Health Information Technology
HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains
Gao ID: GAO-08-1138 September 17, 2008
Although advances in information technology (IT) can improve the quality and other aspects of health care, the electronic storage and exchange of personal health information introduces risks to the privacy of that information. In January 2007, GAO reported on the status of efforts by the Department of Health and Human Services (HHS) to ensure the privacy of personal health information exchanged within a nationwide health information network. GAO recommended that HHS define and implement an overall privacy approach for protecting that information. For this report, GAO was asked to provide an update on HHS's efforts to address the January 2007 recommendation. To do so, GAO analyzed relevant HHS documents that described the department's privacy-related health IT activities.
Since GAO's January 2007 report on protecting the privacy of electronic personal health information, the department has taken steps to address the recommendation that it develop an overall privacy approach that included (1) identifying milestones and assigning responsibility for integrating the outcomes of its privacy-related initiatives, (2) ensuring that key privacy principles are fully addressed, and (3) addressing key challenges associated with the nationwide exchange of health information. In this regard, the department has fulfilled the first part of GAO's recommendation, and it has taken important steps in addressing the two other parts. The HHS Office of the National Coordinator for Health IT has continued to develop and implement health IT initiatives related to nationwide health information exchange. These initiatives include activities that are intended to address key privacy principles and challenges. For example: (1) The Healthcare Information Technology Standards Panel defined standards for implementing security features in systems that process personal health information. (2) The Certification Commission for Healthcare Information Technology defined certification criteria that include privacy protections for both outpatient and inpatient electronic health records. (3) Initiatives aimed at the state level have convened stakeholders to identify and propose solutions for addressing challenges faced by health information exchange organizations in protecting the privacy of electronic health information. In addition, the office has identified milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, as recommended. Further, the Secretary released a federal health IT strategic plan in June 2008 that includes privacy and security objectives along with strategies and target dates for achieving them. Nevertheless, while these steps contribute to an overall privacy approach, they have fallen short of fully implementing GAO's recommendation. In particular, HHS's privacy approach does not include a defined process for assessing and prioritizing the many privacy-related initiatives to ensure that key privacy principles and challenges will be fully and adequately addressed. As a result, stakeholders may lack the overall policies and guidance needed to assist them in their efforts to ensure that privacy protection measures are consistently built into health IT programs and applications. Moreover, the department may miss an opportunity to establish the high degree of public confidence and trust needed to help ensure the success of a nationwide health information network.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-08-1138, Health Information Technology: HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains
This is the accessible text file for GAO report number GAO-08-1138
entitled 'Health Information Technology: HHS Has Taken Important Steps
to Address Privacy Principles and Challenges, Although More Work
Remains' which was released on September 17, 2008.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Chairman, Subcommittee on Oversight of Government
Management, the Federal Workforce, and the District of Columbia,
Committee on Homeland Security and Governmental Affairs, U.S. Senate:
United States Government Accountability Office:
GAO:
September 2008:
Health Information Technology:
HHS Has Taken Important Steps to Address Privacy Principles and
Challenges, Although More Work Remains:
GAO-08-1138:
GAO Highlights:
Highlights of GAO-08-1138, a report to the Chairman, Subcommittee on
Oversight of Government Management, the Federal Workforce, and the
District of Columbia, Committee on Homeland Security and Governmental
Affairs, U.S. Senate.
Why GAO Did This Study:
Although advances in information technology (IT) can improve the
quality and other aspects of health care, the electronic storage and
exchange of personal health information introduces risks to the privacy
of that information. In January 2007, GAO reported on the status of
efforts by the Department of Health and Human Services (HHS) to ensure
the privacy of personal health information exchanged within a
nationwide health information network. GAO recommended that HHS define
and implement an overall privacy approach for protecting that
information. For this report, GAO was asked to provide an update on
HHS‘s efforts to address the January 2007 recommendation. To do so, GAO
analyzed relevant HHS documents that described the department‘s privacy-
related health IT activities.
What GAO Found:
Since GAO‘s January 2007 report on protecting the privacy of electronic
personal health information, the department has taken steps to address
the recommendation that it develop an overall privacy approach that
included (1) identifying milestones and assigning responsibility for
integrating the outcomes of its privacy-related initiatives, (2)
ensuring that key privacy principles are fully addressed, and (3)
addressing key challenges associated with the nationwide exchange of
health information. In this regard, the department has fulfilled the
first part of GAO‘s recommendation, and it has taken important steps in
addressing the two other parts. The HHS Office of the National
Coordinator for Health IT has continued to develop and implement health
IT initiatives related to nationwide health information exchange. These
initiatives include activities that are intended to address key privacy
principles and challenges. For example:
* The Healthcare Information Technology Standards Panel defined
standards for implementing security features in systems that process
personal health information.
* The Certification Commission for Healthcare Information Technology
defined certification criteria that include privacy protections for
both outpatient and inpatient electronic health records.
* Initiatives aimed at the state level have convened stakeholders to
identify and propose solutions for addressing challenges faced by
health information exchange organizations in protecting the privacy of
electronic health information.
In addition, the office has identified milestones and the entity
responsible for integrating the outcomes of its privacy-related
initiatives, as recommended. Further, the Secretary released a federal
health IT strategic plan in June 2008 that includes privacy and
security objectives along with strategies and target dates for
achieving them.
Nevertheless, while these steps contribute to an overall privacy
approach, they have fallen short of fully implementing GAO‘s
recommendation. In particular, HHS‘s privacy approach does not include
a defined process for assessing and prioritizing the many privacy-
related initiatives to ensure that key privacy principles and
challenges will be fully and adequately addressed. As a result,
stakeholders may lack the overall policies and guidance needed to
assist them in their efforts to ensure that privacy protection measures
are consistently built into health IT programs and applications.
Moreover, the department may miss an opportunity to establish the high
degree of public confidence and trust needed to help ensure the success
of a nationwide health information network.
What GAO Recommends:
GAO recommends that HHS include in its overall privacy approach a
process for ensuring that key privacy principles and challenges are
completely and adequately addressed. In written comments on a draft of
this report, HHS generally agreed with the information discussed in the
report.
To view the full product, including the scope and methodology, click on
GAO-08-1138. For more information, contact Valerie C. Melvin, (202) 512-
6304 or melvinv@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
HHS Has Taken Steps to Address Privacy Principles and Challenges, but
It Has Not Fully Implemented an Overall Privacy Approach:
Conclusions:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objective, Scope, and Methodology:
Appendix II: Comments from the Department of Health and Human Services:
Appendix III: GAO Contacts and Staff Acknowledgments:
Tables:
Table 1: Key Privacy Principles in HIPAA's Privacy Rule:
Table 2: Challenges to Exchanging Electronic Health Information:
Abbreviations:
HHS: Department of Health and Human Services:
HIPAA: Health Insurance Portability and Accountability Act of 1996:
IT: information technology:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
September 17, 2008:
The Honorable Daniel K. Akaka:
Chairman:
Subcommittee on Oversight of Government Management, the Federal
Workforce, and the District of Columbia:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
Dear Mr. Chairman:
Advances in health information technology (IT) have the potential to
improve the quality of health care, to increase the availability of
health information for treatment, and to implement safeguards that
cannot be applied easily or cost-effectively to paper-based health
records. However, the automation of health information also introduces
new risks to the privacy of that information. A September 2007 survey
sponsored by the Institute of Medicine indicated that nearly 60 percent
of the respondents did not believe that the privacy of personal medical
records and health information was adequately protected by federal and
state laws and organization practices.[Footnote 1] According to the
National Research Council,[Footnote 2] medical information is often the
most privacy-sensitive information that patients provide to others
about themselves, and protecting medical privacy has long been
recognized as an essential element in a health care system. Further,
industry groups and professional associations have called for stronger
privacy protection of personal health information.
In April 2004, President Bush issued an executive order that called for
the development and implementation of a strategic plan to guide the
nationwide implementation of interoperable health IT in both the public
and private sectors.[Footnote 3] The order required the plan to address
privacy and security issues related to interoperable health IT and
recommend methods to ensure appropriate authorization, authentication,
and encryption of data for transmission over the Internet. In 2004, the
Secretary of Health and Human Services, through the Office of the
National Coordinator for Health Information Technology, documented a
framework for health IT as the first step toward the development of a
national strategy.[Footnote 4] This framework stated that strengthening
privacy protections for electronic personal health information was a
critical health care need.
In January 2007, we reported on activities of the Department of Health
and Human Services (HHS) and its Office of the National Coordinator for
Health IT to identify solutions for protecting personal health
information.[Footnote 5] We noted that HHS was in the early stages of
these activities and had not yet defined an overall approach for
addressing key privacy principles and challenges, nor had it defined
milestones or identified a responsible entity for integrating the
results of these activities. Consequently, we recommended that the
Secretary of Health and Human Services define and implement an overall
approach for protecting health information that would (1) identify
milestones and the entity responsible for integrating the outcomes of
its privacy-related initiatives, (2) ensure that key privacy principles
in the Health Insurance Portability and Accountability Act of 1996
(HIPAA)[Footnote 6] are fully addressed, and (3) address key challenges
associated with the nationwide exchange of health information.
Subsequently, the department's National Coordinator for Health IT
agreed with the need for an overall approach to protect health
information and stated that the department was initiating steps to
address our recommendation.
As you requested, we conducted a follow-up study of the Office of the
National Coordinator's efforts to ensure the privacy of electronic
personal health information exchanged within a nationwide health
information network. Our objective was to provide an update on the
department's efforts to define and implement an overall privacy
approach, as we recommended.
To address our objective, we analyzed reports and other documentation
of the Office of the National Coordinator's current health IT
initiatives related to privacy. We also obtained and analyzed the
department's documents describing plans and outcomes from the Office of
the National Coordinator's health IT initiatives related to privacy,
and we supplemented our analysis with interviews of officials from the
National Coordinator's office to discuss the department's current
approaches and future plans for developing and implementing an overall
approach for addressing privacy protection within a nationwide health
information network.
We conducted this performance audit from April 2008 through September
2008 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives. Our
objective, scope, and methodology are described in appendix I.
Results in Brief:
Since we reported in January 2007 on HHS's efforts to protect
electronic personal health information, the department has undertaken
various initiatives that are contributing to its efforts to develop and
implement an overall privacy approach. We recommended that this
approach include (1) identifying milestones and the entity responsible
for integrating the outcomes of its privacy-related initiatives, (2)
ensuring that key privacy principles in HIPAA are fully addressed, and
(3) addressing key challenges associated with the nationwide exchange
of health information. In this regard, the department has fulfilled the
first part of our recommendation, and it has taken important steps in
addressing the two other parts. The Office of the National Coordinator
for Health IT has continued to develop and implement initiatives
related to a nationwide health information network, and these
initiatives include activities that are intended to address certain key
privacy principles and challenges. For example:
* The Healthcare Information Technology Standards Panel defined
standards for implementing security features in health IT systems that
process personal health information.
* The Certification Commission for Healthcare Information Technology
defined certification criteria that include privacy protections for
both outpatient and inpatient electronic health records.
* State-level initiatives (such as the Health Information Security and
Privacy Collaboration and the State Alliance for e-Health) have
convened stakeholders to identify and propose solutions for addressing
challenges to protecting the privacy of electronic health information
faced by health information exchange organizations.
In addition, the Office of the National Coordinator has identified
milestones and the entity responsible for integrating the outcomes of
its privacy-related initiatives, as we recommended. Further, the
Secretary released a federal health IT strategic plan in June 2008 that
includes privacy and security objectives along with strategies and
target dates for achieving them. The strategic plan also outlines the
Office of the National Coordinator's plans for developing a
confidentiality, privacy, and security framework to incorporate the
outcomes of privacy-related initiatives, which it expects to publish by
December 2008.
Nevertheless, while the aforementioned initiatives are significant to
addressing privacy issues and challenges, they fall short of fully
implementing our recommendation. Specifically, HHS has not defined, as
part of its approach, a process for ensuring that all privacy
principles and challenges will be fully and adequately addressed. Given
the large number and variety of activities being undertaken and the
many federal, state, and private-sector entities contributing to the
health IT initiatives, it is important that the department and its
Office of the National Coordinator define a process for ensuring that
all stakeholders' contributions will be appropriately considered and
that inputs to the privacy framework will be effectively assessed and
prioritized to achieve comprehensive coverage of all privacy principles
and challenges. In the absence of an overall approach that includes
such a process, HHS faces the risk that privacy protection measures may
not be consistently and effectively built into health IT programs, thus
jeopardizing patient privacy as well as the public confidence and trust
that are essential to the success of a future nationwide health
information network.
We are recommending that HHS include in its overall privacy approach a
process for assessing and prioritizing initiatives and the
stakeholders' needs to ensure that key privacy principles and
challenges are completely and adequately addressed.
HHS's Assistant Secretary for Legislation provided written comments on
a draft of this report. In the comments, the department generally
agreed with the information provided in the draft report; however, it
neither agreed nor disagreed with our recommendation. HHS agreed that
more work remains to be done in the department's efforts to protect the
privacy of electronic personal health information and stated that the
department is actively pursuing a process for assessing and
prioritizing privacy-related initiatives intended to build public trust
and confidence in health IT. As we recommended, effective
implementation of such a process could help ensure that the
department's overall privacy approach fully addresses key privacy
principles and challenges.
Background:
Recognizing the potential value of IT for public and private health
systems,[Footnote 7] the federal government has, for several years,
been working to promote the nationwide use of health IT.[Footnote 8] In
April 2004, President Bush called for widespread adoption of
interoperable electronic health records within 10 years and issued an
executive order[Footnote 9] that established the position of the
National Coordinator for Health IT within HHS. The National
Coordinator's responsibilities include developing, maintaining, and
directing the implementation of a strategic plan to guide the
nationwide implementation of interoperable health IT in both the public
and private sectors. According to the strategic plan, the National
Coordinator is to lead efforts to build a national health IT
infrastructure that is intended to, among other things, ensure that
patients' individually identifiable health information[Footnote 10] is
secure, protected, and available to the patient to be used for medical
and nonmedical purposes, as directed by the patient and as appropriate.
In January 2007, we reported on the steps that HHS was taking to ensure
the protection of personal health information exchanged within a
nationwide network and on the challenges facing health information
exchange organizations in protecting electronic personal health
information.[Footnote 11] We reported that although HHS and the Office
of the National Coordinator had initiated actions to identify solutions
for protecting electronic personal health information, the department
was in the early stages of its efforts and had not yet defined an
overall privacy approach. As described earlier, we made recommendations
regarding the need for an overall privacy approach, which we reiterated
in subsequent testimonies in February 2007, June 2007, and February
2008.[Footnote 12]
In our report, we described applicable provisions of HIPAA and other
federal laws that are intended to protect the privacy of certain health
information, along with the HIPAA Privacy Rule[Footnote 13] and key
principles that are reflected in the rule. Table 1 summarizes these
principles.
Table 1: Key Privacy Principles in HIPAA's Privacy Rule:
Principle: Uses and disclosures;
Description: Provides limits to the circumstances in which an
individual's protected health information may be used or disclosed by
covered entities and provides for accounting of certain disclosures;
requires covered entities to make reasonable efforts to disclose or use
only the minimum necessary information to accomplish the intended
purpose for the uses, disclosures, or requests, with certain
exceptions, such as for treatment or as required by law.
Principle: Notice;
Description: Requires most covered entities to provide a notice of
their privacy practices, including how personal health information may
be used and disclosed.
Principle: Access;
Description: Establishes individuals' right to review and obtain a copy
of their protected health information held in a designated record
set.[A]
Principle: Security[B];
Description: Requires covered entities to safeguard protected health
information from inappropriate use or disclosure.
Principle: Amendments;
Description: Gives individuals the right to request from covered
entities changes to inaccurate or incomplete protected health
information held in a designated record set.[A]
Principle: Administrative requirements;
Description: Requires covered entities to analyze their own needs and
implement solutions appropriate for their own environment based on a
basic set of requirements for which they are accountable.
Principle: Authorization;
Description: Requires covered entities to obtain the individual's
written authorization or consent for uses and disclosures of personal
health information, with certain exceptions, such as for treatment,
payment, and health care operations, or as required by law. Covered
entities may choose to obtain the individual's consent to use or
disclose protected health information to carry out treatment, payment,
or health care operations but are not required to do so.
Source: GAO analysis of HIPAA Privacy Rule.
[A] According to the HIPAA Privacy Rule, a designated record set is a
group of records maintained by or for a covered entity that is (1) the
medical records and billing records about individuals maintained by or
for a covered health care provider; (2) the enrollment, payment, claims
adjudication, and case or medical management record systems maintained
by or for a health plan; or (3) used, in whole or in part, by or for
the covered entity to make decisions about individuals.
[B] The HIPAA Security Rule further defines safeguards that covered
entities must implement to provide assurance that health information is
protected from inappropriate uses and disclosure.
[End of table]
We also described in our report and testimonies challenges associated
with protecting electronic health information that are faced by federal
and state health information exchange organizations and health care
providers. These challenges are summarized in table 2.
Table 2: Challenges to Exchanging Electronic Health Information:
Challenge: Understanding and resolving legal and policy issues;
Description:
* Resolving uncertainties regarding varying the extent of federal
privacy protection required of various organizations;
* Understanding and resolving data-sharing issues introduced by varying
state privacy laws and organization-level practices;
* Reaching agreement on organizations' differing interpretations and
applications of HIPAA privacy and security rules;
* Determining liability and enforcing sanctions in cases of breach of
confidentiality.
Challenge: Ensuring appropriate disclosure;
Description:
* Determining the minimum data necessary that can be disclosed in order
for requesters to accomplish their intended purposes;
* Obtaining individuals' authorization and consent for use and
disclosure of personal health information;
* Determining the best way to allow individuals to participate in and
consent to electronic health information exchange;
* Educating consumers so that they understand the extent to which their
consent to use and disclose health information applies.
Challenge: Ensuring individuals' rights to request access and
amendments to health information to ensure it is correct;
Description:
* Ensuring that individuals understand that they have rights to request
access and amendments to their own health information to ensure that it
is correct;
* Ensuring that individuals' amendments are properly made and tracked
across multiple locations.
Challenge: Implementing adequate security measures for protecting
health information;
Description:
* Determining and implementing adequate techniques for authenticating
requesters of health information;
* Implementing proper access controls and maintaining adequate audit
trails for monitoring access to health data;
* Protecting data stored on portable devices and transmitted between
business partners.
Source: GAO analysis of information provided by state-level health
information exchange organizations, federal health care providers, and
health IT professional associations.
[End of table]
We reported that HHS had undertaken several initiatives intended to
address aspects of key principles and challenges for protecting the
privacy of health information. For example, in 2005, the department
awarded four health IT contracts that included requirements for
developing solutions to comply with federal privacy requirements and
identifying techniques and standards for securing health information.
HHS Has Taken Steps to Address Privacy Principles and Challenges, but
It Has Not Fully Implemented an Overall Privacy Approach:
Since January 2007, HHS has undertaken various initiatives that are
contributing to its development of an overall privacy approach,
although more work remains. We recommended that this overall approach
include (1) identifying milestones and the entity responsible for
integrating the outcomes of its privacy-related initiatives, (2)
ensuring that key privacy principles in HIPAA are fully addressed, and
(3) addressing key challenges associated with the nationwide exchange
of health information. In this regard, the department has fulfilled the
first part of our recommendation, and it has taken important steps in
addressing the two other parts. Nevertheless, these steps have fallen
short of fully implementing our recommendation because they do not
include a process for ensuring that all key privacy principles and
challenges will be fully and adequately addressed. In the absence of
such a process, HHS may not be effectively positioned to ensure that
health IT initiatives achieve comprehensive privacy protection within a
nationwide health information network.
HHS Has Taken Steps to Address Privacy Principles and Challenges
through Its Various Health IT Initiatives:
The department and its Office of the National Coordinator have
continued taking steps intended to address key privacy principles and
challenges through various health IT initiatives. Among other things,
these initiatives have resulted in technical requirements, standards,
and certification criteria related to the key privacy principles
described in table 1. The following are examples of ways that the
Office of the National Coordinator's health IT initiatives relate to
privacy principles reflected in HIPAA.
* As part of its efforts to advance health IT, the American Health
Information Community[Footnote 14] defines "use cases," which are
descriptions of specific business processes and ways that systems
should interact with users and with other systems to achieve specific
goals. Among other things, several of the use cases include
requirements and specifications that address aspects of the access,
uses and disclosures, and amendments privacy principles. For example,
the "consumer empowerment" use case describes at a high level specific
capabilities that align with the access principle. It requires that
health IT systems include mechanisms that allow consumers to access
their own clinical information, such as lab results and diagnosis
codes, from other sources to include in their personal health records.
The use case also aligns with the uses and disclosures principle and
includes requirements that allow consumers to control access to their
personal health record information and specify which information can be
accessed by health care providers and organizations within health
information networks. Further, the consumer empowerment use case aligns
with the amendments privacy principle, emphasizing the need for
policies to guide decisions about which data consumers should be able
to modify, annotate, or request that organizations change. (Other use
cases that are related to these privacy principles are the
"personalized healthcare"[Footnote 15] and "remote monitoring"[Footnote
16] use cases.)
* Under HHS's initiative to implement a nationwide health information
network,[Footnote 17] in January 2007, four test network
implementations, or prototypes, demonstrated potential nationwide
health information exchange and laid the foundation for the Office of
the National Coordinator's ongoing network trial implementations.
Activities within the prototypes and the trial implementations are
related to privacy principles, including the security, access, uses and
disclosures, and administrative requirements principles. For example,
the prototypes produced specific requirements for security mechanisms
(such as data access control and encryption) that address aspects of
the security principle. Additionally, the ongoing trial implementations
are guided by requirements for using personal health data intended to
address the access, uses and disclosures, and administrative
requirements principles. For example, participants in the trial
implementations are to provide the capability for consumers to access
information, such as registration and medication history data, from
other sources to include in their personal health records, to control
access to self-entered data or clinical information held in a personal
health record, and to control the types of information that can be
released from personal health records for health information exchange.
In addition, organizations participating in the network are required to
provide system administrators the ability to monitor and audit all
access to and use of the data stored in their systems.
* The Healthcare Information Technology Standards Panel continued work
to "harmonize" standards directly related to several key privacy
principles, primarily the security principle.[Footnote 18] In addition,
the panel developed technical guidelines that are intended to address
other privacy principles, such as the authorization principle and the
uses and disclosures principle. For example, the panel's guidelines
specify that systems should be designed to ensure that consumers'
instructions related to authorization and consent are captured,
managed, and available to those requesting the health information.
* The Certification Commission for Healthcare Information Technology,
which is developing and evaluating the criteria and process for
certifying the functionality, security, and interoperability of
electronic health records, took steps that primarily address the
security principle. For example, the commission defined specific
security criteria for both ambulatory and inpatient electronic health
records that require various safeguards to be in place before
electronic health record systems are certified. Among other things,
these safeguards include ensuring that system administrators can modify
the privileges of users so that only those who have a need to access
patients' information are allowed to do so and that the minimum amount
of information necessary can be accessed by system users.
* The State-Level Health Information Exchange Consensus Project, a
consortium of public and private-sector stakeholders, is intended to
promote consistent organizational policies regarding privacy and health
information exchange. The consortium issued a report in February 2007
that addresses, among other principles, the uses and disclosures
privacy principle. For example, the report advises health information
exchange organizations to maintain information about access to and
disclosure of patients' personal health information and to make that
data available to patients. The consortium subsequently issued another
report in March 2008 that recommended practices to ensure the
appropriate access, use, and control of health information.
Additionally, two of HHS's key advisory groups continued to develop and
provide recommendations to the Secretary of HHS for addressing privacy
issues and concerns:
* The Confidentiality, Privacy, and Security Workgroup was formed in
2006 by the American Health Information Community to focus specifically
on these issues and has submitted recommendations to the community that
address privacy principles. Among these are recommendations related to
the notice principle that the workgroup submitted in February and April
2008. These recommendations stated that health information exchange
organizations should provide patients, via the Web or another means,
information in plain language on how these organizations use and
disclose health information, their privacy policies and practices, and
how they safeguard patient or consumer information. The work group also
submitted recommendations related to the administrative requirements
principle, stating that the obligation to provide individual rights and
a notice of privacy practices under HIPAA should remain with the health
care provider or plan that has an established, independent relationship
with a patient, not with the health information exchange.
* The National Committee on Vital and Health Statistics, established in
1949, advises the Secretary of HHS on issues including the
implementation of health IT standards and safeguards for protecting the
privacy of personal health information.[Footnote 19] The committee's
recent recommendations related to HHS's health IT initiatives
addressed, among others, the uses and disclosures principle. For
example, in February 2008, the National Committee submitted five
recommendations to the Secretary that support an individual's right to
control the disclosure of certain sensitive health information for the
purposes of treatment.
Although the recommendations from these two advisory groups are still
under consideration by the Secretary, according to HHS officials,
contracts for the nationwide health information network require
participants to consider these recommendations when conducting network
trials once they are accepted by the Secretary.
The Office of the National Coordinator also took actions intended to
address key challenges to protecting exchanges of personal electronic
health information. Specifically, state-level initiatives (described
below) were formed to bring stakeholders from states together to
collaborate, propose solutions, and make recommendations to state and
federal policymakers for addressing challenges to protecting the
privacy of electronic personal health information within a nationwide
health information exchange. Outcomes of these initiatives provided
specific state-based solutions and recommendations for federal policy
and guidance for addressing key challenges described by our prior work
(see table 2).[Footnote 20]
* The Health Information Security and Privacy Collaboration is pursuing
privacy and security projects directly related to several of the
privacy challenges identified in our prior work, including the need to
resolve legal and policy issues resulting from varying state laws and
organizational-level business practices and policies, and the need to
obtain individuals' consent for the use and disclosure of personal
health information. For example, the state teams noted the need for
clarification about how to interpret and apply the "minimum necessary"
standard, and they recommended that HHS provide additional guidance to
clarify this issue. In addition, most of the state teams cited the need
for a process to obtain patient permission to use and disclose personal
health information, and the teams identified multiple solutions to
address differing definitions of patient permission, including the
creation of a common or uniform permission form for both paper and
electronic environments.
* The State Alliance for e-Health created an information protection
task force that in August 2007 proposed five recommendations that are
intended to address the challenge of understanding and resolving legal
and policy issues. The recommendations, which the alliance accepted,
focused on methods to facilitate greater state-federal interaction
related to protecting privacy and developing common solutions for the
exchange of electronic health information.
Beyond the initiatives previously discussed, in June 2008, the
Secretary released a federal health IT strategic plan[Footnote 21] that
includes a privacy and security objective for each of its strategic
goals, along with strategies and target dates for achieving the
objectives. [Footnote 22] For example, one of the strategies is to
complete the development of a confidentiality, privacy, and security
framework by the end of 2008, and another is to address inconsistent
statutes or regulations for the exchange of electronic health
information by the end of 2011. The strategic plan emphasized the
importance of privacy protection for electronic personal health
information by acknowledging that the success of a nationwide,
interoperable health IT infrastructure in the United States will
require a high degree of public confidence and trust.
In accordance with this strategy, the Office of the National
Coordinator is responsible for developing the confidentiality, privacy,
and security framework. The National Coordinator has indicated that
this framework, which is to be developed and published by the end of
calendar year 2008,[Footnote 23] is to incorporate the outcomes of the
department's privacy-related initiatives, and that milestones have been
developed and responsibility assigned for integrating these outcomes.
The National Coordinator has assigned responsibility for these
integration efforts and the development of the framework to the
Director of the Office of Policy and Research within the Office of the
National Coordinator. In this regard, the department has fulfilled the
first part of our recommendation.
Steps Taken Have Not Fully Implemented an Overall Privacy Approach:
While the various initiatives that HHS has undertaken are contributing
to the development and implementation of an overall privacy approach,
more work remains. In particular, the department has not defined a
process for ensuring that all privacy principles and challenges will be
fully and adequately addressed. This process would include, for
example, steps for ensuring that all stakeholders' contributions to
defining privacy-related activities are appropriately considered and
that individual inputs to the privacy framework will be effectively
assessed and prioritized to achieve comprehensive coverage of all key
privacy principles and challenges.
Such a process is important given the large number and variety of
activities being undertaken and the many stakeholders contributing to
the health IT initiatives. In particular, the contributing activities
involve a wide variety of stakeholders, including federal, state and
private-sector entities. Further, certain privacy-related activities
are relevant only to specific principles or challenges, and are
generally not aimed at comprehensively addressing all privacy
principles and challenges. For example, the certification and standards
harmonization efforts primarily address the implementation of technical
solutions for interoperable health IT and, therefore, are aimed at
system-level security measures, such as data encryption and password
protections, while the recommendations submitted by HHS's advisory
committees and state-level initiatives are primarily aimed at policy
and legal issues. Effectively assessing the contributions of individual
activities could play an important role in determining how each
activity contributes to the collective goal of ensuring comprehensive
privacy protection. Additionally, the outcomes of the various
activities may address privacy principles and challenges to varying
degrees. For example, while a number of the activities address the uses
and disclosures principle, HHS's advisory committees have made
recommendations that the department's activities more extensively
address the notice principle. Consequently, without defined steps for
thoroughly assessing the contributions of the activities, some
principles and challenges may be addressed extensively, while others
may receive inadequate attention, leading to gaps in the coverage of
the principles and challenges.
In discussing this matter with us, officials in the Office of the
National Coordinator pointed to the various health IT initiatives as an
approach that it is taking to manage privacy-related activities in a
coordinated and integrated manner. For example, the officials stated
that the purpose of the American Health Information Community's use
cases is to provide guidance and establish requirements for privacy
protections that are intended to be implemented throughout the
department's health IT initiatives (including standards harmonization,
electronic health records certification, and the nationwide health
information network). Similarly, contracts for the nationwide health
information network require participants to adopt approved health IT
standards (defined by the Healthcare Information Technology Standards
Panel) and, as mentioned earlier, to consider recommendations from the
American Health Information Community and the National Committee on
Vital and Health Statistics when conducting network trials, once these
recommendations are accepted or adopted by the Secretary.
While these are important activities for addressing privacy, they do
not constitute a defined process for assessing and prioritizing the
many privacy-related initiatives and the needs of stakeholders to
ensure that privacy issues and challenges will be addressed fully and
adequately. Without a process that accomplishes this, HHS faces the
risk that privacy protection measures may not be consistently and
effectively built into health IT programs, thus jeopardizing patient
privacy as well as the public confidence and trust that are essential
to the success of a future nationwide health information network.
Conclusions:
HHS and its Office of the National Coordinator for Health IT intend to
address key privacy principles and challenges through integrating the
privacy-related outcomes of the department's health IT initiatives.
Although it has established milestones and assigned responsibility for
integrating these outcomes and for the development of a
confidentiality, privacy, and security framework, the department has
not fully implemented our recommendation for an overall privacy
approach that is essential to ensuring that privacy principles and
challenges are fully and adequately addressed. Unless HHS's privacy
approach includes a defined process for assessing and prioritizing the
many privacy-related initiatives, the department may not be able to
ensure that key privacy principles and challenges will be fully and
adequately addressed. Further, stakeholders may lack the overall
policies and guidance needed to assist them in their efforts to ensure
that privacy protection measures are consistently built into health IT
programs and applications. As a result, the department may miss an
opportunity to establish the high degree of public confidence and trust
needed to help ensure the success of a nationwide health information
network.
Recommendation for Executive Action:
To ensure that key privacy principles and challenges are fully and
adequately addressed, we recommend that the Secretary of Health and
Human Services direct the National Coordinator for Health IT to include
in the department's overall privacy approach a process for assessing
and prioritizing its many privacy-related initiatives and the needs of
stakeholders.
Agency Comments and Our Evaluation:
HHS's Assistant Secretary for Legislation provided written comments on
a draft of this report. In the comments, the department generally
agreed with the information discussed in our report; however, it
neither agreed nor disagreed with our recommendation.
HHS agreed that more work remains to be done in the department's
efforts to protect the privacy of electronic personal health
information and stated that it is actively pursuing a two-phased
process for assessing and prioritizing privacy-related initiatives
intended to build public trust and confidence in health IT,
particularly in electronic health information exchange. According to
HHS, the process will include work with stakeholders to ensure that
real-world privacy challenges are understood. In addition, the
department stated that the process will assess the results and
recommendations from the various health IT initiatives and measure
progress toward addressing privacy-related milestones established by
the health IT strategic plan. As we recommended, effective
implementation of such a process could help ensure that the
department's overall privacy approach fully addresses key privacy
principles and challenges.
HHS also provided technical comments, which we have incorporated into
the report as appropriate. The department's written comments are
reproduced in appendix II.
We are sending copies of this report to interested congressional
committees and to the Secretary of HHS. Copies of this report will be
made available at no charge on our Web site at [hyperlink,
http://www.gao.gov].
If you have any questions on matters discussed in this report, please
contact me at (202) 512-6304 or Linda Koontz at (202) 512-6240, or by e-
mail at melvinv@gao.gov or koontzl@gao.gov. Contact points for our
offices of Congressional Relations and Public Affairs may be found on
the last page of this report. Other contacts and key contributors to
this report are listed in appendix III.
Sincerely yours,
Signed by:
Valerie C. Melvin:
Director, Human Capital and Management Information Systems Issues:
Signed by:
Linda D. Koontz:
Director, Information Management Issues:
[End of section]
Appendix I: Objective, Scope, and Methodology:
Our objective was to provide an update on the department's efforts to
define and implement an overall privacy approach, as we recommended in
an earlier report.[Footnote 24] Specifically, we recommended that the
Secretary of Health and Human Services define and implement an overall
approach for protecting health information that would (1) identify
milestones and the entity responsible for integrating the outcomes of
its privacy-related initiatives, (2) ensure that key privacy principles
in the Health Insurance Portability and Accountability Act of 1996
(HIPAA) are fully addressed, and (3) address key challenges associated
with the nationwide exchange of health information.
To determine the status of HHS's efforts to develop an overall privacy
approach, we analyzed the department's federal health IT strategic plan
and documents related to its planned confidentiality, privacy, and
security framework. We also analyzed plans and documents that described
activities of each of the health IT initiatives under the Office of the
National Coordinator and identified those intended to (1) develop and
implement mechanisms for addressing privacy principles and (2) develop
recommendations for overcoming challenges to ensuring the privacy of
patients' information. Specifically, we assessed descriptions of the
intended outcomes of the office's health IT initiatives to determine
the extent to which they related to these privacy principles and
challenges identified by our prior work.
To supplement our data collection and analysis, we conducted interviews
with officials from the Office of the National Coordinator to discuss
the department's approaches and future plans for addressing the
protection of personal health information within a nationwide health
information network.
We conducted this performance audit at the Department of Health and
Human Services in Washington, D.C., from April 2008 through September
2008, in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
[End of section]
Appendix II: Comments from the Department of Health and Human Services:
Department Of Health & Human Services:
Office Of The Secretary:
Assistant Secretary for Legislation:
Washington, DC 20201:
September 11, 2008:
Valerie C. Melvin:
Director, Human Capital and Management Information Systems:
U.S. Government Accountability Office:
441 G Street N.W.
Washington, DC 20548:
Dear Ms. Melvin:
Enclosed are comments on the U.S. Government Accountability Office's
(GAO) report entitled: "Health Information Technology: HHS Has Taken
Important Steps to Address Privacy Principles and Challenges, Although
More Work Remains" (GAO 08-1138).
The Department appreciates the opportunity to review this report before
its publication.
Sincerely,
Signed by:
Jennifer R. Luong, for:
Vincent J. Ventimiglia, Jr.
Assistant Secretary for Legislation:
Attachment:
Comments Of The Department Of Health And Human Services (HHS) On The
U.S. Government Accountability Office's (GAO) Draft Report Entitled:
Health Information Technology - HHS Has Taken Important Steps To
Address Privacy Principles And Challenges, Although More Work Remains
(GAO 08-1138):
General Comments:
The Department of Health and Human Services (HHS) appreciates the
opportunity to review the Government Accountability Office's (GAO)
draft report entitled "Health Information Technology - HHS Has Taken
Important Steps to Address Privacy Principles and Challenges, Although
More Work Remains."
In this update to the GAO's previous report on this subject, we
appreciate the GAO's recognition that "HHS has taken important steps to
address privacy principles and challenges" related to health
information technology (health IT). We agree that more work remains.
Progress is being made toward the President's goal that most Americans
have secure electronic health records by 2014. HHS will continue to
address privacy and security from both a technology and policy
perspective as we advance a nationwide, interoperable health IT
infrastructure that has sufficient flexibility to be able to
incorporate privacy and security solutions as they are developed.
The GAO correctly identifies many ongoing HHS initiatives that address
privacy and security. It is important to note that the report lists
representative examples of HHS initiatives in this area, and is not
intended to provide a complete compilation of HHS's privacy and
security activities.
In June 2008, HHS published the ONC-Coordinated Federal Health IT
Strategic Plan: 2008-2012 (the Strategic Plan), which includes several
specific strategies to address privacy and security of personal health
information in health IT initiatives. The key concept of coordination
reflected in the Strategic Plan's title is an essential component of
all our privacy and security strategies. While HHS is a leader in
health care and health IT, we recognize that our mission cannot be
accomplished without coordination and input from a wide range of
stakeholders. To that end, HHS has joined with state and other Federal
agencies, as well as the private sector, to engage a variety of
stakeholders in our health IT initiatives. Some examples of HHS's
privacy and security initiatives and activities include the Healthcare
Information Technology Standards Panel, the Certification Commission
for Healthcare Information Technology, the Health Information Security
and Privacy Collaboration, the State Alliance for e-Health, the State-
level Health Information Exchange Consensus Project, the Nationwide
Health Information Network Trial Implementations, the American Health
Information Community, and the National Committee on Vital and Health
Statistics. Thousands of participants are engaged in these efforts.
HHS is actively pursuing a two-stage process for assessing and
prioritizing privacy and security-related initiatives to build public
trust and confidence in health IT and in particular electronic health
information exchange. This process reflects our role as coordinators
and our belief that public-private dialogue is necessary to inform next
steps and achieve trust. First, we work with stakeholders to understand
concerns and real-world privacy and security challenges. Second, we
address privacy principles and challenges by assessing results and
recommendations from our initiatives, evaluating how each activity
builds on or influences the others, and measuring progress toward the
milestones established in the Strategic Plan. The process has and will
continue to address key privacy principles and challenges, develop
policies and guidance needed by stakeholders, and build a nationwide,
interoperable health IT infrastructure that includes the privacy and
security protections needed to ensure public confidence and trust.
HHS initiatives will continue to assure that electronic health
information is private and secure while concurrently improving
individual and population health through the advancement and adoption
of interoperable health IT.
[End of section]
Appendix III: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Valerie C. Melvin, (202) 512-6304 or melvinv@gao.gov Linda D. Koontz,
(202) 512-6240 or koontzl@gao.gov:
Acknowledgments:
In addition to those named above, key contributors to this report were
John A. de Ferrari, Assistant Director; Teresa F. Tucker, Assistant
Director; Barbara Collier; Heather A. Collins; Susan S. Czachor; Amanda
C. Gill; Nancy Glover; M. Saad Khan; Thomas E. Murphy; and Sylvia L.
Shanks.
[End of section]
Footnotes:
[1] Institute of Medicine, How the Public Views Privacy and Health
Research (Washington, D.C.: November 2007).
[2] The National Research Council is sponsored by the National Academy
of Sciences, the National Academy of Engineering, and the Institute of
Medicine. The mission of the council is to improve government decision
making and public policy, increase public education and understanding,
and promote the acquisition and dissemination of knowledge in matters
involving science, engineering, technology, and health.
[3] Executive Order 13335, Incentives for the Use of Health Information
Technology and Establishing the Position of the National Health
Information Technology Coordinator (Washington, D.C.: Apr. 27, 2004).
[4] Department of Health and Human Services, The Decade of Health
Information Technology: Delivering Consumer-centric and Information-
rich Health Care--Framework for Strategic Action (Washington, D.C.:
July 21, 2004).
[5] GAO, Health Information Technology: Early Efforts Initiated but
Comprehensive Privacy Approach Needed for National Strategy,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-238] (Washington,
D.C.: Jan. 10, 2007).
[6] The act provided for the Secretary of HHS to establish the first
broadly applicable federal privacy and security protections designed to
protect individually identifiable health information. Pub. L. No. 104-
191 (Aug. 21, 1996), sec. 262(a); 42 U.S.C. 1320d-2. Throughout this
report, when we refer to key privacy principles in HIPAA, we are
referring to the privacy principles promulgated under HIPAA's
Administrative Simplification provisions.
[7] The nation's public health system is made up of the federal, state,
tribal, and local agencies that deliver health care services to and
monitor the health of the population. Private health system
participants include hospitals, physicians, pharmacies, nursing homes,
and other organizations that deliver health care services to individual
patients.
[8] Health IT is the use of technology to electronically collect,
store, retrieve, and transfer clinical, administrative, and financial
health information.
[9] Executive Order 13335, April 27, 2004.
[10] Individually identifiable health information is the term used in
the Health Insurance Portability and Accountability Act of 1996 to
describe "personal health information" as defined in this report.
[11] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-238.
[12] GAO, Health Information Technology: Early Efforts Initiated, but
Comprehensive Privacy Approach Needed for National Strategy,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-400T] (Washington,
D.C.: Feb. 1, 2007); Health Information Technology: Efforts Continue
but Comprehensive Privacy Approach Needed for National Strategy,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-988T] (Washington,
D.C.: June 19, 2007); Health Information Technology: HHS Is Pursuing
Efforts to Advance Nationwide Implementation, but Has Not Yet Completed
a National Strategy, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-
08-499T] (Washington, D.C.: Feb. 14, 2008).
[13] The Secretary of HHS issued HIPAA's Privacy Rule in December 2000,
and, after modification, in August 2002. The Privacy Rule governs the
use and disclosure of individually identifiable health information
that, with some exceptions, is held or transmitted in any form or
medium by a covered entity.
[14] The community is a federal advisory body set up to make
recommendations on how to accelerate the development and adoption of
health IT, including identifying health IT standards, advancing
nationwide health information exchange, and protecting personal health
information.
[15] The personalized healthcare use case focuses on the exchange of
genetic/genomic test information, personal and family health history,
and the use of analytical tools in electronic health records to support
clinical decision making.
[16] Remote monitoring refers to the ability to monitor patient
information--such as physiological, diagnostic, medication tracking,
and activities of daily living measurements--using the patient's
electronic or personal health record.
[17] HHS's nationwide health information network initiative is managed
by the Office of National Coordinator for Health IT. Building on the
results of its earlier prototypes, HHS awarded contracts to nine health
information exchange organizations and cooperative agreements to six
additional organizations to develop trial implementations for testing
real-time information exchange and interoperability (that is, the
ability of two or more systems or components to exchange information
and to use the information that has been exchanged). The Social
Security Administration, the Departments of Defense and Veterans
Affairs, and HHS's Indian Health Services are also participating in
these trials.
[18] "Harmonizing" is the process of identifying overlaps and gaps in
relevant standards and developing recommendations to address these
overlaps and gaps.
[19] The National Committee on Vital and Health Statistics was
established as a public advisory committee that is statutorily
authorized to advise the Secretary of HHS on health data, statistics,
and national health information policy, including the implementation of
health IT standards.
[20] A third state-level initiative, the State-Level Health Information
Exchange Consensus Project (described earlier), issued a report in
March 2008 that also discusses internal challenges facing state health
IT organizations, such as organizational structure and resource
sustainability.
[21] HHS, Office of the National Coordinator for Health Information
Technology, The ONC-Coordinated Federal Health IT Strategic Plan: 2008-
2012 (Washington, D.C.: June 3, 2008).
[22] The two goals defined in the strategic plan are to (1) enable the
transformation to higher quality, more efficient, patient-focused
health care through electronic health information access and use by
care providers and by patients and their designees; and (2) enable the
appropriate, authorized, and timely access and use of electronic health
information to benefit public health, biomedical research, quality
improvement, and emergency preparedness.
[23] The outcomes of these initiatives are also to be integrated into
the development of the nationwide health information network.
[24] GAO, Health Information Technology: Early Efforts Initiated but
Comprehensive Privacy Approach Needed for National Strategy,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-238] (Washington,
D.C.: Jan. 10, 2007).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: