lead readers to 
believe that their protected health information was at risk. 

View [hyperlink, http://www.gao.gov/products/GAO-09-355] or key 
components. For more information, contact Gregory C. Wilshusen at (202) 
512-6244 or wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Recommendation for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Briefing to Congressional Committees: 

Appendix II: Comments from the Food and Drug Administration: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Abbreviations: 

CMS: Centers for Medicaid & Medicare Services: 

eHI: eHealth Initiative: 

FDA: Food and Drug Administration: 

FDAAA: Food and Drug Administration Amendments Act of 2007: 

FISMA: Federal Information Security Management Act of 2002: 

HHS: Department of Health and Human Services: 

HIPAA: Health Insurance Portability and Accountability Act of 1996: 

HITECH: Health Information Technology for Economic and Clinical Health: 

MMA: Medicare Prescription Drug, Improvement, and Modernization Act of 
2003: 

NIST: National Institute of Standards and Technology: 

OECD: Organization for Economic Cooperation and Development: 

OMB: Office of Management and Budget: 

PIA: privacy impact assessment: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

June 1, 2009: 

The Honorable Edward M. Kennedy: 
Chairman: 
The Honorable Michael B. Enzi: 
Ranking Member: 
Committee on Health, Education, Labor, and Pensions: 
United States Senate: 

The Honorable Henry A. Waxman: 
Chairman: 
The Honorable John D. Dingell: 
Chair Emeritus: 
The Honorable Joe L. Barton: 
Ranking Member: 
Committee on Energy and Commerce: 
House of Representatives: 

The U.S. Food and Drug Administration (FDA), a component of the 
Department of Health and Human Services (HHS), has the responsibility 
to approve medications and certain other medical products for public 
use and then continue to assess the products' risks and benefits after 
they have been made available to the public (a process called 
postmarket risk surveillance). With increased attention to improving 
the safety and quality of health care, there has been growing interest 
in leveraging the large amounts of electronic health data being 
collected on a regular basis to enhance surveillance of postmarket 
risk. 

However, increased analytical use of personal health information raises 
concerns about the privacy and security of that information. According 
to the National Research Council, medical information is often the most 
privacy-sensitive information that individuals provide to others about 
themselves and protecting the privacy of that information has long been 
recognized as an essential element in the administration of health care 
systems. Further, industry groups and professional associations have 
called for stronger protections for personal health information. 

The Food and Drug Administration Amendments Act of 2007 (FDAAA) 
requires that FDA develop methods for the establishment of a postmarket 
risk identification and analysis system of electronic health data. In 
response, FDA announced the start of its Sentinel initiative in May 
2008. The initiative includes planning for the development of an 
integrated system to analyze electronic health data in order to 
identify potential risks and assess the safety of medical products 
after they have been made available to the public. 

FDAAA mandated that no later than 18 months after the date of its 
enactment we (1) evaluate the data privacy, confidentiality, and 
security issues related to accessing, transmitting, and maintaining 
data for the FDA Active Postmarket Risk Identification and Analysis 
System and (2) make recommendations regarding the need for further 
legislative actions to ensure the privacy, confidentiality, and 
security of the system or otherwise address privacy, confidentiality, 
and security issues to ensure the effective operation of the system. 

As agreed with your offices, we fulfilled the FDAAA mandate through a 
briefing provided on March 24, 2009. The specific objectives for our 
study were to (1) describe the current status of FDA's implementation 
of the Sentinel system and (2) identify the key privacy and security 
challenges associated with FDA's plans for the Sentinel system. To 
address the first objective, we: 

* analyzed available documentation and plans for system design and 
development; 

* reviewed the statements of work in contracts to assess specific 
aspects of future Sentinel system development, such as governance 
structures and data sources; 

* reviewed information on current demonstration projects to assess 
their status and their potential contribution to future Sentinel 
development; and 

* analyzed prior GAO reports to assess prior FDA activities related to 
postmarket risk evaluation. 

To address the second objective, we: 

* obtained and analyzed the views of privacy and security experts from 
the World Privacy Forum, the Health Law & Policy Institute, the Health 
Privacy Project at the Center for Democracy and Technology, and the 
SANS Institute; 

* obtained and analyzed the views of a privacy and information policy 
consultant; 

* obtained and analyzed the views of FDA officials and representatives 
from related projects; 

* analyzed independent studies and previous GAO reports to corroborate 
challenges identified by experts; and 

* analyzed provisions of key privacy and security laws, guidance, 
standards, and practices with respect to FDA's plans for the Sentinel 
system and challenges identified by privacy and security experts. 

We conducted this performance audit at FDA in the Washington, D.C., 
metropolitan area from May 2008 to May 2009 in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

This report summarizes the information we provided to your staff during 
our March 24, 2009, briefing, with revisions to reflect information 
obtained through agency comments. The full briefing, including our 
objectives, scope, and methodology, can be found in appendix I. In 
summary, our briefing made the following points: 

The Sentinel system is still in the early planning stages, with key 
decisions about development and milestones yet to be made. FDA has had 
several outreach meetings with a variety of stakeholders, such as the 
health care industry and patient and consumer advocacy groups, and has 
established an FDA senior management team to provide input from various 
agency components. FDA has also established a working group to share 
information with federal partners, such as the Department of Veterans 
Affairs and Department of Defense, and discuss issues related to 
relevant efforts being carried out by federal agencies, and has sought 
input from several projects involving both public and private sector 
entities that are meant to refine research approaches and identify 
challenges and concerns with launching a large-scale public-private 
partnership for postmarket surveillance. Because the Sentinel system is 
still in such an early stage of planning, FDA has yet to make key 
decisions related to major aspects of program development such as 
developing a governance model for oversight and enforcement of relevant 
policies, and establishing an architecture. While FDA has asserted that 
privacy risks will be reduced because Sentinel participants will not 
routinely exchange personal health information, the agency has not yet 
set policies to ensure the protection of privacy and security. Further, 
FDA has not yet developed a plan or set milestones for when it expects 
to have these issues addressed. 

In ensuring that the design of the Sentinel system provides adequate 
privacy and security protections, FDA will likely be faced with several 
significant challenges. These challenges include: 

* ensuring that appropriate legal mechanisms are established to protect 
privacy and implement security consistently across all elements 
associated with the Sentinel system; 

* defining a clear and specific purpose for the system and ensuring 
that partners with varying interests and business missions use personal 
health information only for specified purposes; 

* ensuring public involvement and effectively informing the public of 
the program's planned uses of their personal health information and 
privacy protections that will be applied to it; 

* ensuring that de-identified information--data stripped of fields that 
uniquely identify individuals--is not re-identified and that the use of 
personal health information in individually identifiable form is 
minimized and adequately protected; 

* establishing adequate security controls to protect the personal 
health information associated with Sentinel from unauthorized 
disclosure, modification, and destruction; and 

* establishing sufficient oversight and enforcement mechanisms to 
ensure that privacy and security requirements are consistently 
implemented across Sentinel's wide range of partners. 

FDA has yet to develop a plan or set milestones for addressing these 
challenges. If these challenges are not adequately addressed, the 
privacy and security of personal health information could be 
compromised. 

Recommendation for Executive Action: 

We are not making recommendations for further legislative actions. 
However, given the significant privacy and security challenges we have 
identified, we recommend that the Commissioner of FDA develop a plan, 
including milestones, for developing the Sentinel system and for 
addressing the privacy and security challenges associated with: 

* ensuring consistent application of protections to all Sentinel 
partners, 

* limiting use of personal health information to a clear and specific 
purpose, 

* involving the public in the development of the system and informing 
the public of the program's planned uses of personal health information 
and privacy protections, 

* using de-identified data, 

* establishing adequate security controls, and 

* overseeing and enforcing key privacy and security requirements. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report transmitted by the Acting 
Assistant Secretary for Legislation at the Department of Health and 
Human Services, the Acting Commissioner of Food and Drugs stated that 
protecting the privacy and security of protected health information was 
of paramount concern to FDA and agreed with our recommendation to 
develop a plan with milestones for the Sentinel system, noting that 
this recommendation was consistent with ongoing FDA efforts. The letter 
is reprinted in appendix II. 

In its comments, FDA also raised concerns that the report contained 
inaccuracies that seriously misrepresent the program and would lead 
readers to believe that their protected health information was at risk. 
However, we believe the report accurately characterizes the potential 
privacy and security risks with the Sentinel program and related 
analysis. The program is still in its early stages, and while FDA has 
stated its intention to establish controls for privacy and security, no 
specific implementation plans have yet been developed. Moreover, FDA 
officials acknowledged that the concerns raised in our report could be 
relevant to secondary analysis precipitated by Sentinel. It will be 
critical that these concerns are fully addressed as FDA moves forward 
with the Sentinel initiative. 

In explaining its position, the agency maintained that transactions 
that it foresees occurring within the Sentinel program would not pose a 
risk to protected health information. FDA noted that it envisions 
developing Sentinel as a distributed network, wherein protected health 
information would not be exchanged but would remain under the control 
of its owners and be protected by the controls they already have in 
place. As participants in Sentinel, these data owners would separately 
perform analysis on their own data and share only summaries of their 
results with other entities. We agree with FDA that its stated intent 
for conducting basic analysis under Sentinel is designed to minimize 
risk to privacy, and we believe that this approach, if implemented as 
FDA envisions it, could reduce privacy concerns. However, we do not 
believe it is appropriate to focus narrowly on just the transactions 
that FDA classifies as being within Sentinel, because other related 
transactions could pose greater risks. Specifically, FDA has 
acknowledged that there may be a need for secondary analysis based on 
results obtained through Sentinel, stating that this analysis would 
occur outside of Sentinel. Such secondary analysis could involve the 
sharing of protected health information, and many of the concerns 
raised in our report apply in these circumstances. It will be critical 
that these concerns are fully addressed as FDA moves forward with the 
Sentinel initiative. 

In its comments, FDA also noted that privacy and security are of 
paramount concern to the agency, and that the agency had engaged with 
individuals in the privacy and security field to examine privacy and 
security issues. FDA stated that Sentinel would be subject to the 
security requirements of the Federal Information Security Management 
Act of 2002 (FISMA) and would implement policies and procedures to 
ensure computer security. While FDA's stated commitment to 
investigating privacy issues and implementing rigorous security 
controls is important, until specific privacy and security safeguards 
have been implemented, concerns remain. Further, at this early stage of 
development, it is important to highlight areas in which potential 
compromises could occur so that attention can be focused on them. 
Identifying and assessing such concerns can help better ensure that 
planning for the system incorporates a comprehensive set of effective 
privacy and security controls. 

Finally, FDA expressed concern that the figure that appears in the 
Highlights and on page 24 could mislead readers, and it provided an 
alternate figure with modified labels and alternate illustrations for 
the elements of the system. We have made adjustments to the labels to 
address concerns raised by FDA. However, in addition to wording 
changes, FDA expressed concern that the illustrations in our figure 
give the impression that Sentinel is a fully automated system that does 
not include human participation and expertise. We believe the graphic--
which portrays individuals, systems, and symbols for institutions-- 
accurately portrays the nature of the Sentinel system, which is 
expected to include automated systems as well as human and 
institutional involvement. 

In addition, FDA provided technical comments, which we have 
incorporated as appropriate. 

We are sending copies of this report to interested congressional 
committees and the Commissioner of FDA. In addition, the report will be 
available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

If you or your staffs have any questions about this report, please 
contact me at (202) 512-6244 or at wilshuseng@gao.gov. Contact points 
for our Offices of Congressional Relations and Public Affairs may be 
found on the last page of this report. Key contributors to this report 
are listed in appendix III. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section] 

Appendix I: Briefing to Congressional Committees: 

Privacy and Security: Food and Drug Administration Faces Challenges in 
Establishing Protections for Its Postmarket Risk Analysis System: 

Briefing to Congressional Committees: 

March 24, 2009: 

Contents: 

* Introduction; 
* Objectives, Scope, and Methodology; 
* Results in Brief; 
* Background; 
* System Is in the Early Stages of Development; 
* FDA Faces Privacy and Security Challenges; 
* Conclusions; 
* Recommendation for Executive Action; 
* Agency Comments and Our Evaluation. 

[End of section] 

Introduction: 

The Food and Drug Administration (FDA), a component of the Department 
of Health and Human Services (HHS), has the responsibility to approve 
medical products for public use and then continue to assess the 
products’ risks and benefits after they have been made available to the 
public (a process called postmarket risk surveillance). With increased 
attention to improving the safety and quality of health care, there has 
been growing interest in leveraging the large amounts of electronic 
health data being collected on a regular basis to enhance surveillance 
of postmarket risk. 

However, increased analytical use of personal health information 
[Footnote 1] raises concerns about the privacy and security of that 
information. According to the National Research Council, medical 
information is often the most privacy-sensitive information that 
patients provide to others about themselves, and protecting the privacy 
of that information has long been recognized as an essential element in 
the regulations of health care systems. Further, industry groups and 
professional associations have called for stronger protections for 
personal health information. 

The Food and Drug Administration Amendments Act of 2007 (FDAAA) 
[Footnote 2] requires that FDA develop methods for the establishment of 
a postmarket risk identification and analysis system of electronic 
health data. In response, FDA announced the start of its Sentinel 
initiative in May 2008. The initiative includes planning for the 
development of an integrated system to analyze electronic health data 
in order to identify potential risks and assess the safety of medical 
products after they have been made available to the public. 

[End of section] 

Objectives, Scope, and Methodology: 

FDAAA mandates that no later than 18 months after the date of its 
enactment we (1) evaluate the data privacy, confidentiality, [Footnote 
3] and security issues related to accessing, transmitting, and 
maintaining data for the FDA Active Postmarket Risk Identification and 
Analysis System and (2) make recommendations regarding the need for further 
legislative actions to ensure the privacy, confidentiality, and 
security of the system or otherwise address privacy, confidentiality, 
and security issues to ensure the effective operation of the system. 

As agreed with your offices, the objectives for this study were to (1) 
describe the current status of FDA’s implementation of the Sentinel 
system and (2) identify the key privacy and security challenges 
associated with FDA’s plans for the Sentinel system. 

To address the first objective, we: 

* analyzed available documentation and plans for system design and 
development; 

* reviewed the statements of work in contracts to assess specific 
aspects of future Sentinel system development, such as governance 
structures and data sources; 

* reviewed information on current demonstration projects to assess 
their status and their potential contribution to future Sentinel 
development; and 

* analyzed prior GAO reports to assess prior FDA activities related to 
postmarket risk evaluation. 

To address the second objective, we: 

* obtained and analyzed the views of privacy and security experts on 
key challenges from the World Privacy Forum, the Health Law & Policy 
Institute, the Health Privacy Project at the Center for Democracy and 
Technology, and the SANS Institute; 

* obtained and analyzed the views from a privacy and information policy 
consultant; 

* obtained and analyzed the views of FDA officials and representatives 
from related projects to identify key privacy and security challenges; 

* analyzed independent studies and previous GAO reports to corroborate 
challenges identified by experts; and 

* analyzed provisions of key privacy and security laws, guidance, 
standards, and practices with respect to FDA’s plans for the Sentinel 
system and challenges identified by privacy and security experts. 

We conducted this performance audit at the Food and Drug Administration 
in the Washington, D.C., metropolitan area from May 2008 to February 
2009, in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

[End of section] 

Results in Brief: 

The Sentinel system is still in the early planning stages, with key 
decisions about development and milestones yet to be made. FDA has had 
several outreach meetings with a variety of stakeholders, such as the 
health care industry and patient and consumer advocacy groups, and has 
established an FDA senior management team to provide input from various 
agency components. FDA has also established a working group to share 
information with federal partners, such as the Department of Veterans 
Affairs and Department of Defense, and discuss issues related to 
relevant efforts being carried out by federal agencies, and it has 
sought input from several projects involving both public and private 
sector entities that are meant to refine research approaches and 
identify challenges and concerns with launching a large-scale 
public-private partnership for postmarket surveillance. Because the Sentinel 
system is still in such an early stage of planning, FDA has yet to make 
key decisions related to major aspects of program development such as 
developing a governance model for oversight and enforcement of relevant 
policies, establishing an architecture, and setting privacy and 
security policies. Further, FDA has not yet developed a plan or set 
milestones for when it expects to have these issues addressed. 

In designing and developing the Sentinel system, FDA will likely be 
faced with several significant privacy and security challenges. These 
challenges include: 

* ensuring that appropriate legal mechanisms are established to protect 
privacy and implement security consistently across all elements of the 
Sentinel system; 

* defining a clear and specific purpose for the system and ensuring 
that partners with varying interests and business missions use personal 
health information only for specified purposes; 

* ensuring public involvement and effectively informing the public of 
the program’s planned uses of their personal health information and 
privacy protections that will be applied to it; 

* ensuring that de-identified information—data stripped of fields that 
uniquely identify individuals—is not re-identified and that the use of 
personal health information in individually identifiable form is 
minimized and adequately protected; 

* establishing adequate security controls to protect the personal 
health information included in Sentinel from unauthorized disclosure, 
modification, and destruction; and 

* establishing sufficient oversight and enforcement mechanisms to 
ensure that privacy and security requirements are consistently 
implemented across Sentinel’s wide range of partners. 

FDA has yet to develop a plan or set milestones for addressing these 
challenges. If these challenges are not adequately addressed, the 
privacy and security of personal health information could be 
compromised. 

We are not making recommendations for further legislative actions. 
However, given the potential risk to privacy and security, we recommend 
that the Commissioner of FDA develop a plan, including milestones, for 
developing the Sentinel system and for addressing the privacy and 
security challenges associated with ensuring consistent application of 
protections to all Sentinel partners, limiting use of personal health 
information to a clear and specific purpose, involving the public in 
the development of the system, using de-identified data, establishing 
adequate security controls, and overseeing and enforcing key privacy 
and security requirements. 

In comments on a draft of this briefing provided via e-mail, FDA 
generally agreed with our recommendation. FDA asserted that privacy and 
security challenges raised by the use and transfer of personal health 
information would be largely alleviated by current plans for the 
Sentinel system—which call for all personal health information to 
remain with the entities that have custody of it and only analytical 
results to be shared—but acknowledged that secondary analysis involving 
personal health information may be necessary and that the privacy 
challenges we identified would be relevant to such analysis. FDA also 
noted that its ongoing contracts will help to set achievable 
milestones. 

[End of section] 

Background: Postmarket Risk Evaluation: 

FDA approves medical products for marketing when the agency judges that 
their known benefits outweigh known risks. After a product has been 
placed on the market, FDA’s practice is to continue to assess its risks 
and benefits by conducting postmarket evaluation through review of 
reports of adverse reactions (adverse events) and information from 
studies of the product, including clinical trials and studies following 
the use of the product in ongoing medical care (observational studies). 

FDA currently relies predominantly on a “passive” form of evaluation to 
obtain information on adverse events. That is, it is based on data from 
mandatory reports of adverse drug events submitted by manufacturers, as 
well as voluntarily submitted information about such events from health 
care providers and the public. FDA’s Adverse Event Reporting System, 
which captures this information, is the primary means the agency uses 
to collect information to monitor adverse events. In contrast, Sentinel 
would be a more “active” system, linking to multiple electronic 
databases that could be queried and analyzed to detect early warning 
signals of adverse events. 

According to FDA, active risk evaluation would result in: 

* utilization of existing electronic databases run by different 
entities, including private health plans, insurance plans, and 
government agencies with health care data; 

* the possibility of early discovery, or more complete understanding, 
of adverse events through review of electronic health data, including 
claims databases; 

* the possibility of timelier and more accurate results, based on the 
rapid review of data on millions of people; and 

* the ability to identify important medical product safety questions 
and develop mechanisms to protect patients in a more timely and 
efficient fashion. 

The FDA includes five centers that are responsible for ensuring the 
safety and effectiveness of different types of products. Three play an 
important role in the postmarket risk evaluation of medical products: 

* The Center for Biologics Evaluation and Research is responsible, among 
other things, for ensuring the safety and effectiveness of biological 
products such as vaccines, tissues, and blood products. 

* The Center for Devices and Radiological Health is charged with, among 
other things, ensuring the safety and effectiveness of medical devices. 
[Footnote 4] 

* The Center for Drug Evaluation and Research is responsible for, among 
other things, ensuring the safety and effectiveness of all over-the-
counter and prescription drugs. 

As concerns regarding the safety of medical products have increased, 
calls for improving the ability to monitor the postmarket performance 
of the products have also grown. 

* In 2005, the Secretary of HHS requested that FDA work to improve the 
agency’s ability to track the performance of a medical product during 
its entire life cycle, recommending, among other things, that the 
agency explore creating a public-private collaboration and leveraging 
existing large, electronic databases. 

* In 2006, the Institute of Medicine of the National Academies[Footnote 
5] made several recommendations to guide FDA in developing a “more 
structured way to determine the level of postmarket scrutiny and data 
requirements, in other words, to match the evaluation of drugs with the 
way that they will be used in the population.” 

* In 2006, we issued a report identifying areas needing improvement in 
FDA’s decision-making and oversight process and, among other things, 
recommended that FDA systematically track postmarket drug safety 
issues.[Footnote 6] 

In 2007, FDAAA mandated that the Secretary of HHS “establish and 
maintain procedures” for an “active postmarket risk identification and 
analysis system.” Specifically, the act required that the Secretary 
develop a system that: 

* provides standardized reporting of data on all serious adverse 
events; 

* provides active adverse event surveillance from federal health-
related electronic data, private sector health-related data, and other 
data deemed necessary by the Secretary to identify adverse events and 
potential drug safety signals; 

* identifies adverse event trends and patterns from the health-related 
data the system accesses; 

* provides reports on a regular basis to the Secretary concerning 
adverse event trends and patterns, rate of occurrence, and other 
information the Secretary deems appropriate, which may include data on 
comparative national adverse event trends; and 

* allows the program to export data in a form appropriate for further 
aggregation, statistical analysis, and reporting. 

The act sets the goal of having access to data from 25 million patients 
by July 1, 2010, and 100 million patients by July 1, 2012. 

Background: The Sentinel System: 

Additionally, the act states that the Secretary shall, not later than 2 
years after the date of the enactment, in collaboration with public, 
academic, and private entities, 

* develop methods to obtain access to disparate data sources and, 

* develop validated methods for the establishment of a postmarket risk 
identification and analysis system to link and analyze safety data from 
multiple sources. 

In response to the FDAAA call for an active postmarket risk evaluation 
system, FDA announced in May 2008 the start of its Sentinel initiative, 
which includes planning for development of a long-term national, 
integrated, electronic system for monitoring medical product safety. In 
addition, the planned system is intended to be a mechanism to obtain 
access to disparate data sources and analyze health care data from 
multiple sources (see figure 1). 

FDA anticipates that users of the planned system would transmit 
questions through a coordinating center (likely operated by a nonprofit 
entity) to holders of health data, who would perform analysis of their 
data and provide responses through the center. FDA currently envisions 
that its partners would not transfer personal health information as 
part of their initial responses to Sentinel questions, although 
officials acknowledge that the results of the responses to queries of 
this type would in some cases require follow-up involving access to 
personal health information. 

Figure 1: Overview of the Planned Sentinel Query Process: 

[Refer to PDF for image: illustration] 

FDA and other entities[A]: 
* Query initiated to Sentinel coordinating center; 
* Coordinating center returns summaries of results; 
* Results summaries may potentially be shared with the public. 

Sentinel coordinating center: 
* Query sent to appropriate data sources: 
- Healthcare insurance providers; 
- Academic institutions; 
- Federal and state government agencies; 
- Healthcare providers; 
* Results summaries returned to coordinating center. 

Source: GAO based on FDA data. 

[A] Pharmaceutical companies are potential partners in the system, but 
may be limited in their capabilities. According to FDA officials, 
partners in the pharmaceutical industry are not to have access to 
personal health information but may be provided access to results 
summaries. 

[End of figure] 
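The query flow in figure 1, as an added illustration that is not part of the report or of FDA's design: each data holder runs the analysis on records that stay in its custody and returns only a count summary, which the coordinating center aggregates. The partner names, drug, event and record values are constructed, and the small-cell suppression threshold (MIN_CELL) is an assumption of this example, not something the report specifies.

```python
"""
Distributed query in the style the report describes for Sentinel (added
example, not FDA or partner code). Holders answer with a 2x2 count table;
the coordinating center sums the tables and computes a crude relative risk.
All names and record values are constructed; MIN_CELL is assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_CELL = 3          # assumed: counts in 1..MIN_CELL-1 are withheld
CELLS = ("exposed_event", "exposed_no_event",
         "unexposed_event", "unexposed_no_event")


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str           # direct identifier; must never leave the holder
    drugs: frozenset
    adverse_events: frozenset


@dataclass
class DataHolder:
    """A partner (health plan, agency, ...) that analyses its own data locally."""
    name: str
    records: List[PatientRecord]

    def answer(self, drug: str, event: str) -> Dict[str, object]:
        """Return a 2x2 count table for drug exposure vs. adverse event."""
        table = dict.fromkeys(CELLS, 0)
        for r in self.records:
            exp = "exposed" if drug in r.drugs else "unexposed"
            ev = "_event" if event in r.adverse_events else "_no_event"
            table[exp + ev] += 1
        # Small-cell suppression before anything leaves the holder:
        # None means "count withheld".
        summary: Dict[str, object] = {
            k: (v if v == 0 or v >= MIN_CELL else None) for k, v in table.items()}
        summary["holder"] = self.name
        self._check_no_identifiers(summary)
        return summary

    def _check_no_identifiers(self, summary: Dict[str, object]) -> None:
        """Local audit: a summary must not carry any patient identifier."""
        ids = {r.patient_id for r in self.records}
        leaked = [v for v in summary.values() if isinstance(v, str) and v in ids]
        if leaked:
            raise ValueError(f"{self.name}: summary contains identifiers {leaked}")


def relative_risk(t: Dict[str, int]) -> Optional[float]:
    """Crude relative risk of the event among exposed vs. unexposed patients."""
    n_exp = t["exposed_event"] + t["exposed_no_event"]
    n_unexp = t["unexposed_event"] + t["unexposed_no_event"]
    if n_exp == 0 or n_unexp == 0 or t["unexposed_event"] == 0:
        return None
    return (t["exposed_event"] / n_exp) / (t["unexposed_event"] / n_unexp)


class CoordinatingCenter:
    """Routes a query to every holder and aggregates the returned summaries."""

    def __init__(self, holders: List[DataHolder]):
        self.holders = holders

    def run_query(self, drug: str, event: str) -> Dict[str, object]:
        totals = dict.fromkeys(CELLS, 0)
        suppressed = 0
        for h in self.holders:
            s = h.answer(drug, event)
            for k in CELLS:
                if s[k] is None:
                    suppressed += 1   # aggregate is then a lower bound
                else:
                    totals[k] += s[k]
        return {"drug": drug, "event": event, **totals,
                "suppressed_cells": suppressed,
                "relative_risk": relative_risk(totals)}


def make_records(prefix: str, drug: str, event: str,
                 counts: Dict[str, int]) -> List[PatientRecord]:
    """Build constructed records matching the requested 2x2 cell counts."""
    recs, i = [], 0
    for cell, n in counts.items():
        exposed = cell.startswith("exposed")
        had_event = not cell.endswith("_no_event")
        for _ in range(n):
            recs.append(PatientRecord(
                patient_id=f"{prefix}-{i:04d}",
                drugs=frozenset([drug] if exposed else ["other-drug"]),
                adverse_events=frozenset([event] if had_event else [])))
            i += 1
    return recs


# Constructed sample data: two partners with different exposure patterns.
DRUG, EVENT = "drug-A", "liver-injury"
HOLDER_A = DataHolder("health-plan-A", make_records("A", DRUG, EVENT, {
    "exposed_event": 6, "exposed_no_event": 14,
    "unexposed_event": 4, "unexposed_no_event": 36}))
HOLDER_B = DataHolder("agency-B", make_records("B", DRUG, EVENT, {
    "exposed_event": 2, "exposed_no_event": 8,   # 2 falls below MIN_CELL
    "unexposed_event": 5, "unexposed_no_event": 45}))
CENTER = CoordinatingCenter([HOLDER_A, HOLDER_B])

if __name__ == "__main__":
    print(CENTER.run_query(DRUG, EVENT))
```

The suppressed cell from agency-B shows the trade-off the report's de-identification discussion implies: withholding small counts protects individuals but leaves the aggregate as a lower bound, which is why the center reports how many cells were suppressed.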

Background: Fair Information Practices: 

FDAAA contains provisions requiring FDA to address privacy and security 
within its postmarket analysis system. Widely accepted guidelines exist 
for the protection of privacy and security of sensitive information 
that have driven programmatic requirements for privacy and security. 

The Fair Information Practices are a set of privacy protection 
principles first proposed in 1973 by a U.S. government advisory 
committee. These principles, with some variation, are used by 
organizations to address privacy considerations in their business 
practices and are also the basis of privacy laws and related policies 
in many countries, including the United States, Germany, Sweden, 
Australia, and New Zealand, as well as the European Union. The widely 
adopted version developed by the Organization for Economic Cooperation 
and Development (OECD) is shown in the table on the following page. 

Table 1: Fair Information Practices: 

Principle: Collection limitation; 
Description: The collection of personal information should be limited, 
should be obtained by lawful and fair means, and, where appropriate, 
with the knowledge or consent of the individual. 

Principle: Data quality; 
Description: Personal information should be relevant to the purpose for 
which it is collected, and should be accurate, complete, and current as 
needed for that purpose. 

Principle: Purpose specification; 
Description: The purposes for the collection of personal information 
should be disclosed before collection and upon any change to that 
purpose, and its use should be limited to those purposes and compatible 
purposes. 

Principle: Use limitation; 
Description: Personal information should not be disclosed or otherwise 
used for other than a specified purpose without consent of the 
individual or legal authority. 

Principle: Security safeguards; 
Description: Personal information should be protected with reasonable 
security safeguards against risks such as loss or unauthorized access, 
destruction, use, modification, or disclosure. 

Principle: Openness; 
Description: The public should be informed about privacy policies and 
practices, and individuals should have ready means of learning about 
the use of personal information. 

Principle: Individual participation; 
Description: Individuals should have the following rights: to know 
about the collection of personal information, to access that 
information, to request correction, and to challenge the denial of 
those rights. 

Principle: Accountability; 
Description: Individuals controlling the collection or use of personal 
information should be accountable for taking steps to ensure the 
implementation of these principles. 

Source: OECD. 

[End of table] 

Background: Relevant Laws and Guidance: 

No single federal law governs all use or disclosure of personal 
information. Instead, there are a number of separate statutes and 
guidance that provide privacy and security protections for information 
used for specific purposes or maintained by specific entities. 

The Privacy and Security Rules promulgated under the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) set privacy and 
security requirements for personal health information maintained by 
certain types of health care organizations, likely including a 
significant portion of the personal health information held by 
potential partners in the Sentinel system. The Privacy and Security 
Rules were intended to protect the privacy and security of individually 
identifiable health information held by an entity covered by the act. 

* The HIPAA Privacy Rule requires covered entities to take such actions 
as (1) making reasonable efforts to disclose or use only the minimum 
personal health information necessary; (2) providing notice of privacy 
practices; (3) assuring individuals the right to review and obtain a 
copy of their protected health information and request corrections of 
inaccurate or incomplete data; (4) safeguarding protected health 
information from inappropriate use or disclosure; and (5) obtaining 
written authorization or consent for most uses and disclosures of 
personal health information other than for treatment, payment, and 
health care operations, or as required by law. 

* The HIPAA Security Rule sets standards for safeguards to protect the 
confidentiality, integrity, and availability of protected health 
information in electronic form, including administrative safeguards, 
such as information access management; physical safeguards, such as 
facility access controls; technical safeguards, such as transmission 
security to protect electronic protected health information and control 
access to it; and standards for contracts and other arrangements with 
business partners. 

The Privacy Act of 1974 serves as the major mechanism for controlling 
the collection, use, and disclosure of personally identifiable 
information within the federal government. The act requires federal 
agencies to provide safeguards for all information contained in systems 
of records (any grouping of records containing personal information 
retrieved by individual identifier) that they maintain. The act also 
requires agencies to publish notices about these systems of records, 
which are intended to inform the public of how personal information is 
collected, maintained, used, and disseminated. 

The E-Government Act of 2002 requires agencies to conduct privacy 
impact assessments and would likely have implications for FDA and 
Sentinel’s federal partners. Section 208 of the E-Government Act of 
2002 strives to enhance protection of personal information in 
government information systems by requiring that agencies conduct 
privacy impact assessments (PIA). A PIA is an analysis of the risks and 
effects of collecting, maintaining, and disseminating information in 
identifiable form in an electronic information system. 

The Federal Information Security Management Act of 2002 (FISMA) 
[Footnote 7] is the primary law governing information security in the 
federal government; it addresses the protection of personal information 
in the context of securing federal agency information and systems. 
FISMA requires that federal agency information security programs 
include periodic assessments of risk; policies and procedures that are 
based on risk assessments; and plans for providing adequate information 
security for networks, facilities, information systems, or groups of 
information systems. In addition, FISMA mandates security awareness 
training; periodic testing and evaluation; a process for planning, 
implementing, evaluating, and documenting remedial actions; procedures 
for detecting, reporting, and responding to security incidents; and 
plans and procedures for continuity of operations for information 
systems that support the operations and assets of an agency. 

A number of other laws and regulations also set requirements concerning 
the privacy and security of personal health information.[Footnote 8] 
For example, individual state laws may set constraints and other 
requirements on the use of personal health information by certain 
Sentinel partners. These laws include areas such as mental health and 
HIV/AIDS treatment. For example, Massachusetts state law[Footnote 9] 
prohibits the disclosure of HIV/AIDS test results or the identity of 
the test subject to anyone other than the subject without written 
authorization. Finally, the National Institute of Standards and 
Technology (NIST) established technical guidance and standards used by 
government, industry, and academia. Key publications relevant to 
Sentinel include guidance for planning, establishing, and terminating 
system interconnections;[Footnote 10] standards for categorizing 
information and information systems;[Footnote 11] and minimum security 
requirements for protecting the confidentiality, integrity, and 
availability of federal information systems and the information 
processed, stored, and transmitted by those systems.[Footnote 12] 

[End of section] 

Sentinel Is in the Early Stages of Development: 

FDA is in the early stages of planning and developing Sentinel and has 
yet to make decisions relating to governance, an architecture, data 
sources, research methodologies, and a privacy and security framework. 
In addition, FDA has not yet set milestones for development of the 
system that will support the initiative. 

Despite the project’s being in such an early planning stage, FDA 
officials expect to be able to meet milestones established in FDAAA. 
FDAAA requires that the agency’s postmarket risk assessment system will 
have access to data from 25 million patients by July 1, 2010, and 100 
million patients by July 1, 2012. FDA officials have indicated that the 
involvement of federal partners with large databases of patient 
records, such as the Centers for Medicare & Medicaid Services, the 
Department of Defense, and the Department of Veterans Affairs, will 
allow them to meet this milestone. Additionally, FDAAA requires FDA to 
develop methods to obtain access to disparate data sources and to 
establish a postmarket risk identification and analysis system to link 
and analyze safety data from multiple sources no later than 2 years 
after the date of the enactment. FDA officials plan to address this 
requirement by gathering data from supporting projects and issuing 
contracts to assess specific aspects of future Sentinel system 
development, such as governance structures and data sources. 

To establish a basic system concept and define preliminary 
requirements, FDA has completed the following activities: 

* Established a senior management team to solicit input from various 
FDA components on the overall direction of the system. The team has met 
on a monthly basis to review early progress, including the scope and 
direction of the system and the results of stakeholder meetings. 

* Held outreach meetings with key stakeholders in both the federal and 
private sectors, including the health care industry, vendors, and 
patient and consumer advocacy groups. Stakeholders have been asked to 
provide input on issues such as approaches to data collection, 
establishing appropriate governance and operational policies, and 
determining funding sources. 

* Created a federal partners working group to share information and 
discuss issues related to ongoing efforts being carried out by federal 
agencies that are complementary to Sentinel. This working group 
includes representatives from the Centers for Disease Control and 
Prevention, Centers for Medicare & Medicaid Services, National 
Institutes of Health, Department of Defense, and Department of Veterans 
Affairs. 

To further define requirements and assess the feasibility of technology 
options for the system, FDA has obtained input from several non-FDA 
projects, including the following: 

* The eHealth Initiative (eHI) Foundation’s Connecting for Drug Safety 
Collaboration Pilot is exploring opportunities to use electronic 
clinical information to identify and assess safety signals associated 
with marketed pharmaceuticals. 

* The Centers for Medicare & Medicaid Services (CMS) Project is 
designed to establish an environment to execute queries on Medicare 
Part D[Footnote 13] data relating to medical product postmarket risk 
and surveillance. 

* The Observational Medical Outcomes Partnership, a public/private 
partnership supported by the Foundation for the National Institutes of 
Health, is initiating a project using data from commercial health 
information brokers and healthcare providers to conduct a series of 
experiments to assess the value, feasibility, and utility of analyzing 
observational data to identify and evaluate the safety risks and 
potential benefits of prescription drugs. 

Beyond these early planning efforts, FDA has yet to make a variety of 
key programmatic decisions that may affect privacy and security. 
Specifically: 

* A governing and operating structure has not yet been established to 
oversee and enforce policies and procedures among the variety of public 
and private sector entities that are expected to participate in the 
system. FDA has contracted with eHI to examine approaches toward 
potential governance models and to identify and prioritize principles, 
attributes, and other considerations. 

* An architecture has not yet been developed to enable efficient, 
secure queries of distributed data sources; exchange of relevant 
product safety information; communications among partners; and transfer 
and storage of query results. To explore potential models for such an 
architecture, FDA has contracted with Harvard Pilgrim Healthcare to 
define and critically evaluate possible database models for use in 
Sentinel, as well as issues related to policy, performance, privacy and 
security, benefits to stakeholders, and data standards. 

* Partners in the initiative have not yet been identified. As mandated 
by FDAAA, the agency intends to develop the Sentinel initiative in 
collaboration with public, academic, and private-sector entities. Some 
of these entities will likely also be major sources of data for the 
system. Neither collaborating partners nor other data sources have yet 
been identified. To this end, FDA has awarded various contracts 
including one to Booz Allen Hamilton to identify potential data sources 
and describe types of electronic health care data. Potential 
collaborators include federal agencies (such as CMS and the Department 
of Defense), patient and consumer organizations, health care provider 
groups, pharmaceutical companies, health plans, insurance companies, 
and academic institutions. 

* Key methodologies for conducting research on adverse drug events have 
not yet been defined. According to FDA officials, the success of 
Sentinel will depend largely on the sensitivity, specificity, 
robustness, and flexibility of the analytical methods it uses. This 
research is necessary to understand the strengths and limitations of 
existing methods that might be employed in the system. FDA has 
contracted with the Group Health Cooperative Center for Health Studies 
to identify, describe, and evaluate current methods that Sentinel may 
employ. 

* Finally, a policy framework for the privacy and security of personal 
health information has not yet been developed. FDA acknowledges the 
importance of strong privacy and security safeguards, and it is 
assessing how to implement appropriate protections. As part of its 
efforts to obtain the views of patients, consumers, and health care 
professionals regarding, among other things, privacy and security 
concerns related to the use of personal health information, FDA 
contracted with eHI to research and analyze existing or proposed 
policies, rules, regulations, and other requirements related to the 
protection of privacy and security and recommend strategies for 
engaging the participation of patients, consumers, and health care 
professionals. 

FDA officials believe additional research and evaluation are needed in 
these areas and have issued contracts to various entities to address 
these needs. According to FDA, these contracts were awarded in early 
fall 2008, and final reports are to be available starting in spring 
2009. 

FDA faces a number of key privacy and security challenges as it plans 
for the development of the Sentinel system. 

Consistent application of protections: One major challenge will be 
ensuring that appropriate legal mechanisms are established to protect 
privacy and security consistently across all elements of the system, 
parts of which may be controlled by a variety of partner organizations. 
The variety of partners creates a complex legal environment in which 
existing privacy and security requirements may not apply to all 
participants. If adequate agreements and enforcement mechanisms are not 
established to ensure that a minimum set of standard requirements is 
applied consistently, there may be potential gaps in privacy and 
security protections. 

Establishing privacy and security requirements that apply consistently 
to all entities is key to ensuring that no particular entity with 
inadequate protections compromises the overall privacy and security of 
personal health information. In this regard, the National Committee on 
Vital and Health Statistics[Footnote 14]—a key advisory committee—has 
made recommendations in the past aimed at ensuring that HIPAA Privacy 
Rule protections are applied consistently across all entities handling 
personal health information. 

Experts have raised concerns that FDA’s potential delegation of day-to-
day operation of the Sentinel coordinating center to a nonfederal 
entity may result in legal gaps in privacy and security protections, 
because such an organization may not meet the definitions for a HIPAA-
covered entity and may not be covered by laws such as the Privacy Act 
and FISMA. Because of what experts viewed as the potential 
inapplicability of these legal requirements to the entity administering 
this coordinating center, these experts stressed that an appropriate 
agreement should be established between FDA and this entity to ensure 
that privacy and security requirements are in place. 

Further, while FDAAA requires that all Sentinel partners ensure that 
data are not used in a manner that would violate the HIPAA Privacy 
Rule, there is no similar requirement that all partners abide by 
security requirements. Without explicit provisions in individual 
agreements between FDA and Sentinel partners, potential gaps could 
occur in applicable security protections. For example, although most 
health plans or health providers would be covered entities under HIPAA 
and would have to abide by the HIPAA Security Rule, a pharmaceutical 
company or an academic institution might not be covered—in this case, 
such an entity might not have to comply with HIPAA security 
requirements if these were not stipulated in its agreement with FDA. 

Similarly, concerns have also been raised regarding the enforcement of 
data use agreements, which specify how personal health information will 
be used and the safeguards that will be in place to protect its 
confidentiality. Under the HIPAA Privacy Rule, such agreements are 
unenforceable by HHS against partners that are not HIPAA-covered 
entities, and covered entities are not liable for breaches of the data 
use agreement by the recipients of partially de-identified data. Such 
agreements are to be the basis for sharing partially de-identified data 
among Sentinel partners for public health purposes. Again, explicit 
provisions in individual agreements between FDA and Sentinel partners 
could address this concern. 

Because existing legal requirements for privacy and security are 
unlikely to apply consistently across potential partners, and the 
enforceability of the HIPAA Privacy Rule’s provisions among partners 
may be limited, FDA faces the challenge of ensuring that adequate 
privacy and security controls for the protection of personal health 
information are appropriately incorporated into cooperative agreements, 
contracts, and memorandums of understanding so that these protections 
are applied consistently by all partners throughout the system. 

Limiting use to clear and specific purposes: A second challenge FDA 
faces is defining clear and specific purposes for the use of personal 
health information for Sentinel, and ensuring that uses are limited to 
these purposes. Defining a clear and specific purpose may be difficult 
because of the differing levels of privacy protection defined under 
HIPAA for different types of uses. Furthermore, because of a wide range 
of potential users with significantly different missions and the ready 
availability of large databases of personal health information, FDA 
faces the challenge of ensuring that uses of data are limited to 
defined program purposes. 

[End of section] 

FDA Faces Privacy and Security Challenges: Limiting Use to Clear and 
Specific Purposes: 

Establishing a clear and specific purpose and limiting the use and 
disclosure of personal data to that purpose are key to assuring 
individuals that their personal information will not be used for 
unauthorized purposes. 

* The purpose specification principle states that the purpose for the 
collection of personal information should be disclosed before the 
collection is made and upon any change to that purpose. 

* The use limitation principle provides that personal information 
should not be disclosed or used for other than a specified purpose 
without consent of the individual or legal authority. 

* The HIPAA Privacy Rule also limits the uses and disclosures of an 
individual’s personal health information by covered entities. 
Specifically, HIPAA requires covered entities to make reasonable 
efforts to disclose or use only the minimum information necessary to 
accomplish the intended purpose, with certain exceptions, such as for 
treatment or as required by law. 

Determining an appropriate set of specific purposes for Sentinel will 
entail striking a balance between narrow and broad definitions. A 
purpose that is too narrowly defined may unnecessarily limit the 
system’s usefulness and make it unattractive for private sector data sources 
to participate. On the other hand, an overly permissive definition may 
allow partners to use personal health information for inappropriate 
purposes. 

FDAAA directs FDA to collaborate with public, private, and academic 
entities for the purpose of “advanced analysis of drug safety data.” 
Without additional guidance, this language could be interpreted to 
encompass a wide range of uses. These allowable uses could fall into 
different HIPAA categories, with varying requirements for protection. 

It is not yet clear under which HIPAA purpose category Sentinel’s 
postmarket risk evaluation purpose will fall, but it is likely to be 
included in one of the following categories defined by the HIPAA 
Privacy Rule: 

* Public health activities, which include use and disclosure by a 
covered entity to public health authorities authorized by law to 
collect or receive information necessary to prevent or control disease 
and to entities subject to FDA regulation for adverse event reporting 
and postmarket evaluation. 
- Disclosure under this category would be permitted without need for 
further authorization. 

* Research, which refers to use and disclosure by a covered entity for 
any “systematic investigation” that could develop or contribute to 
generalizable knowledge. 
- Use under this category would require that the covered entity satisfy 
additional requirements. For example, to use or disclose personal 
health information for research purposes without need for individual 
authorization requires that the covered entity receive a waiver or that 
the covered entity obtain a representation from the researcher that 
states, among other things, that the use or disclosure of the personal 
health information is only for preparing a research protocol and that 
no personal health information will be removed from the covered entity. 

Officials from eHI and privacy experts have stated that establishing 
how Sentinel’s uses appropriately fall into these purpose categories 
will be difficult because distinctions between public health and 
research are very subtle. However, as indicated, the decision could 
have ramifications for the extent of legal requirements in place for 
protecting personal health information. For example, there may be 
ambiguities relating to authorization and individual consent, which are 
treated differently depending on the category. 

In addition, privacy experts have expressed concern that the variety of 
public and private organizations and business missions involved in the 
project could make it difficult to effectively limit the use of the 
personal health information to postmarket risk evaluation. Sentinel, as 
currently planned, is expected to encompass millions of health records; 
access to this large amount of data could be very useful for analyses 
or other uses that go beyond assessing postmarket drug safety. For 
example, commercial users may seek to use the data for purposes such as 
marketing campaigns or tracking patient medical product usage and 
physicians’ prescription patterns. Further, academic users may wish to 
publish data they have used to support their research results. Uses 
such as these may be inappropriate and could have the potential to 
compromise patient privacy if not effectively controlled. 

As we previously reported in our 2006 report on the use of commercial 
data, consolidating large databases poses the risk that the use of data 
goes beyond the original system scope and intended uses.[Footnote 15] 
Sentinel could face this risk if the program seeks to bring together 
disparate, large databases of personal health information to be 
analyzed by multiple entities. 

Similarly, in 2007, we raised concerns about the risks associated with 
the availability of large amounts of aggregated data in our review of a 
planned data-mining program at the Department of Homeland Security. 
[Footnote 16] We stated that with the ability to facilitate a broad 
range of potential queries and analyses and aggregate large quantities 
of previously isolated pieces of information, the program could produce 
aggregated, organized information that organizations could be tempted 
to use for purposes beyond that originally specified when the 
information was collected. 

If adequate precautions are not taken to limit secondary uses of data, 
there is increased risk that personal health information may be used 
for purposes not intended for Sentinel. 

Ensuring public confidence: A third challenge that FDA faces is to 
build public trust through mechanisms that will ensure public 
involvement and also appropriately inform the public of the program’s 
planned uses of their personal health information as well as the 
privacy protections that will be applied to it. 

Regarding public involvement, privacy experts acknowledge that it would 
be extremely difficult or impractical to obtain individual consent for 
Sentinel’s planned use of personal health information, given the vast 
number of records involved and the need for timely results. Further, 
HIPAA specifically allows for the use of such information without 
individual consent or authorization for purposes of promoting public 
health. 

This may lead to some instances of uses of personal health information 
that individuals may find objectionable. FDA has acknowledged that risk 
and is trying to ensure that the public’s concerns are adequately 
addressed through public meetings and the creation of a transparent, 
inclusive process for the development of the system. Other mechanisms 
for public involvement in the development of the system could include 
adding privacy advocates and representatives of consumer organizations 
to governing boards to ensure that matters of public concern are raised 
and addressed. 

With regard to informing the public of the program’s planned uses of 
personal health information, the fair information practices and the 
HIPAA Privacy Rule generally require some mechanism for informing 
individuals about how personal information is to be used and protected: 

* The openness principle states that the public should be informed 
about privacy policies and practices, and that individuals should have 
ready means of learning about the use of personal information. 

* The HIPAA Privacy Rule requires that most covered entities provide a 
notice of their privacy practices. In addition to describing types of 
uses and disclosures, the notice, among other things, must also state 
the covered entity’s duties to protect privacy and individuals’ rights. 

In addition to informing individuals of what steps an entity is taking 
to protect the privacy of the personal information, privacy notices 
also help to ensure an organization’s accountability for its stated 
policies. 

According to experts, it may be difficult to develop a privacy notice 
that is at a level of detail that appropriately informs all segments of 
the public about the privacy protections in place for Sentinel, as well 
as promotes a clear understanding of how their personal health 
information is being used. They cited previous experience with privacy 
notices—such as those required of financial institutions by the Gramm-Leach-Bliley 
Act—which have been difficult for consumers to read and 
understand. 

In prior work, we have highlighted the use of a layered approach to 
creating privacy notices in order to improve comprehension. For 
example, we stated that at one layer, the notice could provide a brief 
description of the information required, the primary purpose for the 
collection, and associated uses and sharing of such data. A second 
layer could include additional details about the system or program’s 
uses and the circumstances under which data could be shared.[Footnote 
17] Using a layered approach to privacy notices could enhance 
effectiveness in communicating with individual patients. 

The many sources and large number of records involved also suggest that 
multiple channels of communication may be needed to ensure that as many 
individuals as possible are informed. 

For example, in addition to publishing a notice in the Federal Register 
as required by the Privacy Act or a privacy impact assessment as 
required by the E-Government Act, other communication methods may be 
useful, including disseminating information through a central Web site, 
developing a publication on Sentinel privacy measures, developing 
notices for health care providers and other collaborating partners 
and/or data sources to use when they collect personal health 
information, and conducting outreach to consumer and public advocacy 
groups. 

Without ensuring transparency into Sentinel’s privacy policies and 
procedures, FDA may risk losing the public’s confidence in its ability 
to protect their personal health information. 

Mitigating risks associated with de-identified data: A fourth challenge 
FDA faces is ensuring that de-identified data—which it plans to use in 
most cases when presenting the results of Sentinel analysis—is not used 
to re-identify individuals, as may be possible in certain 
circumstances. Further, in cases in which de-identified data may not be 
sufficient to fulfill program goals, FDA faces the challenge of 
ensuring that disclosure of personally identifiable health information 
is limited, monitored, and controlled. 

De-identification is the process of stripping data of fields that 
uniquely identify individuals. According to the Privacy Rule, 
information is de-identified when the data fields are insufficient to 
identify an individual and when there is no reasonable basis to believe 
that the data can be used to re-identify an individual. According to 
the Privacy Rule, de-identification can be achieved by stripping out 
fields that uniquely identify individuals, including: 

* names, 
* geographic subdivisions smaller than a state, 
* Social Security numbers, and, 
* dates of birth. 

HIPAA also allows covered entities to use an expert opinion to 
determine whether data have been de-identified. Under the Privacy Rule, 
once data have been successfully de-identified using an approved 
method, those data can be used and disclosed freely without being 
subject to the privacy rule. 

Various levels of de-identification are possible, and the risk of re-
identification varies accordingly (see figure 2). FDA officials have 
stated that their plan is to provide analytical results using only 
summary information known as aggregate output data, the least risky 
type of de-identified data. Experts generally agree that there is 
reduced risk of re-identification when this type of data is used. 
However, ensuring that de-identified data are not re-identified when 
disclosed to outside entities will pose challenges for FDA because 
useful analysis may require that riskier levels of de-identified data 
be used. 

Figure 2: Levels of De-identified Data: 

[Refer to PDF for image: illustration] 

Level of data: Aggregate data from multiple records; 
Data: Number of persons; Year; Drug Used; Reaction; 
Risk level: lowest. 

Level of data: Individual record, de-identified; 
Data: Gender; Age; Year; Drug Used; Reaction; 
Risk level: second lowest. 

Level of data: Individual record, partially de-identified; 
Data: Zip code; Gender; Age; Year; Drug Used; Reaction; 
Risk level: Second highest. 

Level of data: Individual record, full set of personally identifiable 
information; 
Data: Social Security number; Name; Zip code; Gender; Age; Year; Drug 
Used; Reaction; 
Risk level: Highest. 

Source: GAO analysis of industry and FDA data. 

[End of figure] 

However, the eHI project has found that aggregate data are often not 
useful as a research tool and that “limited data sets,” which include 
some identifying information, are often needed instead. Such data sets 
pose increased privacy risks because it may be possible to combine data 
fields in these limited data sets with other publicly available data to 
re-identify individuals. For example, according to published research 
by an expert in the field, 87 percent of individuals are uniquely 
identifiable given their gender, ZIP code, and date of birth.[Footnote 
18] 

Because of the significant risk of re-identification, the use of 
certain methods of de-identifying data, such as limited data sets, may 
require additional controls to mitigate risks. Actions to reduce the 
risk of re-identification could include: 

* using the least identifiable form of data to respond to queries, 

* ensuring that contractual requirements prohibit recipients from re-
identifying individuals and ensuring that individuals are not contacted 
or their personal health information otherwise disclosed, and, 

* establishing enhanced security controls to protect the data from 
inadvertent disclosure, given the risk of re-identification. 
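As an added illustration of the four levels in figure 2 and of the quasi-identifier risk discussed above (example code written for this page, not FDA, Sentinel or HIPAA reference code; the records, the helper names and the suppression threshold are constructed assumptions):

```python
"""Constructed example of the de-identification levels in figure 2 and a
uniqueness check on quasi-identifiers. Records, helper names and the
min_count threshold are hypothetical; this is not FDA or Sentinel code."""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, object]

# Fields that identify a person directly, and the small-geography field
# that the Privacy Rule lists among identifiers to strip (figure 2).
DIRECT_IDENTIFIERS = ("ssn", "name")
SMALL_GEOGRAPHY = ("zip",)
# Fields that are not identifiers on their own but can be combined with
# outside data (the quasi-identifiers behind the 87 percent finding).
QUASI_IDENTIFIERS = ("gender", "zip", "age")


def _rec(ssn, name, zip_, gender, age, year, drug, reaction) -> Record:
    return {"ssn": ssn, "name": name, "zip": zip_, "gender": gender,
            "age": age, "year": year, "drug": drug, "reaction": reaction}


# Constructed sample records (fictitious people, ZIP codes and products).
RECORDS: List[Record] = [
    _rec("000-00-0001", "Patient A", "20001", "F", 34, 2008, "DrugX", "rash"),
    _rec("000-00-0002", "Patient B", "20002", "M", 34, 2008, "DrugX", "rash"),
    _rec("000-00-0003", "Patient C", "20003", "F", 34, 2008, "DrugX", "rash"),
    _rec("000-00-0004", "Patient D", "20004", "F", 51, 2008, "DrugX", "nausea"),
    _rec("000-00-0005", "Patient E", "20005", "M", 51, 2008, "DrugX", "nausea"),
    _rec("000-00-0006", "Patient F", "20001", "F", 34, 2007, "DrugY", "rash"),
    _rec("000-00-0007", "Patient G", "20002", "M", 34, 2008, "DrugX", "rash"),
    _rec("000-00-0008", "Patient H", "20006", "F", 34, 2008, "DrugY", "nausea"),
]


def deidentify(record: Record, keep_zip: bool = False) -> Record:
    """Strip direct identifiers. With keep_zip=False this is the
    'individual record, de-identified' level of figure 2; with
    keep_zip=True it is the 'partially de-identified' level (ZIP code
    retained, second-highest risk)."""
    drop = set(DIRECT_IDENTIFIERS)
    if not keep_zip:
        drop.update(SMALL_GEOGRAPHY)
    return {k: v for k, v in record.items() if k not in drop}


def uniqueness(records: Iterable[Record], quasi_ids: Sequence[str]) -> float:
    """Fraction of records whose quasi-identifier combination occurs only
    once in the set. A unique combination is what makes linkage with
    other publicly available data possible."""
    records = list(records)

    def key(r: Record) -> tuple:
        return tuple(r[k] for k in quasi_ids)

    counts = Counter(key(r) for r in records)
    unique = sum(1 for r in records if counts[key(r)] == 1)
    return unique / len(records) if records else 0.0


def aggregate(records: Iterable[Record],
              group_by: Sequence[str] = ("year", "drug", "reaction"),
              min_count: int = 3) -> Tuple[Dict[tuple, int], int]:
    """Lowest-risk level: number of persons per (year, drug, reaction).
    Cells below min_count are suppressed, since a count of one or two
    singles out a small group even without identifiers. Returns
    (released cells, number of suppressed cells)."""
    counts = Counter(tuple(r[k] for k in group_by) for r in records)
    released = {cell: n for cell, n in counts.items() if n >= min_count}
    return released, len(counts) - len(released)


def respond(records: Iterable[Record], level: str, min_count: int = 3):
    """Answer a query at the requested level of figure 2. Fully
    identifiable output is refused here: the report treats that
    disclosure as a separately justified, monitored step rather than a
    routine query response."""
    records = list(records)
    if level == "aggregate":
        return aggregate(records, min_count=min_count)[0]
    if level == "deidentified":
        return [deidentify(r) for r in records]
    if level == "partial":
        return [deidentify(r, keep_zip=True) for r in records]
    raise ValueError(f"level {level!r} is not an approved de-identified level")


if __name__ == "__main__":
    print("unique on gender+zip+age:", uniqueness(RECORDS, QUASI_IDENTIFIERS))
    print("unique on gender+age only:", uniqueness(RECORDS, ("gender", "age")))
    print("aggregate response:", respond(RECORDS, "aggregate"))
```

On the constructed records, half are unique once ZIP code is kept and only a quarter without it, which is the difference between the second and third levels of figure 2 in miniature.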

According to FDA officials, while de-identified data may provide all 
necessary information for a majority of information queries, there are 
instances in which users may require access to personally identifiable 
health information to fully process query requests. For example, users 
may require personal health information to: 

* independently verify and validate certain results or perform targeted 
follow-up on a particular query; or 

* track individuals across de-identified output or aggregate results 
from various data sources in order to minimize double counting and 
produce more accurate query results. 

Providing partners access to personally identifiable health information 
introduces significant privacy and security risks that would likely 
require increased protection measures and oversight. Such measures 
could include: 

* monitoring and strictly limiting disclosure of personally 
identifiable health information to where there is a justified need; and 

* establishing stringent procedures for protecting the privacy and 
security of sensitive personally identifiable health information when 
such disclosure occurs between partners. 

If these challenges are not addressed, individuals’ sensitive health 
information could be inappropriately disclosed, and individuals’ 
privacy could be compromised. 

Establishing comprehensive security controls: FDA faces the challenge 
of determining the appropriate security controls that Sentinel will 
need to protect personal health information from loss or unauthorized 
disclosure to the extent that it is transferred between Sentinel 
partners. In doing so, FDA will need to establish a uniform set of 
security controls for all of its partners to ensure that potential 
weaknesses in controls at partner systems do not place personal health 
information in Sentinel at unnecessary risk of unauthorized disclosure, 
use, modification, or destruction. Such controls will need to 
demonstrate that the security of personal health information is 
protected both at rest and in transmission among Sentinel and its 
partners. 

Safeguarding personal health information is critical because its loss 
or unauthorized disclosure can lead to serious adverse consequences for 
individuals. The confidentiality of personal health information could 
be threatened not only by the risk of improper access to stored 
information, but also by the risk of interception during electronic 
transmission of the information. 

Through its planned distributed network of public and private partners, 
Sentinel queries may involve the exchange of electronic health 
information among partners in the public and private sector when 
secondary analysis is required. Although FDA does not anticipate that 
electronic health information will be routinely exchanged among 
partners, the large number of potential partners could provide many 
potential access points through which sensitive information could be 
compromised. Given this risk, FDAAA mandates that personal health 
information not be revealed in disclosing the results of analysis of 
drug safety signals and trends or responding to inquiries regarding 
drug safety signals and trends. 

A basic objective for any organization is to protect the resources that 
support its critical operations from unauthorized access. Organizations 
accomplish this objective by designing and implementing access controls 
that are intended to prevent, limit, and detect unauthorized access to 
computing resources, programs, and information. Inadequate access 
controls diminish the reliability of computerized information and 
increase the risk of unauthorized disclosure, modification, and 
destruction of sensitive information and the disruption of service. 
Such controls include protecting the physical boundary around a set of 
information resources, assigning unique user accounts to specific users 
to distinguish one user from another, and employing cryptography such 
as encryption to prevent unauthorized access to computing resources, 
programs, and information. 

Information security risks to the system could originate from within 
the system itself as well as from its partners. Within the system, 
inadequate security controls could lead to loss or disclosure of 
sensitive information. For example, if the system fails to ensure that 
controls adequately protect external and internal boundaries, that 
users are identified and authenticated, and that appropriate levels of 
encryption are consistently applied to protect sensitive data, there 
may be increased risk that individuals could gain unauthorized access 
to personal health information. 

Security risks could arise among Sentinel partners if their systems do 
not contain adequate security controls and personal health information 
is inadvertently disclosed, either from partner systems or while that 
information is being transmitted from one system to another. 

* As previously reported,[Footnote 19] the aggregate effect of 
inadequate access controls and weaknesses in other system controls 
places information and information systems supporting a larger system 
(such as Sentinel) at increased risk of unauthorized disclosure, use, 
modification, or destruction, possibly without detection. These 
weaknesses increase the risk that unauthorized individuals could read, 
copy, delete, add, and modify sensitive information—including 
personally identifiable information—on supporting systems. 

* Additionally, according to NIST,[Footnote 20] interconnecting 
information technology systems can expose the participating 
organizations to risk. If the interconnection is not properly designed, 
security failures could compromise the connected systems and the data 
that they store, process, or transmit. Similarly, if one of the 
connected systems is compromised, the interconnection could be used as 
a conduit to compromise the other system and its data. 

If appropriate security controls are not implemented and maintained 
within the system and among Sentinel partners, there is increased risk 
of unauthorized disclosure, use, modification, or destruction of 
personal health information. 

Establishing oversight and enforcement: Finally, concerns about the 
wide range of expected Sentinel partners as well as the authority that 
a nonprofit entity would have over these entities highlight the 
challenge that FDA will face in creating and implementing an effective 
oversight and enforcement mechanism to ensure, among other things, the 
privacy and security of personal health information maintained by 
Sentinel. 

Oversight and enforcement are key mechanisms for ensuring that security 
and privacy controls are consistently implemented and effective at 
mitigating risks. For example, federal agencies are subject to 
oversight, as required by FISMA.[Footnote 21] FISMA states that 
continuous monitoring of security controls is a key part of managing 
enterprise risk and maintaining an accurate understanding of security 
risks. Additional oversight is applied through reporting requirements 
to the Office of Management and Budget (OMB) and the Congress. In 
setting annual reporting requirements, OMB has directed agencies to 
provide details regarding their privacy protections for personally 
identifiable information as well as information security measures. An 
effective oversight and enforcement program is also consistent with the 
accountability principle, which states that individuals controlling the 
collection or use of personal information should be accountable for 
taking steps to ensure the implementation of the fair information 
practices. 

The wide range of partners expected in Sentinel creates an oversight 
and enforcement challenge for FDA. FDA has previously used a variety of 
mechanisms, including cooperative agreements and memorandums of 
understanding, to establish collaborative relationships with various 
members of the public and private sector. Similarly, Sentinel will 
likely require a range of contractual arrangements with its many 
partners. 

An official with the Observational Medical Outcomes Partnership—one of 
the projects that is informing Sentinel’s planned development—said that 
different contractual arrangements were needed depending on the type of 
data in use and the partner performing the analysis. Additionally, FDA 
has indicated that some organizations may choose to provide data to 
Sentinel via secondary contracts with Sentinel partners rather than 
belonging to the partnership themselves; such relationships would 
require different contractual arrangements. Further, some partners may 
restrict access to the data sets they own, requiring the ability to 
choose whether to respond to individual queries. 

Factors such as these could complicate FDA’s ability to establish a 
comprehensive oversight and enforcement mechanism. Agreements will 
likely need to include provisions requiring strict adherence to 
established security and privacy standards. However, beyond stating 
such requirements consistently, it may not be possible for FDA to 
establish the same enforcement and oversight mechanisms for all of its 
partners. 

In addition, it is unclear what authority the nonprofit entity that is 
expected to operate the coordinating center will have over Sentinel 
partners, as FDA has not yet determined which nonprofit entity, if any, 
will be responsible for this function. One possible entity under 
consideration by FDA is the Reagan-Udall Foundation, established by 
FDAAA to advance the mission of the FDA and enhance product safety, 
among other things. 

* Under FDAAA, the Reagan-Udall Foundation is authorized to award 
grants to or enter into contracts, memorandums of understanding, or 
cooperative agreements with a wide range of entities, including public-
private partnerships, academic institutions, and industry, to advance 
its goals and priorities. 

* FDAAA requires the foundation to establish a Board of Directors whose 
duties include establishing policies for the execution of memorandums 
of understanding and cooperative agreements between the foundation and 
other entities. 

Experts have raised concerns with designating Reagan-Udall to implement 
key Sentinel functions because most of the funds for the foundation’s 
operations are expected to originate from private industry. Under these 
circumstances, it may be difficult to ensure that security and privacy 
requirements are strictly enforced. Thus far, budget provisions have 
directed FDA to withhold funds from Reagan-Udall. 

If adequate oversight and enforcement mechanisms are not in place, 
privacy and security requirements may not be appropriately implemented 
by all partners, potentially placing personal health information at 
increased risk. 

While FDA officials acknowledge that they face privacy and security 
challenges and have taken steps to begin exploring these issues, they 
have not yet established a plan or milestones for fully addressing them 
and incorporating the results into the development of Sentinel. 

[End of section] 

Conclusions: 

The Sentinel system is still in the early stages of development. FDA 
has made progress in laying the groundwork for establishing the system, 
but many critical decisions remain to be made, including decisions 
about how the project is to be managed, who its many partners will be, 
and what privacy and security controls will be implemented. FDA has not 
yet established a plan or milestones for development of the system or 
for making these critical decisions. 

Although personal health information is not expected to be exchanged as 
part of most routine Sentinel operations, FDA will face a number of 
privacy and security challenges in developing the system, including (1) 
applying protections consistently, (2) limiting use of personal health 
information to a clear and specific purpose, (3) ensuring appropriate 
public involvement, (4) mitigating risks associated with de-identified 
data, (5) establishing comprehensive security controls, and (6) 
establishing oversight and enforcement mechanisms. FDA has yet to 
develop a plan, including milestones, to address these challenges. 
Until challenges are addressed, concerns are likely to remain that the 
Sentinel initiative may not be fully addressing risks to the privacy 
and security of personal health information. 

[End of section] 

Recommendation for Executive Action: 

We are not making recommendations for further legislative actions. 
However, given the privacy and security challenges we have identified, 
we recommend that the Commissioner of FDA develop a plan, including 
milestones, for developing the Sentinel system and for addressing the 
privacy and security challenges associated with: 

* ensuring consistent application of protections to all Sentinel 
partners, 

* limiting use of personal health information to a clear and specific 
purpose, 

* involving the public in the development of the system and informing 
the public of the program’s planned uses of personal health information 
and privacy protections, 

* using de-identified data, 

* establishing adequate security controls, and, 

* overseeing and enforcing key privacy and security requirements. 

[End of section] 

Agency Comments and Our Evaluation: 

In comments on a draft of this briefing provided via e-mail by the GAO 
Coordinator of the HHS Office of the Assistant Secretary for 
Legislation, FDA generally agreed that there are many privacy and 
security challenges related to the Sentinel initiative and that 
attention will need to be paid to computer security with respect to the 
transmission of queries and summaries of results. However, FDA asserted 
that privacy and security challenges raised by the use and transfer of 
personal health information would be largely alleviated by current 
plans for the Sentinel system, which call for all personal health 
information to remain with the entities that have custody of it and 
only analytical results to be shared. FDA acknowledged that secondary 
analysis involving personal health information may be necessary and that 
the privacy challenges we identified would be relevant to such 
analysis, but stated that this analysis would likely take place outside 
the bounds of the Sentinel system. 

Regardless of whether secondary analysis using personal health 
information is within the bounds of the Sentinel system, such analysis 
remains a key element in an overall assessment of the data privacy, 
confidentiality, and security issues related to accessing, 
transmitting, and maintaining data for FDA’s postmarket risk 
identification and analysis system. Any analysis involving the transfer 
of personal health information could introduce significant privacy and 
security risks, and would thus require privacy and security protections 
and oversight commensurate to this increased risk. Thus the privacy and 
security challenges we have identified remain of critical importance as 
planning for the Sentinel system moves forward. 

FDA generally agreed with the recommendation made in this briefing, 
with the exception of the challenge associated with using de-identified 
data. Regarding this challenge, FDA asserted that activities involving 
the disclosure of personal health information would be outside the 
scope of the Sentinel system. However, as previously discussed, the use 
and disclosure of personal health information through secondary 
analysis is also an important consideration, and in this regard the 
challenge associated with using de-identified data will need to be 
addressed to ensure that risks to the privacy and security of personal 
health information are fully addressed. 

FDA also provided technical comments, which we incorporated into the 
briefing as appropriate. 

[End of appendix] 

Appendix II: Comments from the Food and Drug Administration: 

Department Of Health & Human Services: 
Office Of The Secretary: 
Assistant Secretary For Legislation: 
Washington, DC 20201: 

May 19, 2009: 

Gregory C. Wilshusen: 
Director: 
Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street N.W. 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

Enclosed are comments on the U.S. Government Accountability Office's 
(GAO) report entitled: Privacy and Security: Food and Drug 
Administration Faces Challenges in Establishing Protections for its 
Postmarket Risk Analysis System (GAO-09-355). 

The Department appreciates the opportunity to review this report before 
its publication. 

Sincerely, 

Signed by: 

Barbara Pisaro Clark: 
Acting Assistant Secretary for Legislation: 

Attachment: 

[End of letter] 

Department Of Health & Human Services: 
Food and Drug Administration: 
Silver Spring, MD 20993: 

Date: May 15, 2009: 

To: Acting Assistant Secretary for Legislation: 

FROM: Acting Commissioner of Food and Drugs: 

Subject: FDA's General Comments to GAO's Draft Report Entitled, Privacy 
and Security--Food and Drug Administration Faces Challenges in 
Establishing Protections for its Postmarket Risk Analysis System (GAO-09-
355). 

FDA is providing the attached general comments to the U.S. Government 
Accountability Office's draft report entitled, Privacy and Security--
Food and Drug Administration Faces Challenges in Establishing 
Protections for its Postmarket Risk Analysis System (GAO-09-355). 

FDA appreciates the opportunity to review and comment on this draft 
report before it is published. 

Signed by: 

[Illegible], for: 
Joshua M. Sharfstein, M.D. 
Principal Deputy Commissioner: 
Acting Commissioner of Food and Drugs: 

Attachment: 

[End of letter] 

FDA's General Comments to the U.S. Government Accountability Office's 
Draft Report, Privacy and Security - Food and Drug Administration Faces 
Challenges in Establishing Protections for its Postmarket Risk Analysis 
System (GAO-09-355): 

The Food and Drug Administration (FDA) appreciates the opportunity to 
review and comment on the Government Accountability Office's (GAO) 
draft report, and we agree with GAO's overall recommendation to develop 
a plan (with multiple milestones), which is completely consistent with 
ongoing FDA efforts. However, we are very concerned that the report 
contains inaccuracies that seriously misrepresent the program and will 
lead readers of the report, especially patients and consumers, to 
believe that their protected health information[Footnote 22] is at 
risk. These inaccuracies most likely result from a fundamental 
misunderstanding of how phase I Sentinel will be implemented. We would 
like to provide you with some key clarifications. 

Phase 1[Footnote 23] of Sentinel: 

As explained in the Sentinel report and in most every summary of the 
initiative or discussion of Sentinel, we have emphasized that FDA is 
working towards establishing a distributed network. This means that no 
protected health information will be transferred to the agency. In 
fact, no protected health information will be transferred at all. All 
health information will remain under the control of current data 
owners, behind existing firewalls, protected by privacy and security 
safeguards. Participating data owners will continue to manage their 
data protected in their secure environment. Those data owners who wish 
to participate in Sentinel will perform data searches and analyses of 
their own data upon request and submit only summaries of their findings 
as part of Sentinel. To reiterate, data from individual data holders 
will not be centralized or aggregated in any way into a common 
database. 

Privacy and Security: 

Protecting the privacy and security of protected health information, as 
well as the security of all information FDA receives, is of paramount 
concern to FDA and part of FDA's ongoing responsibilities as it 
fulfills its mission to protect public health. We work every day to 
protect the security of the data we receive. Thus, from the beginning 
of this program, we have sought to engage thought leaders in the 
privacy and security field at every juncture. One of the first 
contracts we let under the initiative involved the identification and 
analysis of potential privacy issues that might need to be addressed. 
(This report is complete and has been posted on FDA's Sentinel Web 
site.) 

We understand that there may well be a need for further studies of 
signals obtained through Sentinel. However, the Agency expects that 
such studies would take place outside of Sentinel in precisely the same 
manner that we investigate public health concerns today. For example, 
an analysis might be carried out pursuant to a contract between FDA and 
an individual data holder. In such a case, privacy challenges such as 
those identified in the GAO report could become relevant within the 
framework of this specific contractual agreement, but would not involve 
Sentinel. If protected health information were to be transmitted by a 
participating data holder for analysis at any point, including during a 
follow-up analysis, controls and measures consistent with the Health 
Insurance Portability and Accountability Act (HIPAA) or with the 
Privacy Act would be put into place and tested to ensure the security 
of protected health information. In fact, all systems that process, 
publish, transmit, or store FDA information or information on behalf of 
FDA must be protected in accordance with the Federal Information 
Security Management Act (FISMA). Because Sentinel is being sponsored by 
FDA and is being established in response to the FDA Amendments Act of 
2007, Sentinel must be assessed as part of the FDA Certification and 
Accreditation (C&A) process as required by FISMA. The C&A process, 
milestones, and project plan will be provided by the FDA Security 
Office and executed by the FDA Security Office contractors once the 
environment is ready. The C&A will be completed prior to moving 
Sentinel into production. 

Computer Security: 

The draft report mentions computer security issues within the context 
of the privacy concerns on which the report focuses. Because Sentinel 
will be a distributed network and protected health information will not 
be transmitted as part of Sentinel, there is not a risk of security 
breaches resulting in disclosure of protected health information. FDA 
recognizes, however, that attention will need to be paid to computer 
security with respect to the transmission of queries and results 
summaries, and FDA will require implementation of policies and 
procedures to ensure computer security at each stage of the process. 
This and other issues need to be carefully explored in the governance 
structure: we expect to post an analysis of issues related to 
governance for public comment in several weeks. 

Graphic Figure: 

To communicate the intended structure of Sentinel, the draft report 
uses a figure, titled Overview of the Planned Sentinel Query Process, 
both on the Highlights page and as slide 17 of the GAO presentation to 
Congress. Because FDA is concerned that the figure that was used may 
mislead some readers about important aspects of the proposed system, we 
have attached a new version of the figure to explain what is intended: 
the attached figure explains the Sentinel query process as planned by 
FDA. The following points clarify specific concerns we have about the 
earlier figure included in the draft GAO report. 

* FDA and other partners-This would be more accurate if it read "FDA 
and other entities" and was depicted by an image of a person looking at 
graphs and data. The current display gives the impression that this is 
a fully automated system that does not include human participation and 
expertise. As policies and procedures are developed for Sentinel, they 
will include descriptions of who will be able to access this resource 
and under what circumstances. Other entities besides FDA and "partners" 
may have access. 

* Partner initiates query-This would be more accurate if it read "Query 
initiated." As noted above, once established, policies and procedures 
will determine who has access to initiate queries. 

* Sentinel Coordinating Center-The drawing of a "server" does not 
adequately portray the responsibilities of the coordinating center. 
Coordinating center personnel will perform a number of key roles 
including determining appropriate methodologies and data sources for 
obtaining meaningful responses to a query. The coordinating center will 
not be just an IT architecture to administer queries and receive 
results. 

* Academic institutions and Federal and state government agencies-
Without further qualification, this is potentially confusing. Only 
those academic institutions and federal and state government agencies 
with automated healthcare data will be recipients of queries. 

* Results returned to coordinating center-This would be clearer if it 
read "Result summaries returned to Sentinel Coordinating Center." 
Results summaries will not include protected health information. 

* Coordinating center returns results-This would be clearer if it read 
"Sentinel Coordinating Center returns summary results." Results 
summaries will not include protected health information. 

* Results may potentially be shared with the public-This would be more 
accurate if it read "Result summaries will be used to help inform 
health care decisions" and was, as in FDA's figure, depicted by an 
image of people sitting around a table discussing documents. The 
summary results received in response to Sentinel queries will be 
considered with other available data to provide information about 
medical products to help inform their proper use. 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Gregory C. Wilshusen (202) 512-6244, or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the individual named above, John de Ferrari, Assistant 
Director; Idris Adjerid; Monica Anatalio; Susan Czachor; Season 
Dietrich; Neil Doherty; Nancy Glover; and Rebecca Eyler made key 
contributions to this report. 

[End of section] 

Footnotes: 

[1] Personal health information in this briefing refers to information 
relating to the health or health care of an individual and that 
identifies, or can be used to identify, the individual. 

[2] Pub. L. No. 110-85, § 905, 121 Stat. 823, 944 (Sept. 27, 2007). 

[3] As confidentiality is a key aspect of information security, it was 
included under our review of security issues. 

[4] These do not include medical devices used for collecting, 
processing, testing, manufacturing, and administration of licensed 
blood, blood components, and cellular products, which are governed by 
the Center for Biologics Evaluation and Research. 

[5] The Institute of Medicine was created by the National Academy of 
Sciences in 1970 to provide advice to the federal government on issues 
relating to medical care, research, and education. 

[6] GAO, Drug Safety: Improvement Needed in FDA’s Postmarket Decision-
making and Oversight Process, [hyperlink, 
http://www.gao.gov/products/GAO-06-402] (Washington, D.C.: Mar. 31, 
2006). 

[7] FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 
(Dec. 17, 2002). 

[8] The recently enacted Health Information Technology for Economic and 
Clinical Health (HITECH) Act contains provisions relating to the 
promotion and testing of health information technology, and privacy and 
security protections for health information technology. HITECH Act 
Title XIII, American Recovery and Reinvestment Act of 2009, Pub. L. No. 
111-5 (Feb. 17, 2009). 

[9] Mass. Gen. Laws ch. 111, § 70F. 

[10] NIST, Security Guide for Interconnecting Information Technology 
Systems, Special Publication 800-47 (Washington, D.C.: August 2002). 

[11] NIST, Standards for Security Categorization of Federal Information 
and Information Systems, Federal Information Processing Standard (FIPS) 
199 (Washington, D.C.: February 2004). 

[12] NIST, Minimum Security Requirements for Federal Information and 
Information Systems, FIPS 200 (Washington, D.C.: March 2006). 

[13] The Medicare Prescription Drug, Improvement, and Modernization Act 
of 2003 (MMA) established an outpatient drug benefit, known as Medicare 
Part D, that provides prescription drug coverage for beneficiaries who 
opt to enroll in the program. Congress designed Medicare Part D to be a 
market-driven program that promotes competition among private health 
plans. 

[14] The National Committee on Vital and Health Statistics was 
established in 1949 as a public advisory committee that is statutorily 
authorized to advise the Secretary of HHS on health data, statistics, 
and national health information policy, including the implementation of 
health information technology standards. 

[15] GAO, Personal Information: Agency and Reseller Adherence to Key 
Privacy Principles, [hyperlink, http://www.gao.gov/products/GAO-06-421] 
(Washington, D.C.: Apr. 4, 2006). 

[16] GAO, Data Mining: Early Attention to Privacy in Developing a Key 
DHS Program Could Reduce Risks, [hyperlink, 
http://www.gao.gov/products/GAO-07-293] (Washington, D.C.: Feb. 28, 
2007). 

[17] GAO, Privacy: Alternatives Exist for Enhancing Protection for 
Personally Identifiable Information, [hyperlink, 
http://www.gao.gov/products/GAO-08-536] (Washington, D.C.: May 19, 
2008). 

[18] L. Sweeney, “k-Anonymity: A Model for Protecting Privacy,” 
International Journal on Uncertainty, Fuzziness and Knowledge-based 
Systems, vol. 10, no. 5 (2002). 

[19] GAO, Information Security: Homeland Security Needs to Immediately 
Address Significant Weaknesses in Systems Supporting the US-VISIT 
Program, [hyperlink, http://www.gao.gov/products/GAO-07-870] 
(Washington, D.C.: July 13, 2007). 

[20] NIST, Security Guide for Interconnecting Information Technology 
Systems, Special Publication 800-47 (Washington, D.C.: August 2002). 

[21] FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 
(Dec. 17, 2002). 

[22] The Privacy Rule protects all "individually identifiable health 
information" held or transmitted by a covered entity or its business 
associate, in any form or media, whether electronic, paper, or oral. 
The Privacy Rule calls this information "protected health information 
(PHI)." See [hyperlink, 
http://www.hhs.gov./ocr/privacy/hipaa/understanding/summary/privacysummary.pdf] 

[23] We refer to the initial roll out of Sentinel as phase 1, 
recognizing that as the availability of electronic health records 
increases, coupled with advances in data standards development, 
Sentinel will necessarily evolve. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: