Health Information Technology

HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains Gao ID: GAO-08-1138 September 17, 2008

Although advances in information technology (IT) can improve the quality and other aspects of health care, the electronic storage and exchange of personal health information introduces risks to the privacy of that information. In January 2007, GAO reported on the status of efforts by the Department of Health and Human Services (HHS) to ensure the privacy of personal health information exchanged within a nationwide health information network. GAO recommended that HHS define and implement an overall privacy approach for protecting that information. For this report, GAO was asked to provide an update on HHS's efforts to address the January 2007 recommendation. To do so, GAO analyzed relevant HHS documents that described the department's privacy-related health IT activities.

Since GAO's January 2007 report on protecting the privacy of electronic personal health information, the department has taken steps to address the recommendation that it develop an overall privacy approach that included (1) identifying milestones and assigning responsibility for integrating the outcomes of its privacy-related initiatives, (2) ensuring that key privacy principles are fully addressed, and (3) addressing key challenges associated with the nationwide exchange of health information. In this regard, the department has fulfilled the first part of GAO's recommendation, and it has taken important steps in addressing the two other parts. The HHS Office of the National Coordinator for Health IT has continued to develop and implement health IT initiatives related to nationwide health information exchange. These initiatives include activities that are intended to address key privacy principles and challenges. For example: (1) The Healthcare Information Technology Standards Panel defined standards for implementing security features in systems that process personal health information. (2) The Certification Commission for Healthcare Information Technology defined certification criteria that include privacy protections for both outpatient and inpatient electronic health records. (3) Initiatives aimed at the state level have convened stakeholders to identify and propose solutions for addressing challenges faced by health information exchange organizations in protecting the privacy of electronic health information. In addition, the office has identified milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, as recommended. Further, the Secretary released a federal health IT strategic plan in June 2008 that includes privacy and security objectives along with strategies and target dates for achieving them. Nevertheless, while these steps contribute to an overall privacy approach, they have fallen short of fully implementing GAO's recommendation. In particular, HHS's privacy approach does not include a defined process for assessing and prioritizing the many privacy-related initiatives to ensure that key privacy principles and challenges will be fully and adequately addressed. As a result, stakeholders may lack the overall policies and guidance needed to assist them in their efforts to ensure that privacy protection measures are consistently built into health IT programs and applications. Moreover, the department may miss an opportunity to establish the high degree of public confidence and trust needed to help ensure the success of a nationwide health information network.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:

GAO-08-1138, Health Information Technology: HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains This is the accessible text file for GAO report number GAO-08-1138 entitled 'Health Information Technology: HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains' which was released on September 17, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, Committee on Homeland Security and Governmental Affairs, U.S. Senate: United States Government Accountability Office: GAO: September 2008: Health Information Technology: HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains: GAO-08-1138: GAO Highlights: Highlights of GAO-08-1138, a report to the Chairman, Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, Committee on Homeland Security and Governmental Affairs, U.S. Senate. Why GAO Did This Study: Although advances in information technology (IT) can improve the quality and other aspects of health care, the electronic storage and exchange of personal health information introduces risks to the privacy of that information. In January 2007, GAO reported on the status of efforts by the Department of Health and Human Services (HHS) to ensure the privacy of personal health information exchanged within a nationwide health information network. GAO recommended that HHS define and implement an overall privacy approach for protecting that information. For this report, GAO was asked to provide an update on HHS‘s efforts to address the January 2007 recommendation. To do so, GAO analyzed relevant HHS documents that described the department‘s privacy- related health IT activities. What GAO Found: Since GAO‘s January 2007 report on protecting the privacy of electronic personal health information, the department has taken steps to address the recommendation that it develop an overall privacy approach that included (1) identifying milestones and assigning responsibility for integrating the outcomes of its privacy-related initiatives, (2) ensuring that key privacy principles are fully addressed, and (3) addressing key challenges associated with the nationwide exchange of health information. In this regard, the department has fulfilled the first part of GAO‘s recommendation, and it has taken important steps in addressing the two other parts. The HHS Office of the National Coordinator for Health IT has continued to develop and implement health IT initiatives related to nationwide health information exchange. These initiatives include activities that are intended to address key privacy principles and challenges. For example: * The Healthcare Information Technology Standards Panel defined standards for implementing security features in systems that process personal health information. * The Certification Commission for Healthcare Information Technology defined certification criteria that include privacy protections for both outpatient and inpatient electronic health records. * Initiatives aimed at the state level have convened stakeholders to identify and propose solutions for addressing challenges faced by health information exchange organizations in protecting the privacy of electronic health information. In addition, the office has identified milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, as recommended. Further, the Secretary released a federal health IT strategic plan in June 2008 that includes privacy and security objectives along with strategies and target dates for achieving them. Nevertheless, while these steps contribute to an overall privacy approach, they have fallen short of fully implementing GAO‘s recommendation. In particular, HHS‘s privacy approach does not include a defined process for assessing and prioritizing the many privacy- related initiatives to ensure that key privacy principles and challenges will be fully and adequately addressed. As a result, stakeholders may lack the overall policies and guidance needed to assist them in their efforts to ensure that privacy protection measures are consistently built into health IT programs and applications. Moreover, the department may miss an opportunity to establish the high degree of public confidence and trust needed to help ensure the success of a nationwide health information network. What GAO Recommends: GAO recommends that HHS include in its overall privacy approach a process for ensuring that key privacy principles and challenges are completely and adequately addressed. In written comments on a draft of this report, HHS generally agreed with the information discussed in the report. To view the full product, including the scope and methodology, click on GAO-08-1138. For more information, contact Valerie C. Melvin, (202) 512- 6304 or melvinv@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: HHS Has Taken Steps to Address Privacy Principles and Challenges, but It Has Not Fully Implemented an Overall Privacy Approach: Conclusions: Recommendation for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objective, Scope, and Methodology: Appendix II: Comments from the Department of Health and Human Services: Appendix III: GAO Contacts and Staff Acknowledgments: Tables: Table 1: Key Privacy Principles in HIPAA's Privacy Rule: Table 2: Challenges to Exchanging Electronic Health Information: Abbreviations: HHS: Department of Health and Human Services: HIPAA: Health Insurance Portability and Accountability Act of 1996: IT: information technology: [End of section] United States Government Accountability Office: Washington, DC 20548: September 17, 2008: The Honorable Daniel K. Akaka: Chairman: Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia: Committee on Homeland Security and Governmental Affairs: United States Senate: Dear Mr. Chairman: Advances in health information technology (IT) have the potential to improve the quality of health care, to increase the availability of health information for treatment, and to implement safeguards that cannot be applied easily or cost-effectively to paper-based health records. However, the automation of health information also introduces new risks to the privacy of that information. A September 2007 survey sponsored by the Institute of Medicine indicated that nearly 60 percent of the respondents did not believe that the privacy of personal medical records and health information was adequately protected by federal and state laws and organization practices.[Footnote 1] According to the National Research Council,[Footnote 2] medical information is often the most privacy-sensitive information that patients provide to others about themselves, and protecting medical privacy has long been recognized as an essential element in a health care system. Further, industry groups and professional associations have called for stronger privacy protection of personal health information. In April 2004, President Bush issued an executive order that called for the development and implementation of a strategic plan to guide the nationwide implementation of interoperable health IT in both the public and private sectors.[Footnote 3] The order required the plan to address privacy and security issues related to interoperable health IT and recommend methods to ensure appropriate authorization, authentication, and encryption of data for transmission over the Internet. In 2004, the Secretary of Health and Human Services, through the Office of the National Coordinator for Health Information Technology, documented a framework for health IT as the first step toward the development of a national strategy.[Footnote 4] This framework stated that strengthening privacy protections for electronic personal health information was a critical health care need. In January 2007, we reported on activities of the Department of Health and Human Services (HHS) and its Office of the National Coordinator for Health IT to identify solutions for protecting personal health information.[Footnote 5] We noted that HHS was in the early stages of these activities and had not yet defined an overall approach for addressing key privacy principles and challenges, nor had it defined milestones or identified a responsible entity for integrating the results of these activities. Consequently, we recommended that the Secretary of Health and Human Services define and implement an overall approach for protecting health information that would (1) identify milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, (2) ensure that key privacy principles in the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[Footnote 6] are fully addressed, and (3) address key challenges associated with the nationwide exchange of health information. Subsequently, the department's National Coordinator for Health IT agreed with the need for an overall approach to protect health information and stated that the department was initiating steps to address our recommendation. As you requested, we conducted a follow-up study of the Office of the National Coordinator's efforts to ensure the privacy of electronic personal health information exchanged within a nationwide health information network. Our objective was to provide an update on the department's efforts to define and implement an overall privacy approach, as we recommended. To address our objective, we analyzed reports and other documentation of the Office of the National Coordinator's current health IT initiatives related to privacy. We also obtained and analyzed the department's documents describing plans and outcomes from the Office of the National Coordinator's health IT initiatives related to privacy, and we supplemented our analysis with interviews of officials from the National Coordinator's office to discuss the department's current approaches and future plans for developing and implementing an overall approach for addressing privacy protection within a nationwide health information network. We conducted this performance audit from April 2008 through September 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Our objective, scope, and methodology are described in appendix I. Results in Brief: Since we reported in January 2007 on HHS's efforts to protect electronic personal health information, the department has undertaken various initiatives that are contributing to its efforts to develop and implement an overall privacy approach. We recommended that this approach include (1) identifying milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, (2) ensuring that key privacy principles in HIPAA are fully addressed, and (3) addressing key challenges associated with the nationwide exchange of health information. In this regard, the department has fulfilled the first part of our recommendation, and it has taken important steps in addressing the two other parts. The Office of the National Coordinator for Health IT has continued to develop and implement initiatives related to a nationwide health information network, and these initiatives include activities that are intended to address certain key privacy principles and challenges. For example: * The Healthcare Information Technology Standards Panel defined standards for implementing security features in health IT systems that process personal health information. * The Certification Commission for Healthcare Information Technology defined certification criteria that include privacy protections for both outpatient and inpatient electronic health records. * State-level initiatives (such as the Health Information Security and Privacy Collaboration and the State Alliance for e-Health) have convened stakeholders to identify and propose solutions for addressing challenges to protecting the privacy of electronic health information faced by health information exchange organizations. In addition, the Office of the National Coordinator has identified milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, as we recommended. Further, the Secretary released a federal health IT strategic plan in June 2008 that includes privacy and security objectives along with strategies and target dates for achieving them. The strategic plan also outlines the Office of the National Coordinator's plans for developing a confidentiality, privacy, and security framework to incorporate the outcomes of privacy-related initiatives, which it expects to publish by December 2008. Nevertheless, while the aforementioned initiatives are significant to addressing privacy issues and challenges, they fall short of fully implementing our recommendation. Specifically, HHS has not defined, as part of its approach, a process for ensuring that all privacy principles and challenges will be fully and adequately addressed. Given the large number and variety of activities being undertaken and the many federal, state, and private-sector entities contributing to the health IT initiatives, it is important that the department and its Office of the National Coordinator define a process for ensuring that all stakeholders' contributions will be appropriately considered and that inputs to the privacy framework will be effectively assessed and prioritized to achieve comprehensive coverage of all privacy principles and challenges. In the absence of an overall approach that includes such a process, HHS faces the risk that privacy protection measures may not be consistently and effectively built into health IT programs, thus jeopardizing patient privacy as well as the public confidence and trust that are essential to the success of a future nationwide health information network. We are recommending that HHS include in its overall privacy approach a process for assessing and prioritizing initiatives and the stakeholders' needs to ensure that key privacy principles and challenges are completely and adequately addressed. HHS's Assistant Secretary for Legislation provided written comments on a draft of this report. In the comments, the department generally agreed with the information provided in the draft report; however, it neither agreed nor disagreed with our recommendation. HHS agreed that more work remains to be done in the department's efforts to protect the privacy of electronic personal health information and stated that the department is actively pursuing a process for assessing and prioritizing privacy-related initiatives intended to build public trust and confidence in health IT. As we recommended, effective implementation of such a process could help ensure that the department's overall privacy approach fully addresses key privacy principles and challenges. Background: Recognizing the potential value of IT for public and private health systems,[Footnote 7] the federal government has, for several years, been working to promote the nationwide use of health IT.[Footnote 8] In April 2004, President Bush called for widespread adoption of interoperable electronic health records within 10 years and issued an executive order[Footnote 9] that established the position of the National Coordinator for Health IT within HHS. The National Coordinator's responsibilities include developing, maintaining, and directing the implementation of a strategic plan to guide the nationwide implementation of interoperable health IT in both the public and private sectors. According to the strategic plan, the National Coordinator is to lead efforts to build a national health IT infrastructure that is intended to, among other things, ensure that patients' individually identifiable health information[Footnote 10] is secure, protected, and available to the patient to be used for medical and nonmedical purposes, as directed by the patient and as appropriate. In January 2007, we reported on the steps that HHS was taking to ensure the protection of personal health information exchanged within a nationwide network and on the challenges facing health information exchange organizations in protecting electronic personal health information.[Footnote 11] We reported that although HHS and the Office of the National Coordinator had initiated actions to identify solutions for protecting electronic personal health information, the department was in the early stages of its efforts and had not yet defined an overall privacy approach. As described earlier, we made recommendations regarding the need for an overall privacy approach, which we reiterated in subsequent testimonies in February 2007, June 2007, and February 2008.[Footnote 12] In our report, we described applicable provisions of HIPAA and other federal laws that are intended to protect the privacy of certain health information, along with the HIPAA Privacy Rule[Footnote 13] and key principles that are reflected in the rule. Table 1 summarizes these principles. Table 1: Key Privacy Principles in HIPAA's Privacy Rule: Principle: Uses and disclosures; Description: Provides limits to the circumstances in which an individual's protected health information may be used or disclosed by covered entities and provides for accounting of certain disclosures; requires covered entities to make reasonable efforts to disclose or use only the minimum necessary information to accomplish the intended purpose for the uses, disclosures, or requests, with certain exceptions, such as for treatment or as required by law. Principle: Notice; Description: Requires most covered entities to provide a notice of their privacy practices, including how personal health information may be used and disclosed. Principle: Access; Description: Establishes individuals' right to review and obtain a copy of their protected health information held in a designated record set.[A] Principle: Security[B]; Description: Requires covered entities to safeguard protected health information from inappropriate use or disclosure. Principle: Amendments; Description: Gives individuals the right to request from covered entities changes to inaccurate or incomplete protected health information held in a designated record set.[A] Principle: Administrative requirements; Description: Requires covered entities to analyze their own needs and implement solutions appropriate for their own environment based on a basic set of requirements for which they are accountable. Principle: Authorization; Description: Requires covered entities to obtain the individual's written authorization or consent for uses and disclosures of personal health information, with certain exceptions, such as for treatment, payment, and health care operations, or as required by law. Covered entities may choose to obtain the individual's consent to use or disclose protected health information to carry out treatment, payment, or health care operations but are not required to do so. Source: GAO analysis of HIPAA Privacy Rule. [A] According to the HIPAA Privacy Rule, a designated record set is a group of records maintained by or for a covered entity that is (1) the medical records and billing records about individuals maintained by or for a covered health care provider; (2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) used, in whole or in part, by or for the covered entity to make decisions about individuals. [B] The HIPAA Security Rule further defines safeguards that covered entities must implement to provide assurance that health information is protected from inappropriate uses and disclosure. [End of table] We also described in our report and testimonies challenges associated with protecting electronic health information that are faced by federal and state health information exchange organizations and health care providers. These challenges are summarized in table 2. Table 2: Challenges to Exchanging Electronic Health Information: Challenge: Understanding and resolving legal and policy issues; Description: * Resolving uncertainties regarding varying the extent of federal privacy protection required of various organizations; * Understanding and resolving data-sharing issues introduced by varying state privacy laws and organization-level practices; * Reaching agreement on organizations' differing interpretations and applications of HIPAA privacy and security rules; * Determining liability and enforcing sanctions in cases of breach of confidentiality. Challenge: Ensuring appropriate disclosure; Description: * Determining the minimum data necessary that can be disclosed in order for requesters to accomplish their intended purposes; * Obtaining individuals' authorization and consent for use and disclosure of personal health information; * Determining the best way to allow individuals to participate in and consent to electronic health information exchange; * Educating consumers so that they understand the extent to which their consent to use and disclose health information applies. Challenge: Ensuring individuals' rights to request access and amendments to health information to ensure it is correct; Description: * Ensuring that individuals understand that they have rights to request access and amendments to their own health information to ensure that it is correct; * Ensuring that individuals' amendments are properly made and tracked across multiple locations. Challenge: Implementing adequate security measures for protecting health information; Description: * Determining and implementing adequate techniques for authenticating requesters of health information; * Implementing proper access controls and maintaining adequate audit trails for monitoring access to health data; * Protecting data stored on portable devices and transmitted between business partners. Source: GAO analysis of information provided by state-level health information exchange organizations, federal health care providers, and health IT professional associations. [End of table] We reported that HHS had undertaken several initiatives intended to address aspects of key principles and challenges for protecting the privacy of health information. For example, in 2005, the department awarded four health IT contracts that included requirements for developing solutions to comply with federal privacy requirements and identifying techniques and standards for securing health information. HHS Has Taken Steps to Address Privacy Principles and Challenges, but It Has Not Fully Implemented an Overall Privacy Approach: Since January 2007, HHS has undertaken various initiatives that are contributing to its development of an overall privacy approach, although more work remains. We recommended that this overall approach include (1) identifying milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, (2) ensuring that key privacy principles in HIPAA are fully addressed, and (3) addressing key challenges associated with the nationwide exchange of health information. In this regard, the department has fulfilled the first part of our recommendation, and it has taken important steps in addressing the two other parts. Nevertheless, these steps have fallen short of fully implementing our recommendation because they do not include a process for ensuring that all key privacy principles and challenges will be fully and adequately addressed. In the absence of such a process, HHS may not be effectively positioned to ensure that health IT initiatives achieve comprehensive privacy protection within a nationwide health information network. HHS Has Taken Steps to Address Privacy Principles and Challenges through Its Various Health IT Initiatives: The department and its Office of the National Coordinator have continued taking steps intended to address key privacy principles and challenges through various health IT initiatives. Among other things, these initiatives have resulted in technical requirements, standards, and certification criteria related to the key privacy principles described in table 1. The following are examples of ways that the Office of the National Coordinator's health IT initiatives relate to privacy principles reflected in HIPAA. * As part of its efforts to advance health IT, the American Health Information Community[Footnote 14] defines "use cases," which are descriptions of specific business processes and ways that systems should interact with users and with other systems to achieve specific goals. Among other things, several of the use cases include requirements and specifications that address aspects of the access, uses and disclosures, and amendments privacy principles. For example, the "consumer empowerment" use case describes at a high level specific capabilities that align with the access principle. It requires that health IT systems include mechanisms that allow consumers to access their own clinical information, such as lab results and diagnosis codes, from other sources to include in their personal health records. The use case also aligns with the uses and disclosures principle and includes requirements that allow consumers to control access to their personal health record information and specify which information can be accessed by health care providers and organizations within health information networks. Further, the consumer empowerment use case aligns with the amendments privacy principle, emphasizing the need for policies to guide decisions about which data consumers should be able to modify, annotate, or request that organizations change. (Other use cases that are related to these privacy principles are the "personalized healthcare"[Footnote 15] and "remote monitoring"[Footnote 16] use cases.) * Under HHS's initiative to implement a nationwide health information network,[Footnote 17] in January 2007, four test network implementations, or prototypes, demonstrated potential nationwide health information exchange and laid the foundation for the Office of the National Coordinator's ongoing network trial implementations. Activities within the prototypes and the trial implementations are related to privacy principles, including the security, access, uses and disclosures, and administrative requirements principles. For example, the prototypes produced specific requirements for security mechanisms (such as data access control and encryption) that address aspects of the security principle. Additionally, the ongoing trial implementations are guided by requirements for using personal health data intended to address the access, uses and disclosures, and administrative requirements principles. For example, participants in the trial implementations are to provide the capability for consumers to access information, such as registration and medication history data, from other sources to include in their personal health records, to control access to self-entered data or clinical information held in a personal health record, and to control the types of information that can be released from personal health records for health information exchange. In addition, organizations participating in the network are required to provide system administrators the ability to monitor and audit all access to and use of the data stored in their systems. * The Healthcare Information Technology Standards Panel continued work to "harmonize" standards directly related to several key privacy principles, primarily the security principle.[Footnote 18] In addition, the panel developed technical guidelines that are intended to address other privacy principles, such as the authorization principle and the uses and disclosures principle. For example, the panel's guidelines specify that systems should be designed to ensure that consumers' instructions related to authorization and consent are captured, managed, and available to those requesting the health information. * The Certification Commission for Healthcare Information Technology, which is developing and evaluating the criteria and process for certifying the functionality, security, and interoperability of electronic health records, took steps that primarily address the security principle. For example, the commission defined specific security criteria for both ambulatory and inpatient electronic health records that require various safeguards to be in place before electronic health record systems are certified. Among other things, these safeguards include ensuring that system administrators can modify the privileges of users so that only those who have a need to access patients' information are allowed to do so and that the minimum amount of information necessary can be accessed by system users. * The State-Level Health Information Exchange Consensus Project, a consortium of public and private-sector stakeholders, is intended to promote consistent organizational policies regarding privacy and health information exchange. The consortium issued a report in February 2007 that addresses, among other principles, the uses and disclosures privacy principle. For example, the report advises health information exchange organizations to maintain information about access to and disclosure of patients' personal health information and to make that data available to patients. The consortium subsequently issued another report in March 2008 that recommended practices to ensure the appropriate access, use, and control of health information. Additionally, two of HHS's key advisory groups continued to develop and provide recommendations to the Secretary of HHS for addressing privacy issues and concerns: * The Confidentiality, Privacy, and Security Workgroup was formed in 2006 by the American Health Information Community to focus specifically on these issues and has submitted recommendations to the community that address privacy principles. Among these are recommendations related to the notice principle that the workgroup submitted in February and April 2008. These recommendations stated that health information exchange organizations should provide patients, via the Web or another means, information in plain language on how these organizations use and disclose health information, their privacy policies and practices, and how they safeguard patient or consumer information. The work group also submitted recommendations related to the administrative requirements principle, stating that the obligation to provide individual rights and a notice of privacy practices under HIPAA should remain with the health care provider or plan that has an established, independent relationship with a patient, not with the health information exchange. * The National Committee on Vital and Health Statistics, established in 1949, advises the Secretary of HHS on issues including the implementation of health IT standards and safeguards for protecting the privacy of personal health information.[Footnote 19] The committee's recent recommendations related to HHS's health IT initiatives addressed, among others, the uses and disclosures principle. For example, in February 2008, the National Committee submitted five recommendations to the Secretary that support an individual's right to control the disclosure of certain sensitive health information for the purposes of treatment. Although the recommendations from these two advisory groups are still under consideration by the Secretary, according to HHS officials, contracts for the nationwide health information network require participants to consider these recommendations when conducting network trials once they are accepted by the Secretary. The Office of the National Coordinator also took actions intended to address key challenges to protecting exchanges of personal electronic health information. Specifically, state-level initiatives (described below) were formed to bring stakeholders from states together to collaborate, propose solutions, and make recommendations to state and federal policymakers for addressing challenges to protecting the privacy of electronic personal health information within a nationwide health information exchange. Outcomes of these initiatives provided specific state-based solutions and recommendations for federal policy and guidance for addressing key challenges described by our prior work (see table 2).[Footnote 20] * The Health Information Security and Privacy Collaboration is pursuing privacy and security projects directly related to several of the privacy challenges identified in our prior work, including the need to resolve legal and policy issues resulting from varying state laws and organizational-level business practices and policies, and the need to obtain individuals' consent for the use and disclosure of personal health information. For example, the state teams noted the need for clarification about how to interpret and apply the "minimum necessary" standard, and they recommended that HHS provide additional guidance to clarify this issue. In addition, most of the state teams cited the need for a process to obtain patient permission to use and disclose personal health information, and the teams identified multiple solutions to address differing definitions of patient permission, including the creation of a common or uniform permission form for both paper and electronic environments. * The State Alliance for e-Health created an information protection task force that in August 2007 proposed five recommendations that are intended to address the challenge of understanding and resolving legal and policy issues. The recommendations, which the alliance accepted, focused on methods to facilitate greater state-federal interaction related to protecting privacy and developing common solutions for the exchange of electronic health information. Beyond the initiatives previously discussed, in June 2008, the Secretary released a federal health IT strategic plan[Footnote 21] that includes a privacy and security objective for each of its strategic goals, along with strategies and target dates for achieving the objectives. [Footnote 22] For example, one of the strategies is to complete the development of a confidentiality, privacy, and security framework by the end of 2008, and another is to address inconsistent statutes or regulations for the exchange of electronic health information by the end of 2011. The strategic plan emphasized the importance of privacy protection for electronic personal health information by acknowledging that the success of a nationwide, interoperable health IT infrastructure in the United States will require a high degree of public confidence and trust. In accordance with this strategy, the Office of the National Coordinator is responsible for developing the confidentiality, privacy, and security framework. The National Coordinator has indicated that this framework, which is to be developed and published by the end of calendar year 2008,[Footnote 23] is to incorporate the outcomes of the department's privacy-related initiatives, and that milestones have been developed and responsibility assigned for integrating these outcomes. The National Coordinator has assigned responsibility for these integration efforts and the development of the framework to the Director of the Office of Policy and Research within the Office of the National Coordinator. In this regard, the department has fulfilled the first part of our recommendation. Steps Taken Have Not Fully Implemented an Overall Privacy Approach: While the various initiatives that HHS has undertaken are contributing to the development and implementation of an overall privacy approach, more work remains. In particular, the department has not defined a process for ensuring that all privacy principles and challenges will be fully and adequately addressed. This process would include, for example, steps for ensuring that all stakeholders' contributions to defining privacy-related activities are appropriately considered and that individual inputs to the privacy framework will be effectively assessed and prioritized to achieve comprehensive coverage of all key privacy principles and challenges. Such a process is important given the large number and variety of activities being undertaken and the many stakeholders contributing to the health IT initiatives. In particular, the contributing activities involve a wide variety of stakeholders, including federal, state and private-sector entities. Further, certain privacy-related activities are relevant only to specific principles or challenges, and are generally not aimed at comprehensively addressing all privacy principles and challenges. For example, the certification and standards harmonization efforts primarily address the implementation of technical solutions for interoperable health IT and, therefore, are aimed at system-level security measures, such as data encryption and password protections, while the recommendations submitted by HHS's advisory committees and state-level initiatives are primarily aimed at policy and legal issues. Effectively assessing the contributions of individual activities could play an important role in determining how each activity contributes to the collective goal of ensuring comprehensive privacy protection. Additionally, the outcomes of the various activities may address privacy principles and challenges to varying degrees. For example, while a number of the activities address the uses and disclosures principle, HHS's advisory committees have made recommendations that the department's activities more extensively address the notice principle. Consequently, without defined steps for thoroughly assessing the contributions of the activities, some principles and challenges may be addressed extensively, while others may receive inadequate attention, leading to gaps in the coverage of the principles and challenges. In discussing this matter with us, officials in the Office of the National Coordinator pointed to the various health IT initiatives as an approach that it is taking to manage privacy-related activities in a coordinated and integrated manner. For example, the officials stated that the purpose of the American Health Information Community's use cases is to provide guidance and establish requirements for privacy protections that are intended to be implemented throughout the department's health IT initiatives (including standards harmonization, electronic health records certification, and the nationwide health information network). Similarly, contracts for the nationwide health information network require participants to adopt approved health IT standards (defined by the Healthcare Information Technology Standards Panel) and, as mentioned earlier, to consider recommendations from the American Health Information Community and the National Committee on Vital and Health Statistics when conducting network trials, once these recommendations are accepted or adopted by the Secretary. While these are important activities for addressing privacy, they do not constitute a defined process for assessing and prioritizing the many privacy-related initiatives and the needs of stakeholders to ensure that privacy issues and challenges will be addressed fully and adequately. Without a process that accomplishes this, HHS faces the risk that privacy protection measures may not be consistently and effectively built into health IT programs, thus jeopardizing patient privacy as well as the public confidence and trust that are essential to the success of a future nationwide health information network. Conclusions: HHS and its Office of the National Coordinator for Health IT intend to address key privacy principles and challenges through integrating the privacy-related outcomes of the department's health IT initiatives. Although it has established milestones and assigned responsibility for integrating these outcomes and for the development of a confidentiality, privacy, and security framework, the department has not fully implemented our recommendation for an overall privacy approach that is essential to ensuring that privacy principles and challenges are fully and adequately addressed. Unless HHS's privacy approach includes a defined process for assessing and prioritizing the many privacy-related initiatives, the department may not be able to ensure that key privacy principles and challenges will be fully and adequately addressed. Further, stakeholders may lack the overall policies and guidance needed to assist them in their efforts to ensure that privacy protection measures are consistently built into health IT programs and applications. As a result, the department may miss an opportunity to establish the high degree of public confidence and trust needed to help ensure the success of a nationwide health information network. Recommendation for Executive Action: To ensure that key privacy principles and challenges are fully and adequately addressed, we recommend that the Secretary of Health and Human Services direct the National Coordinator for Health IT to include in the department's overall privacy approach a process for assessing and prioritizing its many privacy-related initiatives and the needs of stakeholders. Agency Comments and Our Evaluation: HHS's Assistant Secretary for Legislation provided written comments on a draft of this report. In the comments, the department generally agreed with the information discussed in our report; however, it neither agreed nor disagreed with our recommendation. HHS agreed that more work remains to be done in the department's efforts to protect the privacy of electronic personal health information and stated that it is actively pursuing a two-phased process for assessing and prioritizing privacy-related initiatives intended to build public trust and confidence in health IT, particularly in electronic health information exchange. According to HHS, the process will include work with stakeholders to ensure that real-world privacy challenges are understood. In addition, the department stated that the process will assess the results and recommendations from the various health IT initiatives and measure progress toward addressing privacy-related milestones established by the health IT strategic plan. As we recommended, effective implementation of such a process could help ensure that the department's overall privacy approach fully addresses key privacy principles and challenges. HHS also provided technical comments, which we have incorporated into the report as appropriate. The department's written comments are reproduced in appendix II. We are sending copies of this report to interested congressional committees and to the Secretary of HHS. Copies of this report will be made available at no charge on our Web site at [hyperlink, http://www.gao.gov]. If you have any questions on matters discussed in this report, please contact me at (202) 512-6304 or Linda Koontz at (202) 512-6240, or by e- mail at melvinv@gao.gov or koontzl@gao.gov. Contact points for our offices of Congressional Relations and Public Affairs may be found on the last page of this report. Other contacts and key contributors to this report are listed in appendix III. Sincerely yours, Signed by: Valerie C. Melvin: Director, Human Capital and Management Information Systems Issues: Signed by: Linda D. Koontz: Director, Information Management Issues: [End of section] Appendix I: Objective, Scope, and Methodology: Our objective was to provide an update on the department's efforts to define and implement an overall privacy approach, as we recommended in an earlier report.[Footnote 24] Specifically, we recommended that the Secretary of Health and Human Services define and implement an overall approach for protecting health information that would (1) identify milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, (2) ensure that key privacy principles in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are fully addressed, and (3) address key challenges associated with the nationwide exchange of health information. To determine the status of HHS's efforts to develop an overall privacy approach, we analyzed the department's federal health IT strategic plan and documents related to its planned confidentiality, privacy, and security framework. We also analyzed plans and documents that described activities of each of the health IT initiatives under the Office of the National Coordinator and identified those intended to (1) develop and implement mechanisms for addressing privacy principles and (2) develop recommendations for overcoming challenges to ensuring the privacy of patients' information. Specifically, we assessed descriptions of the intended outcomes of the office's health IT initiatives to determine the extent to which they related to these privacy principles and challenges identified by our prior work. To supplement our data collection and analysis, we conducted interviews with officials from the Office of the National Coordinator to discuss the department's approaches and future plans for addressing the protection of personal health information within a nationwide health information network. We conducted this performance audit at the Department of Health and Human Services in Washington, D.C., from April 2008 through September 2008, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Comments from the Department of Health and Human Services: Department Of Health & Human Services: Office Of The Secretary: Assistant Secretary for Legislation: Washington, DC 20201: September 11, 2008: Valerie C. Melvin: Director, Human Capital and Management Information Systems: U.S. Government Accountability Office: 441 G Street N.W. Washington, DC 20548: Dear Ms. Melvin: Enclosed are comments on the U.S. Government Accountability Office's (GAO) report entitled: "Health Information Technology: HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains" (GAO 08-1138). The Department appreciates the opportunity to review this report before its publication. Sincerely, Signed by: Jennifer R. Luong, for: Vincent J. Ventimiglia, Jr. Assistant Secretary for Legislation: Attachment: Comments Of The Department Of Health And Human Services (HHS) On The U.S. Government Accountability Office's (GAO) Draft Report Entitled: Health Information Technology - HHS Has Taken Important Steps To Address Privacy Principles And Challenges, Although More Work Remains (GAO 08-1138): General Comments: The Department of Health and Human Services (HHS) appreciates the opportunity to review the Government Accountability Office's (GAO) draft report entitled "Health Information Technology - HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains." In this update to the GAO's previous report on this subject, we appreciate the GAO's recognition that "HHS has taken important steps to address privacy principles and challenges" related to health information technology (health IT). We agree that more work remains. Progress is being made toward the President's goal that most Americans have secure electronic health records by 2014. HHS will continue to address privacy and security from both a technology and policy perspective as we advance a nationwide, interoperable health IT infrastructure that has sufficient flexibility to be able to incorporate privacy and security solutions as they are developed. The GAO correctly identifies many ongoing HHS initiatives that address privacy and security. It is important to note that the report lists representative examples of HHS initiatives in this area, and is not intended to provide a complete compilation of HHS's privacy and security activities. In June 2008, HHS published the ONC-Coordinated Federal Health IT Strategic Plan: 2008-2012 (the Strategic Plan), which includes several specific strategies to address privacy and security of personal health information in health IT initiatives. The key concept of coordination reflected in the Strategic Plan's title is an essential component of all our privacy and security strategies. While HHS is a leader in health care and health IT, we recognize that our mission cannot be accomplished without coordination and input from a wide range of stakeholders. To that end, HHS has joined with state and other Federal agencies, as well as the private sector, to engage a variety of stakeholders in our health IT initiatives. Some examples of HHS's privacy and security initiatives and activities include the Healthcare Information Technology Standards Panel, the Certification Commission for Healthcare Information Technology, the Health Information Security and Privacy Collaboration, the State Alliance for e-Health, the State- level Health Information Exchange Consensus Project, the Nationwide Health Information Network Trial Implementations, the American Health Information Community, and the National Committee on Vital and Health Statistics. Thousands of participants are engaged in these efforts. HHS is actively pursuing a two-stage process for assessing and prioritizing privacy and security-related initiatives to build public trust and confidence in health IT and in particular electronic health information exchange. This process reflects our role as coordinators and our belief that public-private dialogue is necessary to inform next steps and achieve trust. First, we work with stakeholders to understand concerns and real-world privacy and security challenges. Second, we address privacy principles and challenges by assessing results and recommendations from our initiatives, evaluating how each activity builds on or influences the others, and measuring progress toward the milestones established in the Strategic Plan. The process has and will continue to address key privacy principles and challenges, develop policies and guidance needed by stakeholders, and build a nationwide, interoperable health IT infrastructure that includes the privacy and security protections needed to ensure public confidence and trust. HHS initiatives will continue to assure that electronic health information is private and secure while concurrently improving individual and population health through the advancement and adoption of interoperable health IT. [End of section] Appendix III: GAO Contacts and Staff Acknowledgments: GAO Contacts: Valerie C. Melvin, (202) 512-6304 or melvinv@gao.gov Linda D. Koontz, (202) 512-6240 or koontzl@gao.gov: Acknowledgments: In addition to those named above, key contributors to this report were John A. de Ferrari, Assistant Director; Teresa F. Tucker, Assistant Director; Barbara Collier; Heather A. Collins; Susan S. Czachor; Amanda C. Gill; Nancy Glover; M. Saad Khan; Thomas E. Murphy; and Sylvia L. Shanks. [End of section] Footnotes: [1] Institute of Medicine, How the Public Views Privacy and Health Research (Washington, D.C.: November 2007). [2] The National Research Council is sponsored by the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The mission of the council is to improve government decision making and public policy, increase public education and understanding, and promote the acquisition and dissemination of knowledge in matters involving science, engineering, technology, and health. [3] Executive Order 13335, Incentives for the Use of Health Information Technology and Establishing the Position of the National Health Information Technology Coordinator (Washington, D.C.: Apr. 27, 2004). [4] Department of Health and Human Services, The Decade of Health Information Technology: Delivering Consumer-centric and Information- rich Health Care--Framework for Strategic Action (Washington, D.C.: July 21, 2004). [5] GAO, Health Information Technology: Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-238] (Washington, D.C.: Jan. 10, 2007). [6] The act provided for the Secretary of HHS to establish the first broadly applicable federal privacy and security protections designed to protect individually identifiable health information. Pub. L. No. 104- 191 (Aug. 21, 1996), sec. 262(a); 42 U.S.C. 1320d-2. Throughout this report, when we refer to key privacy principles in HIPAA, we are referring to the privacy principles promulgated under HIPAA's Administrative Simplification provisions. [7] The nation's public health system is made up of the federal, state, tribal, and local agencies that deliver health care services to and monitor the health of the population. Private health system participants include hospitals, physicians, pharmacies, nursing homes, and other organizations that deliver health care services to individual patients. [8] Health IT is the use of technology to electronically collect, store, retrieve, and transfer clinical, administrative, and financial health information. [9] Executive Order 13335, April 27, 2004. [10] Individually identifiable health information is the term used in the Health Insurance Portability and Accountability Act of 1996 to describe "personal health information" as defined in this report. [11] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-238. [12] GAO, Health Information Technology: Early Efforts Initiated, but Comprehensive Privacy Approach Needed for National Strategy, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-400T] (Washington, D.C.: Feb. 1, 2007); Health Information Technology: Efforts Continue but Comprehensive Privacy Approach Needed for National Strategy, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-988T] (Washington, D.C.: June 19, 2007); Health Information Technology: HHS Is Pursuing Efforts to Advance Nationwide Implementation, but Has Not Yet Completed a National Strategy, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO- 08-499T] (Washington, D.C.: Feb. 14, 2008). [13] The Secretary of HHS issued HIPAA's Privacy Rule in December 2000, and, after modification, in August 2002. The Privacy Rule governs the use and disclosure of individually identifiable health information that, with some exceptions, is held or transmitted in any form or medium by a covered entity. [14] The community is a federal advisory body set up to make recommendations on how to accelerate the development and adoption of health IT, including identifying health IT standards, advancing nationwide health information exchange, and protecting personal health information. [15] The personalized healthcare use case focuses on the exchange of genetic/genomic test information, personal and family health history, and the use of analytical tools in electronic health records to support clinical decision making. [16] Remote monitoring refers to the ability to monitor patient information--such as physiological, diagnostic, medication tracking, and activities of daily living measurements--using the patient's electronic or personal health record. [17] HHS's nationwide health information network initiative is managed by the Office of National Coordinator for Health IT. Building on the results of its earlier prototypes, HHS awarded contracts to nine health information exchange organizations and cooperative agreements to six additional organizations to develop trial implementations for testing real-time information exchange and interoperability (that is, the ability of two or more systems or components to exchange information and to use the information that has been exchanged). The Social Security Administration, the Departments of Defense and Veterans Affairs, and HHS's Indian Health Services are also participating in these trials. [18] "Harmonizing" is the process of identifying overlaps and gaps in relevant standards and developing recommendations to address these overlaps and gaps. [19] The National Committee on Vital and Health Statistics was established as a public advisory committee that is statutorily authorized to advise the Secretary of HHS on health data, statistics, and national health information policy, including the implementation of health IT standards. [20] A third state-level initiative, the State-Level Health Information Exchange Consensus Project (described earlier), issued a report in March 2008 that also discusses internal challenges facing state health IT organizations, such as organizational structure and resource sustainability. [21] HHS, Office of the National Coordinator for Health Information Technology, The ONC-Coordinated Federal Health IT Strategic Plan: 2008- 2012 (Washington, D.C.: June 3, 2008). [22] The two goals defined in the strategic plan are to (1) enable the transformation to higher quality, more efficient, patient-focused health care through electronic health information access and use by care providers and by patients and their designees; and (2) enable the appropriate, authorized, and timely access and use of electronic health information to benefit public health, biomedical research, quality improvement, and emergency preparedness. [23] The outcomes of these initiatives are also to be integrated into the development of the nationwide health information network. [24] GAO, Health Information Technology: Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-238] (Washington, D.C.: Jan. 10, 2007). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: