COVID-19: HHS Needs to Identify Duplicative Pandemic IT Systems and Implement Key Privacy Requirements
Fast Facts
The Department of Health and Human Services gathers key information needed for public health emergencies, such as pandemics. This includes data on critical response resources and medical care capacity, among other things.
We reviewed HHS's efforts to reduce unnecessary duplication, overlap, or fragmentation in the systems it uses to collect this kind of data, and its efforts to protect personal information.
HHS doesn't have a comprehensive list of these systems and hasn't identified or reduced unnecessary duplication.
HHS didn't fully implement key privacy safeguards for the 9 systems we reviewed.
Our 14 recommendations address these issues.
Highlights
What GAO Found
The Department of Health and Human Services (HHS) has not identified and reduced unnecessary duplication of data in its systems supporting pandemic public health preparedness and response. Because the department did not have a comprehensive list of these systems, GAO worked with key HHS component agencies and identified a total of 99 systems. HHS did not attempt to identify duplication or overlap for these systems. However, in its high-level review of the 99 systems, GAO identified instances of duplicative pandemic public health preparedness and response data in multiple systems. For example, two pandemic systems that collected similar COVID-19 data, such as cases, deaths, and hospitalization data, are managed by the same program office.
Regarding privacy, according to the component agencies, 68 of the 99 identified systems collect and store personally identifiable information (PII). These agencies developed privacy impact assessments (PIA) for 53 of the 68; 15 did not have such assessments. Such assessments are essential to identifying and mitigating the privacy risks of systems containing PII. Until HHS ensures that PIAs are developed for all of its systems containing PII, it will have less assurance that privacy risks are assessed to prevent unauthorized disclosure.
Further, HHS and its component agencies did not implement all of the key privacy safeguards for the nine systems that GAO randomly selected for review (see figure). As a result, information collected and stored by some of these systems may be at higher risk for unauthorized disclosure.
HHS Component Agencies Implementation of Key Privacy Safeguards for Selected Pandemic Systems
Why GAO Did This Study
HHS and its component agencies are responsible for managing data collection activities to support public health preparedness and response during public health emergencies, such as the COVID-19 pandemic. The Consolidated Appropriations Act of 2023 reiterates the need for HHS to improve these data collection capabilities and includes provisions for GAO to review those capabilities. In addition, the CARES Act includes a provision for GAO to monitor and oversee the federal response to the COVID-19 pandemic.
This report addresses, among other things, the extent to which HHS has (1) identified and reduced unnecessary duplication, overlap, or fragmentation in its preparedness and response data capabilities; and (2) instituted privacy safeguards on selected systems when collecting public health preparedness and response data.
GAO identified lists of systems and compared HHS and component agency efforts to identify unnecessary duplication, overlap, and fragmentation to federal law and guidance. GAO also randomly selected nine systems for review of component agency implementation of privacy safeguards for systems that collect and store PII.
Recommendations
GAO is making 14 recommendations to HHS, including establishing a systems inventory, addressing duplicative data, and fully implementing privacy safeguards. HHS generally agreed with the recommendations, although stating that two may not be feasible. GAO continues to believe they are valid.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Health and Human Services | The Secretary of HHS should ensure that the HHS CIO develops and maintains a department-wide comprehensive list of systems, including component systems, that support pandemic public health preparedness and response. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that the HHS CIO conducts reviews of systems that support pandemic public health preparedness and response across the department to identify and reduce any unnecessary duplication, overlap, or fragmentation and identify mitigation options, such as consolidation or elimination of systems. The HHS CIO should share the results of its reviews with components when identifying any instances of unnecessary duplication, overlap, or fragmentation. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that component agencies proactively and consistently identify and track the funding sources and costs dedicated to operating and maintaining all of their systems supporting pandemic public health preparedness and response. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that component agencies proactively and consistently identify and track staffing resources, including the type and number of staff dedicated to managing all of their systems supporting pandemic public health preparedness and response. (Recommendation 4) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that the Administration for Strategic Preparedness and Response has an updated privacy impact assessment for the Cooperative Agreement Accountability and Management Platform. (Recommendation 5) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that the Administration of Strategic Preparedness and Response revises the system privacy plan for ASPR Ready to include the privacy controls in place or planned for meeting the privacy requirements. (Recommendation 6) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that the Administration for Strategic Preparedness and Response develops assessments of privacy controls for ASPR Ready and the Electronic Medical Records System. (Recommendation 7) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that the Administration for Strategic Preparedness and Response develops the authorization to operate for the Electronic Medical Records System. (Recommendation 8) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that the Director of the Centers for Disease Control and Prevention conducts and develops privacy impact assessments for all pandemic public health preparedness and response systems that include personally identifiable information. (Recommendation 9) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that the Director of the Centers for Disease Control and Prevention ensures that the senior official for privacy reviews and approves the system security categorizations for the COVID-19 Clearinghouse and HHS Protect. (Recommendation 10) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that the Commissioner of the Food and Drug Administration conducts and develops privacy impact assessments for all pandemic public health preparedness and response systems that include personally identifiable information. (Recommendation 11) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that the Commissioner of the Food and Drug Administration conducts an assessment to determine if a system of records notice is required for the Biologics Information Tracking System – Compliance. (Recommendation 12) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that the Commissioner of the Food and Drug Administration ensures that the senior official for privacy reviews and approves the system security categorization for the Biologics Information Tracking System – Compliance. (Recommendation 13) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of HHS should ensure that the Commissioner of the Food and Drug Administration develops an assessment of privacy controls for the Biologics Information Tracking System – Compliance. (Recommendation 14) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |