Privacy and Security
Food and Drug Administration Faces Challenges in Establishing Protections for Its Postmarket Risk Analysis System
GAO ID: GAO-09-355 June 1, 2009
The Food and Drug Administration (FDA) is responsible for assessing the safety of certain medical products after approval (a process called postmarket risk surveillance). To this end, the Food and Drug Administration Amendments Act of 2007 required that FDA establish a postmarket risk identification and analysis system based on electronic health data. In May 2008, FDA began its Sentinel initiative, intended to fulfill this requirement. Additionally, the Act established a requirement for GAO to review FDA's planned system. GAO's specific objectives were to (1) describe the current status of FDA's implementation of the Sentinel system and (2) identify the key privacy and security challenges associated with FDA's plans for the Sentinel system. To do so, GAO analyzed available system documentation; reviewed key privacy and security laws, guidance, standards, and practices; and obtained and analyzed the views of privacy and security experts.
The Sentinel system is still in the early planning stages, with key decisions about development and milestones yet to be made. In planning for Sentinel, FDA has held outreach meetings with stakeholders, established a senior management team to solicit input from agency components; established a working group to share information with federal partners; and sought input from projects involving both public and private sector entities that are meant to refine research approaches and identify challenges and concerns. Although FDA has developed a preliminary design of the Sentinel process for making medical product safety-related queries, key decisions such as developing a governance model for oversight and enforcement of relevant policies, establishing an architecture, and setting privacy and security policies have not yet been made. Further, FDA has not yet developed a plan or set of milestones for when it expects to have these issues addressed. Because the Sentinel system will rely on sensitive electronic health data, FDA will likely be faced with several significant privacy and security challenges as it continues to develop the Sentinel system including (1) ensuring that appropriate legal mechanisms are established to protect privacy and implement security consistently across the Sentinel system; (2) defining a clear and specific purpose for the system and ensuring that partners use personal health information only for specified purposes; (3) ensuring public involvement and effectively informing the public of the program's planned uses of their personal health information; (4) ensuring that de-identified information--data stripped of fields that uniquely identify individuals--is not re-identified; (5) establishing adequate security controls to protect the personal health information associated with Sentinel; and (6) establishing sufficient oversight and enforcement mechanisms to ensure that privacy and security requirements are consistently implemented. 
FDA has yet to develop a plan or set milestones for addressing these challenges.
GAO-09-355, Privacy and Security: Food and Drug Administration Faces Challenges in Establishing Protections for Its Postmarket Risk Analysis System
This is the accessible text file for GAO report number GAO-09-355
entitled 'Privacy And Security: Food and Drug Administration Faces
Challenges in Establishing Protections for Its Postmarket Risk Analysis
System' which was released on June 1, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
United States Government Accountability Office:
GAO:
June 2009:
Privacy And Security:
Food and Drug Administration Faces Challenges in Establishing
Protections for Its Postmarket Risk Analysis System:
GAO-09-355:
GAO Highlights:
Highlights of GAO-09-355, a report to congressional committees.
Why GAO Did This Study:
The Food and Drug Administration (FDA) is responsible for assessing the
safety of certain medical products after approval (a process called
postmarket risk surveillance). To this end, the Food and Drug
Administration Amendments Act of 2007 required that FDA establish a
postmarket risk identification and analysis system based on electronic
health data. In May 2008, FDA began its Sentinel initiative, intended
to fulfill this requirement. Additionally, the Act established a
requirement for GAO to review FDA's planned system. GAO's specific
objectives were to (1) describe the current status of FDA's
implementation of the Sentinel system and (2) identify the key privacy
and security challenges associated with FDA's plans for the Sentinel
system. To do so, GAO analyzed available system documentation; reviewed
key privacy and security laws, guidance, standards, and practices; and
obtained and analyzed the views of privacy and security experts.
What GAO Found:
The Sentinel system is still in the early planning stages, with key
decisions about development and milestones yet to be made. In planning
for Sentinel, FDA has held outreach meetings with stakeholders,
established a senior management team to solicit input from agency
components; established a working group to share information with
federal partners; and sought input from projects involving both public
and private sector entities that are meant to refine research
approaches and identify challenges and concerns. Although FDA has
developed a preliminary design of the Sentinel process for making
medical product safety-related queries (see below), key decisions such
as developing a governance model for oversight and enforcement of
relevant policies, establishing an architecture, and setting privacy
and security policies have not yet been made. Further, FDA has not yet
developed a plan or set of milestones for when it expects to have these
issues addressed.
Because the Sentinel system will rely on sensitive electronic health
data, FDA will likely be faced with several significant privacy and
security challenges as it continues to develop the Sentinel system
including:
* ensuring that appropriate legal mechanisms are established to protect
privacy and implement security consistently across the Sentinel system;
* defining a clear and specific purpose for the system and ensuring
that partners use personal health information only for specified
purposes;
* ensuring public involvement and effectively informing the public of
the program's planned uses of their personal health information;
* ensuring that de-identified information--data stripped of fields that
uniquely identify individuals--is not re-identified;
* establishing adequate security controls to protect the personal
health information associated with Sentinel; and
* establishing sufficient oversight and enforcement mechanisms to
ensure that privacy and security requirements are consistently
implemented.
FDA has yet to develop a plan or set milestones for addressing these
challenges.
Figure: Overview of the Planned Sentinel Query Process:
[Refer to PDF for image: illustration]
FDA and other entities[A]:
* Query initiated to Sentinel coordinating center;
* Coordinating center returns summaries of results;
* Results summaries may potentially be shared with the public.
Sentinel coordinating center:
* Query sent to appropriate data sources:
- Healthcare insurances providers;
- Academic institutions;
- Federal and state government agencies;
- Healthcare providers;
* Results summaries returned to coordinating center.
Source: GAO based on FDA data.
[A] Pharmaceutical companies are potential partners in the system, but
may be limited in their capabilities. According to FDA officials,
partners in the pharmaceutical industry are not to have access to
personal health information but may be provided access to results
summaries.
[End of figure]
What GAO Recommends:
GAO recommends that the Commissioner of FDA develop a plan, including
milestones, for developing the Sentinel system and for addressing
privacy and security challenges. In written comments on this report,
FDA agreed with GAO‘s recommendation, but noted concerns with GAO‘s
representation of the program which FDA stated would lead readers to
believe that their protected health information was at risk.
View [hyperlink, http://www.gao.gov/products/GAO-09-355] or key
components. For more information, contact Gregory C. Wilshusen at (202)
512-6244 or wilshuseng@gao.gov.
[End of section]
Contents:
Letter:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Briefing to Congressional Committees:
Appendix II: Comments from the Food and Drug Administration:
Appendix III: GAO Contact and Staff Acknowledgments:
Abbreviations:
CMS: Centers for Medicare & Medicaid Services:
eHI: eHealth Initiative:
FDA: Food and Drug Administration:
FDAAA: Food and Drug Administration Amendments Act of 2007:
FISMA: Federal Information Security Management Act of 2002:
HHS: Department of Health and Human Services:
HIPAA: Health Insurance Portability and Accountability Act of 1996:
HITECH: Health Information Technology for Economic and Clinical Health:
MMA: Medicare Prescription Drug, Improvement, and Modernization Act of
2003:
NIST: National Institute of Standards and Technology:
OECD: Organization for Economic Cooperation and Development:
OMB: Office of Management and Budget:
PIA: privacy impact assessment:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
June 1, 2009:
The Honorable Edward M. Kennedy:
Chairman:
The Honorable Michael B. Enzi:
Ranking Member:
Committee on Health, Education, Labor, and Pensions:
United States Senate:
The Honorable Henry A. Waxman:
Chairman:
The Honorable John D. Dingell:
Chair Emeritus:
The Honorable Joe L. Barton:
Ranking Member:
Committee on Energy and Commerce:
House of Representatives:
The U.S. Food and Drug Administration (FDA), a component of the
Department of Health and Human Services (HHS), has the responsibility
to approve medications and certain other medical products for public
use and then continue to assess the products' risks and benefits after
they have been made available to the public (a process called
postmarket risk surveillance). With increased attention to improving
the safety and quality of health care, there has been growing interest
in leveraging the large amounts of electronic health data being
collected on a regular basis to enhance surveillance of postmarket
risk.
However, increased analytical use of personal health information raises
concerns about the privacy and security of that information. According
to the National Research Council, medical information is often the most
privacy-sensitive information that individuals provide to others about
themselves, and protecting the privacy of that information has long been
recognized as an essential element in the administration of health care
systems. Further, industry groups and professional associations have
called for stronger protections for personal health information.
The Food and Drug Administration Amendments Act of 2007 (FDAAA)
requires that FDA develop methods for the establishment of a postmarket
risk identification and analysis system of electronic health data. In
response, FDA announced the start of its Sentinel initiative in May
2008. The initiative includes planning for the development of an
integrated system to analyze electronic health data in order to
identify potential risks and assess the safety of medical products
after they have been made available to the public.
FDAAA mandated that no later than 18 months after the date of its
enactment we (1) evaluate the data privacy, confidentiality, and
security issues related to accessing, transmitting, and maintaining
data for the FDA Active Postmarket Risk Identification and Analysis
System and (2) make recommendations regarding the need for further
legislative actions to ensure the privacy, confidentiality, and
security of the system or otherwise address privacy, confidentiality,
and security issues to ensure the effective operation of the system.
As agreed with your offices, we fulfilled the FDAAA mandate through a
briefing provided on March 24, 2009. The specific objectives for our
study were to (1) describe the current status of FDA's implementation
of the Sentinel system and (2) identify the key privacy and security
challenges associated with FDA's plans for the Sentinel system. To
address the first objective, we:
* analyzed available documentation and plans for system design and
development;
* reviewed the statements of work in contracts to assess specific
aspects of future Sentinel system development, such as governance
structures and data sources;
* reviewed information on current demonstration projects to assess
their status and their potential contribution to future Sentinel
development; and:
* analyzed prior GAO reports to assess prior FDA activities related to
postmarket risk evaluation.
To address the second objective, we:
* obtained and analyzed the views of privacy and security experts from
the World Privacy Forum, the Health Law & Policy Institute, the Health
Privacy Project at the Center for Democracy and Technology, and the
SANS Institute;
* obtained and analyzed the views of a privacy and information policy
consultant;
* obtained and analyzed the views of FDA officials and representatives
from related projects;
* analyzed independent studies and previous GAO reports to corroborate
challenges identified by experts; and:
* analyzed provisions of key privacy and security laws, guidance,
standards, and practices with respect to FDA's plans for the Sentinel
system and challenges identified by privacy and security experts.
We conducted this performance audit at FDA in the Washington, D.C.,
metropolitan area from May 2008 to May 2009 in accordance with
generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
This report summarizes the information we provided to your staff during
our March 24, 2009, briefing, with revisions to reflect information
obtained through agency comments. The full briefing, including our
objectives, scope, and methodology, can be found in appendix I. In
summary, our briefing made the following points:
The Sentinel system is still in the early planning stages, with key
decisions about development and milestones yet to be made. FDA has had
several outreach meetings with a variety of stakeholders, such as the
health care industry and patient and consumer advocacy groups, and has
established an FDA senior management team to provide input from various
agency components. FDA has also established a working group to share
information with federal partners, such as the Department of Veterans
Affairs and Department of Defense, and discuss issues related to
relevant efforts being carried out by federal agencies, and has sought
input from several projects involving both public and private sector
entities that are meant to refine research approaches and identify
challenges and concerns with launching a large-scale public-private
partnership for postmarket surveillance. Because the Sentinel system is
still in such an early stage of planning, FDA has yet to make key
decisions related to major aspects of program development such as
developing a governance model for oversight and enforcement of relevant
policies, and establishing an architecture. While FDA has asserted that
privacy risks will be reduced because Sentinel participants will not
routinely exchange personal health information, the agency has not yet
set policies to ensure the protection of privacy and security. Further,
FDA has not yet developed a plan or set milestones for when it expects
to have these issues addressed.
In ensuring that the design of the Sentinel system provides adequate
privacy and security protections, FDA will likely be faced with several
significant challenges. These challenges include:
* ensuring that appropriate legal mechanisms are established to protect
privacy and implement security consistently across all elements
associated with the Sentinel system;
* defining a clear and specific purpose for the system and ensuring
that partners with varying interests and business missions use personal
health information only for specified purposes;
* ensuring public involvement and effectively informing the public of
the program's planned uses of their personal health information and
privacy protections that will be applied to it;
* ensuring that de-identified information--data stripped of fields that
uniquely identify individuals--is not re-identified and that the use of
personal health information in individually identifiable form is
minimized and adequately protected;
* establishing adequate security controls to protect the personal
health information associated with Sentinel from unauthorized
disclosure, modification, and destruction; and:
* establishing sufficient oversight and enforcement mechanisms to
ensure that privacy and security requirements are consistently
implemented across Sentinel's wide range of partners.
FDA has yet to develop a plan or set milestones for addressing these
challenges. If these challenges are not adequately addressed, the
privacy and security of personal health information could be
compromised.
Recommendation for Executive Action:
We are not making recommendations for further legislative actions.
However, given the significant privacy and security challenges we have
identified, we recommend that the Commissioner of FDA develop a plan,
including milestones, for developing the Sentinel system and for
addressing the privacy and security challenges associated with:
* ensuring consistent application of protections to all Sentinel
partners,
* limiting use of personal health information to a clear and specific
purpose,
* involving the public in the development of the system and informing
the public of the program's planned uses of personal health information
and privacy protections,
* using de-identified data,
* establishing adequate security controls, and:
* overseeing and enforcing key privacy and security requirements.
Agency Comments and Our Evaluation:
In written comments on a draft of this report transmitted by the Acting
Assistant Secretary for Legislation at the Department of Health and
Human Services, the Acting Commissioner of Food and Drugs stated that
protecting the privacy and security of protected health information was
of paramount concern to FDA and agreed with our recommendation to
develop a plan with milestones for the Sentinel system, noting that
this recommendation was consistent with ongoing FDA efforts. The letter
is reprinted in appendix II.
In its comments, FDA also raised concerns that the report contained
inaccuracies that seriously misrepresent the program and would lead
readers to believe that their protected health information was at risk.
However, we believe the report accurately characterizes the potential
privacy and security risks with the Sentinel program and related
analysis. The program is still in its early stages, and while FDA has
stated its intention to establish controls for privacy and security, no
specific implementation plans have yet been developed. Moreover, FDA
officials acknowledged that the concerns raised in our report could be
relevant to secondary analysis precipitated by Sentinel. It will be
critical that these concerns are fully addressed as FDA moves forward
with the Sentinel initiative.
In explaining its position, the agency maintained that transactions
that it foresees occurring within the Sentinel program would not pose a
risk to protected health information. FDA noted that it envisions
developing Sentinel as a distributed network, wherein protected health
information would not be exchanged but would remain under the control
of its owners and be protected by the controls they already have in
place. As participants in Sentinel, these data owners would separately
perform analysis on their own data and share only summaries of their
results with other entities. We agree with FDA that its stated intent
for conducting basic analysis under Sentinel is designed to minimize
risk to privacy, and we believe that this approach, if implemented as
FDA envisions it, could reduce privacy concerns. However, we do not
believe it is appropriate to focus narrowly on just the transactions
that FDA classifies as being within Sentinel, because other related
transactions could pose greater risks. Specifically, FDA has
acknowledged that there may be a need for secondary analysis based on
results obtained through Sentinel, stating that this analysis would
occur outside of Sentinel. Such secondary analysis could involve the
sharing of protected health information, and many of the concerns
raised in our report apply in these circumstances. It will be critical
that these concerns are fully addressed as FDA moves forward with the
Sentinel initiative.
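The distributed design FDA describes above, and the query process sketched in the Highlights figure, can be made concrete with a small simulation. The following Python example was written for this page; it is not FDA's or GAO's code and is not part of the report. It assumes a coordinating center that forwards a query to each data partner, partners that run the query locally over their own patient-level records and return only aggregate counts, and a minimum-cell-size rule (five here, an assumed policy value) that withholds small cells. The partner names, record fields, records, and the constructed public roll used for the linkage step are all invented for illustration. The second half shows why "summaries only" does not by itself settle the re-identification challenge the report raises: a cell with a count of one, released at fine granularity, can be linked back to a named person.

```python
"""Toy federated query in the style of a distributed network: patient-level
records stay with each data partner, the coordinating center receives only
aggregate counts, and small cells are suppressed before release.

Added example for this page, not FDA or GAO code. All partner names,
records, field names, the public roll and the threshold are constructed."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MIN_CELL_SIZE = 5  # assumed suppression threshold; a policy choice, not from the report


def _rec(pid: str, age_band: str, zip3: str, drug: str, event: Optional[str] = None) -> dict:
    """Build one constructed patient-level record."""
    return {"pid": pid, "age_band": age_band, "zip3": zip3, "drug": drug, "event": event}


# Constructed records held by each partner. In the distributed design these
# never leave the partner; only the summaries computed below are shared.
PARTNER_DATA: Dict[str, List[dict]] = {
    "insurer_A": [
        _rec(f"A{i}", "40-49", "021", "drugX", "liver" if i in (1, 5) else None)
        for i in range(1, 7)
    ] + [_rec("A7", "70-79", "997", "drugX", "liver"), _rec("A8", "30-39", "021", "drugY")],
    "provider_B": [
        _rec(f"B{i}", "40-49", "021", "drugX", "liver" if i == 3 else None)
        for i in range(1, 6)
    ] + [_rec("B6", "40-49", "021", "drugY")],
}

# Constructed public dataset carrying the same quasi-identifiers (the classic
# linkage attack uses something like a voter roll).
PUBLIC_ROLL = [
    {"name": "J. Doe", "age_band": "70-79", "zip3": "997"},
    {"name": "M. Roe", "age_band": "40-49", "zip3": "021"},
    {"name": "P. Poe", "age_band": "40-49", "zip3": "021"},
]


@dataclass(frozen=True)
class Query:
    """A safety question: among patients exposed to `drug`, how many had
    `event`, broken down by the fields in `group_by`."""
    drug: str
    event: str
    group_by: Tuple[str, ...]


def local_summary(records: List[dict], query: Query, min_cell: int) -> Dict[tuple, Tuple[int, int]]:
    """Runs inside a partner. Returns {group_key: (exposed, with_event)};
    any group whose exposed count is below min_cell is withheld."""
    exposed: Dict[tuple, int] = defaultdict(int)
    events: Dict[tuple, int] = defaultdict(int)
    for r in records:
        if r["drug"] != query.drug:
            continue
        key = tuple(r[f] for f in query.group_by)
        exposed[key] += 1
        if r["event"] == query.event:
            events[key] += 1
    return {k: (n, events[k]) for k, n in exposed.items() if n >= min_cell}


def coordinating_center(query: Query, min_cell: int = MIN_CELL_SIZE) -> Dict[tuple, Tuple[int, int]]:
    """Forwards the query to every partner and merges the returned
    summaries. It only ever sees (exposed, with_event) pairs, never records."""
    merged: Dict[tuple, List[int]] = defaultdict(lambda: [0, 0])
    for records in PARTNER_DATA.values():
        for key, (n, e) in local_summary(records, query, min_cell).items():
            merged[key][0] += n
            merged[key][1] += e
    return {k: (v[0], v[1]) for k, v in merged.items()}


def reidentify(summary: Dict[tuple, Tuple[int, int]], group_by: Tuple[str, ...],
               roll: List[dict]) -> Dict[tuple, Tuple[str, int]]:
    """Attacker side: for each released cell with an exposed count of 1,
    look up people in the public roll matching that cell. A unique match
    names the person behind the 'de-identified' summary and reveals
    whether they had the event."""
    hits: Dict[tuple, Tuple[str, int]] = {}
    for key, (n, e) in summary.items():
        if n != 1:
            continue
        matches = [p["name"] for p in roll if tuple(p[f] for f in group_by) == key]
        if len(matches) == 1:
            hits[key] = (matches[0], e)
    return hits


if __name__ == "__main__":
    q = Query(drug="drugX", event="liver", group_by=("age_band", "zip3"))
    unsafe = coordinating_center(q, min_cell=1)  # no suppression
    print("without suppression:", unsafe)
    print("re-identified:", reidentify(unsafe, q.group_by, PUBLIC_ROLL))
    safe = coordinating_center(q)  # threshold applied inside each partner
    print("with suppression:", safe)
    print("re-identified:", reidentify(safe, q.group_by, PUBLIC_ROLL))
```

Suppression is applied here inside each partner, before anything leaves it, which is the strongest placement (the coordinating center never learns that a small cell exists) but means a partner with only a few exposed patients contributes nothing to the total; suppressing after merging would keep more data at the cost of letting the center see the small cells. Any secondary analysis that pulls records out of the partners, which GAO notes FDA has said may be needed, falls outside this protection entirely.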
In its comments, FDA also noted that privacy and security are of
paramount concern to the agency, and that the agency had engaged with
individuals in the privacy and security field to examine privacy and
security issues. FDA stated that Sentinel would be subject to the
security requirements of the Federal Information Security Management
Act of 2002 (FISMA) and would implement policies and procedures to
ensure computer security. While FDA's stated commitment to
investigating privacy issues and implementing rigorous security
controls is important, until specific privacy and security safeguards
have been implemented, concerns remain. Further, at this early stage of
development, it is important to highlight areas in which potential
compromises could occur so that attention can be focused on them.
Identifying and assessing such concerns can help better ensure that
planning for the system incorporates a comprehensive set of effective
privacy and security controls.
Finally, FDA expressed concern that the figure that appears in the
Highlights and on page 24 could mislead readers, and it provided an
alternate figure with modified labels and alternate illustrations for
the elements of the system. We have made adjustments to the labels to
address concerns raised by FDA. However, in addition to wording
changes, FDA expressed concern that the illustrations in our figure
give the impression that Sentinel is a fully automated system that does
not include human participation and expertise. We believe the graphic--
which portrays individuals, systems, and symbols for institutions--
accurately portrays the nature of the Sentinel system, which is
expected to include automated systems as well as human and
institutional involvement.
In addition, FDA provided technical comments, which we have
incorporated as appropriate.
We are sending copies of this report to interested congressional
committees and the Commissioner of FDA. In addition, the report will be
available at no charge on the GAO Web site at [hyperlink,
http://www.gao.gov].
If you or your staffs have any questions about this report, please
contact me at (202) 512-6244 or at wilshuseng@gao.gov. Contact points
for our Offices of Congressional Relations and Public Affairs may be
found on the last page of this report. Key contributors to this report
are listed in appendix III.
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
[End of section]
Appendix I: Briefing to Congressional Committees:
Privacy and Security: Food and Drug Administration Faces Challenges in
Establishing Protections for Its Postmarket Risk Analysis System:
Briefing to Congressional Committees:
March 24, 2009:
Contents:
* Introduction;
* Objectives, Scope, and Methodology;
* Results in Brief;
* Background;
* System Is in the Early Stages of Development;
* FDA Faces Privacy and Security Challenges;
* Conclusions;
* Recommendation for Executive Action;
* Agency Comments and Our Evaluation.
[End of section]
Introduction:
The Food and Drug Administration (FDA), a component of the Department
of Health and Human Services (HHS), has the responsibility to approve
medical products for public use and then continue to assess the
products' risks and benefits after they have been made available to the
public (a process called postmarket risk surveillance). With increased
attention to improving the safety and quality of health care, there has
been growing interest in leveraging the large amounts of electronic
health data being collected on a regular basis to enhance surveillance
of postmarket risk.
However, increased analytical use of personal health information
[Footnote 1] raises concerns about the privacy and security of that
information. According to the National Research Council, medical
information is often the most privacy-sensitive information that
patients provide to others about themselves, and protecting the privacy
of that information has long been recognized as an essential element in
the regulations of health care systems. Further, industry groups and
professional associations have called for stronger protections for
personal health information.
The Food and Drug Administration Amendments Act of 2007 (FDAAA)
[Footnote 2] requires that FDA develop methods for the establishment of
a postmarket risk identification and analysis system of electronic
health data. In response, FDA announced the start of its Sentinel
initiative in May 2008. The initiative includes planning for the
development of an integrated system to analyze electronic health data
in order to identify potential risks and assess the safety of medical
products after they have been made available to the public.
[End of section]
Objectives, Scope, and Methodology:
FDAAA mandates that no later than 18 months after the date of its
enactment we (1) evaluate the data privacy, confidentiality,[Footnote 3]
and security issues related to accessing, transmitting, and maintaining
data for the FDA Active Postmarket Risk Identification and Analysis
System and (2) make recommendations regarding the need for further
legislative actions to ensure the privacy, confidentiality, and
security of the system or otherwise address privacy, confidentiality,
and security issues to ensure the effective operation of the system.
As agreed with your offices, the objectives for this study were to (1)
describe the current status of FDA's implementation of the Sentinel
system and (2) identify the key privacy and security challenges
associated with FDA's plans for the Sentinel system.
To address the first objective, we:
* analyzed available documentation and plans for system design and
development;
* reviewed the statements of work in contracts to assess specific
aspects of future Sentinel system development, such as governance
structures and data sources;
* reviewed information on current demonstration projects to assess
their status and their potential contribution to future Sentinel
development; and
* analyzed prior GAO reports to assess prior FDA activities related to
postmarket risk evaluation.
To address the second objective, we:
* obtained and analyzed the views of privacy and security experts on
key challenges from the World Privacy Forum, the Health Law & Policy
Institute, the Health Privacy Project at the Center for Democracy and
Technology, and the SANS Institute;
* obtained and analyzed the views from a privacy and information policy
consultant;
* obtained and analyzed the views of FDA officials and representatives
from related projects to identify key privacy and security challenges;
* analyzed independent studies and previous GAO reports to corroborate
challenges identified by experts; and
* analyzed provisions of key privacy and security laws, guidance,
standards, and practices with respect to FDA's plans for the Sentinel
system and challenges identified by privacy and security experts.
We conducted this performance audit at the Food and Drug Administration
in the Washington, D.C., metropolitan area from May 2008 to February
2009, in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
[End of section]
Results in Brief:
The Sentinel system is still in the early planning stages, with key
decisions about development and milestones yet to be made. FDA has had
several outreach meetings with a variety of stakeholders, such as the
health care industry and patient and consumer advocacy groups, and has
established an FDA senior management team to provide input from various
agency components. FDA has also established a working group to share
information with federal partners, such as the Department of Veterans
Affairs and Department of Defense, and discuss issues related to
relevant efforts being carried out by federal agencies, and it has
sought input from several projects involving both public and private
sector entities that are meant to refine research approaches and
identify challenges and concerns with launching a large-scale public-
private partnership for postmarket surveillance. Because the Sentinel
system is still in such an early stage of planning, FDA has yet to make
key decisions related to major aspects of program development such as
developing a governance model for oversight and enforcement of relevant
policies, establishing an architecture, and setting privacy and
security policies. Further, FDA has not yet developed a plan or set
milestones for when it expects to have these issues addressed.
In designing and developing the Sentinel system, FDA will likely be
faced with several significant privacy and security challenges. These
challenges include:
* ensuring that appropriate legal mechanisms are established to protect
privacy and implement security consistently across all elements of the
Sentinel system;
* defining a clear and specific purpose for the system and ensuring
that partners with varying interests and business missions use personal
health information only for specified purposes;
* ensuring public involvement and effectively informing the public of
the program's planned uses of their personal health information and
privacy protections that will be applied to it;
* ensuring that de-identified information--data stripped of fields that
uniquely identify individuals--is not re-identified and that the use of
personal health information in individually identifiable form is
minimized and adequately protected;
* establishing adequate security controls to protect the personal
health information included in Sentinel from unauthorized disclosure,
modification, and destruction; and
* establishing sufficient oversight and enforcement mechanisms to
ensure that privacy and security requirements are consistently
implemented across Sentinel's wide range of partners.
FDA has yet to develop a plan or set milestones for addressing these
challenges. If these challenges are not adequately addressed, the
privacy and security of personal health information could be
compromised.
We are not making recommendations for further legislative actions.
However, given the potential risk to privacy and security, we recommend
that the Commissioner of FDA develop a plan, including milestones, for
developing the Sentinel system and for addressing the privacy and
security challenges associated with ensuring consistent application of
protections to all Sentinel partners, limiting use of personal health
information to a clear and specific purpose, involving the public in
the development of the system, using de-identified data, establishing
adequate security controls, and overseeing and enforcing key privacy
and security requirements.
In comments on a draft of this briefing provided via e-mail, FDA
generally agreed with our recommendation. FDA asserted that privacy and
security challenges raised by the use and transfer of personal health
information would be largely alleviated by current plans for the
Sentinel system--which call for all personal health information to
remain with the entities that have custody of it and only analytical
results to be shared--but acknowledged that secondary analysis involving
personal health information may be necessary and that the privacy
challenges we identified would be relevant to such analysis. FDA also
noted that its ongoing contracts will help to set achievable
milestones.
[End of section]
Background: Postmarket Risk Evaluation:
FDA approves medical products for marketing when the agency judges that
their known benefits outweigh known risks. After a product has been
placed on the market, FDA's practice is to continue to assess its risks
and benefits by conducting postmarket evaluation through review of
reports of adverse reactions (adverse events) and information from
studies of the product, including clinical trials and studies following
the use of the product in ongoing medical care (observational studies).
FDA currently relies predominantly on a "passive" form of evaluation to
obtain information on adverse events. That is, it is based on data from
mandatory reports of adverse drug events submitted by manufacturers, as
well as voluntarily submitted information about such events from health
care providers and the public. FDA's Adverse Event Reporting System,
which captures this information, is the primary means the agency uses
to collect information to monitor adverse events. In contrast, Sentinel
would present a more "active" system that would enable linking to
multiple electronic databases to be queried and analyzed to detect
early warning signals of adverse events.
According to FDA, active risk evaluation would result in:
* utilization of existing electronic databases run by different
entities, including private health plans, insurance plans, and
government agencies with health care data;
* the possibility of early discovery, or more complete understanding,
of adverse events through review of electronic health data, including
claims databases;
* the possibility of timelier and more accurate results, based on the
rapid review of data on millions of people; and
* the ability to identify important medical product safety questions
and develop mechanisms to protect patients in a more timely and
efficient fashion.
The FDA includes five centers that are responsible for ensuring the
safety and effectiveness of different types of products. Three play an
important role in the postmarket risk evaluation of medical products:
* The Center for Biologics Evaluation and Research is responsible, among
other things, for ensuring the safety and effectiveness of biological
products such as vaccines, tissues, and blood products.
* The Center for Devices and Radiological Health is charged with, among
other things, ensuring the safety and effectiveness of medical devices.
[Footnote 4]
* The Center for Drug Evaluation and Research is responsible for, among
other things, ensuring the safety and effectiveness of all over-the-
counter and prescription drugs.
As concerns regarding the safety of medical products have increased,
calls for improving the ability to monitor the postmarket performance
of the products have also grown.
* In 2005, the Secretary of HHS requested that FDA work to improve the
agency's ability to track the performance of a medical product during
its entire life cycle, recommending, among other things, that the
agency explore creating a public-private collaboration and leveraging
existing large, electronic databases.
* In 2006, the Institute of Medicine of the National Academies[Footnote
5] made several recommendations to guide FDA in developing a "more
structured way to determine the level of postmarket scrutiny and data
requirements, in other words, to match the evaluation of drugs with the
way that they will be used in the population."
* In 2006, we issued a report identifying areas needing improvement in
FDA's decision-making and oversight process and, among other things,
recommended that FDA systematically track postmarket drug safety
issues.[Footnote 6]
In 2007, FDAAA mandated that the Secretary of HHS "establish and
maintain procedures" for an "active postmarket risk identification and
analysis system." Specifically, the act required that the Secretary
develop a system that:
* provides standardized reporting of data on all serious adverse
events;
* provides active adverse event surveillance from federal health-
related electronic data, private sector health-related data, and other
data deemed necessary by the Secretary to identify adverse events and
potential drug safety signals;
* identifies adverse event trends and patterns from the health-related
data the system accesses;
* provides reports on a regular basis to the Secretary concerning
adverse event trends and patterns, rate of occurrence, and other
information the Secretary deems appropriate, which may include data on
comparative national adverse event trends; and
* allows the program to export data in a form appropriate for further
aggregation, statistical analysis, and reporting.
The act sets the goal of having access to data from 25 million patients
by July 1, 2010, and 100 million patients by July 1, 2012.
Background: The Sentinel System:
Additionally, the act states that the Secretary shall, not later than 2
years after the date of the enactment, in collaboration with public,
academic, and private entities,
* develop methods to obtain access to disparate data sources and,
* develop validated methods for the establishment of a postmarket risk
identification and analysis system to link and analyze safety data from
multiple sources.
In response to the FDAAA call for an active postmarket risk evaluation
system, FDA announced in May 2008 the start of its Sentinel initiative,
which includes planning for development of a long-term national,
integrated, electronic system for monitoring medical product safety. In
addition, the planned system is intended to be a mechanism to obtain
access to disparate data sources and analyze health care data from
multiple sources (see figure 1).
FDA anticipates that users of the planned system would transmit
questions through a coordinating center (likely operated by a nonprofit
entity) to holders of health data, who would perform analysis of their
data and provide responses through the center. FDA currently envisions
that its partners would not transfer personal health information as
part of their initial responses to Sentinel questions, although
officials acknowledge that the results of the responses to queries of
this type would in some cases require follow-up involving access to
personal health information.
Figure 1: Overview of the Planned Sentinel Query Process:
[Refer to PDF for image: illustration]
FDA and other entities[A]:
* Query initiated to Sentinel coordinating center;
* Coordinating center returns summaries of results;
* Results summaries may potentially be shared with the public.
Sentinel coordinating center:
* Query sent to appropriate data sources:
- Health insurance providers;
- Academic institutions;
- Federal and state government agencies;
- Healthcare providers;
* Results summaries returned to coordinating center.
Source: GAO based on FDA data.
[A] Pharmaceutical companies are potential partners in the system, but
may be limited in their capabilities. According to FDA officials,
partners in the pharmaceutical industry are not to have access to
personal health information but may be provided access to results
summaries.
[End of figure]
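The query flow in figure 1, as an added example that is not part of the GAO report and not FDA's or any contractor's design: a small Python simulation in which each data holder runs the analysis over records that never leave it and returns only counts, the coordinating center refuses any response that carries identifying fields or record-level data, and counts below a minimum cell size are suppressed before the summary is released. The record layout, the query shape, the field names, the sample records and the suppression threshold are all assumptions made for illustration; the report says only that partners would return analytical results rather than personal health information in their initial responses.

```python
"""Simulation of a distributed, summary-only query flow (added example).

The record layout, query shape, field names, sample data and MIN_CELL
threshold are assumptions for illustration, not FDA's specification.
"""

# Assumed field names that would identify a person; a summary must never carry them.
IDENTIFYING_FIELDS = {"patient_id", "name", "dob", "ssn", "zip"}
MIN_CELL = 5  # assumed threshold: counts below this are suppressed before release


class DataHolder:
    """A health plan, provider or agency. Its records never leave this object."""

    def __init__(self, name, records):
        self.name = name
        self._records = records  # list of dicts; constructed sample data

    def answer(self, query):
        """Run the analysis locally and return only counts, never records."""
        exposed = [r for r in self._records if query["product"] in r["products"]]
        with_event = [r for r in exposed if query["event"] in r["events"]]
        return {"source": self.name, "exposed": len(exposed), "with_event": len(with_event)}


class LeakyHolder(DataHolder):
    """A misbehaving partner that attaches record-level data to its response."""

    def answer(self, query):
        summary = super().answer(query)
        summary["cases"] = [r for r in self._records if query["event"] in r["events"]]
        return summary


class CoordinatingCenter:
    """Fans a question out to data holders and releases only validated, suppressed counts."""

    def __init__(self, holders):
        self.holders = holders

    @staticmethod
    def validate(summary):
        """Reject any response that is not a flat summary of integer counts."""
        leaked = IDENTIFYING_FIELDS & set(summary)
        if leaked:
            raise ValueError(f"identifying fields in response: {sorted(leaked)}")
        for key, value in summary.items():
            if key != "source" and not isinstance(value, int):
                raise ValueError(f"record-level payload in field {key!r}")

    @staticmethod
    def suppress(count):
        """Small-cell suppression: hide counts that could single out individuals."""
        return count if count >= MIN_CELL else f"<{MIN_CELL}"

    def run(self, query):
        per_source, totals = {}, {"exposed": 0, "with_event": 0}
        for holder in self.holders:
            summary = holder.answer(query)
            self.validate(summary)  # refuse before anything is stored or forwarded
            per_source[summary["source"]] = {k: self.suppress(summary[k]) for k in totals}
            for k in totals:
                totals[k] += summary[k]
        return {"query": query, "per_source": per_source,
                "total": {k: self.suppress(v) for k, v in totals.items()}}


def sample_holders():
    """Constructed records; 'products' and 'events' are assumed field names."""
    def rec(pid, products, events=()):
        return {"patient_id": pid, "products": set(products), "events": set(events)}
    plan_a = DataHolder("Plan A", [
        rec("a1", ["drugX"], ["liver injury"]),
        rec("a2", ["drugX"]),
        rec("a3", ["drugY"], ["liver injury"]),
    ])
    plan_b = DataHolder("Plan B",
                        [rec(f"b{i}", ["drugX"], ["liver injury"]) for i in range(6)]
                        + [rec(f"b{i}", ["drugX"]) for i in range(6, 10)]
                        + [rec("b99", ["drugY"])])
    return [plan_a, plan_b]


QUERY = {"product": "drugX", "event": "liver injury"}  # assumed query shape


def run_query(query=QUERY):
    """Released summary for the sample holders."""
    return CoordinatingCenter(sample_holders()).run(query)


def leaky_response_rejected(query=QUERY):
    """True when the center refuses a response carrying record-level data."""
    leaky = LeakyHolder("Broker C", [
        {"patient_id": "c1", "products": {"drugX"}, "events": {"liver injury"}}])
    try:
        CoordinatingCenter([leaky]).run(query)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_query())
    print("leaky response rejected:", leaky_response_rejected())
```

Run it directly to print the released summary. Plan A's counts fall below the assumed threshold and are suppressed in the per-source view while still contributing to the totals, and the LeakyHolder case shows the center refusing a response that carries case-level records; follow-up that genuinely needs personal health information, which the report notes FDA acknowledges may be necessary, would have to go through a separate, agreement-governed path rather than this one.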
Background: Fair Information Practices:
FDAAA contains provisions requiring FDA to address privacy and security
within its postmarket analysis system. Widely accepted guidelines exist
for the protection of privacy and security of sensitive information
that have driven programmatic requirements for privacy and security.
The Fair Information Practices are a set of privacy protection
principles first proposed in 1973 by a U.S. government advisory
committee. These principles, with some variation, are used by
organizations to address privacy considerations in their business
practices and are also the basis of privacy laws and related policies
in many countries, including the United States, Germany, Sweden,
Australia, and New Zealand, as well as the European Union. The widely
adopted version developed by the Organization for Economic Cooperation
and Development (OECD) is shown in the table on the following page.
Table 1: Fair Information Practices:
Principle: Collection limitation;
Description: The collection of personal information should be limited,
should be obtained by lawful and fair means, and, where appropriate,
with the knowledge or consent of the individual.
Principle: Data quality;
Description: Personal information should be relevant to the purpose for
which it is collected, and should be accurate, complete, and current as
needed for that purpose.
Principle: Purpose specification;
Description: The purposes for the collection of personal information
should be disclosed before collection and upon any change to that
purpose, and its use should be limited to those purposes and compatible
purposes.
Principle: Use limitation;
Description: Personal information should not be disclosed or otherwise
used for other than a specified purpose without consent of the
individual or legal authority.
Principle: Security safeguards;
Description: Personal information should be protected with reasonable
security safeguards against risks such as loss or unauthorized access,
destruction, use, modification, or disclosure.
Principle: Openness;
Description: The public should be informed about privacy policies and
practices, and individuals should have ready means of learning about
the use of personal information.
Principle: Individual participation;
Description: Individuals should have the following rights: to know
about the collection of personal information, to access that
information, to request correction, and to challenge the denial of
those rights.
Principle: Accountability;
Description: Individuals controlling the collection or use of personal
information should be accountable for taking steps to ensure the
implementation of these principles.
Source: OECD.
[End of table]
Background: Relevant Laws and Guidance:
No single federal law governs all use or disclosure of personal
information. Instead, there are a number of separate statutes and
guidance that provide privacy and security protections for information
used for specific purposes or maintained by specific entities.
The Privacy and Security Rules promulgated under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) set privacy and
security requirements for personal health information maintained by
certain types of health care organizations, likely including a
significant portion of the personal health information held by
potential partners in the Sentinel system. The Privacy and Security
Rules were intended to protect the privacy and security of individually
identifiable health information held by an entity covered by the act.
* The HIPAA Privacy Rule requires covered entities to take such actions
as (1)making reasonable efforts to disclose or use only the minimum
personal health information necessary; (2) providing notice of privacy
practices; (3) assuring individuals the right to review and obtain a
copy of their protected health information and request corrections of
inaccurate or incomplete data; (4)safeguarding protected health
information from inappropriate use or disclosure; and (5) obtaining
written authorization or consent for most uses and disclosures of
personal health information other than for treatment, payment, and
health care operations, or as required by law.
* The HIPAA Security Rule sets standards for safeguards to protect the
confidentiality, integrity, and availability of protected health
information in electronic form, including administrative safeguards,
such as information access management; physical safeguards, such as
facility access controls; technical safeguards, such as transmission
security to protect electronic protected health information and control
access to it; and standards for contracts and other arrangements with
business partners.
The Privacy Act of 1974 serves as the major mechanism for controlling
the collection, use, and disclosure of personally identifiable
information within the federal government. The act requires federal
agencies to provide safeguards for all information contained in systems
of records (any grouping of records containing personal information
retrieved by individual identifier) that they maintain. The act also
requires agencies to publish notices about these systems of records,
which are intended to inform the public of how personal information is
collected, maintained, used, and disseminated.
The E-Government Act of 2002 requires agencies to conduct privacy
impact assessments and would likely have implications for FDA and
Sentinel‘s federal partners. Section 208 of the E-Government Act of
2002 strives to enhance protection of personal information in
government information systems by requiring that agencies conduct
privacy impact assessments (PIA). A PIA is an analysis of the risks and
effects of collecting, maintaining, and disseminating information in
identifiable form in an electronic information system.
The Federal Information Security Management Act of 2002 (FISMA)
[Footnote 7] is the primary law governing information security in the
federal government; it addresses the protection of personal information
in the context of securing federal agency information and systems.
FISMA requires that federal agency information security programs
include periodic assessments of risk; policies and procedures that are
based on risk assessments; and plans for providing adequate information
security for networks, facilities, information systems, or groups of
information systems. In addition, FISMA mandates security awareness
training; periodic testing and evaluation; a process for planning,
implementing, evaluating, and documenting remedial actions; procedures
for detecting, reporting, and responding to security incidents; and
plans and procedures for continuity of operations for information
systems that support the operations and assets of an agency.
A number of other laws and regulations also set requirements concerning
the privacy and security of personal health information.[Footnote 8]
For example, individual state laws may set constraints and other
requirements on the use of personal health information by certain
Sentinel partners. These laws include areas such as mental health and
HIV/AIDS treatment. For example, Massachusetts state law[Footnote 9]
prohibits the disclosure of HIV/AIDS test results or the identity of
the test subject to anyone other than the subject without written
authorization. Finally, the National Institute of Standards and
Technology (NIST) established technical guidance and standards used by
government, industry, and academia. Key publications relevant to
Sentinel include guidance for planning, establishing, and terminating
system interconnections;[Footnote 10] standards for categorizing
information and information systems;[Footnote 11] and minimum security
requirements for protecting the confidentiality, integrity, and
availability of federal information systems and the information
processed, stored, and transmitted by those systems.[Footnote 12]
[End of section]
Sentinel Is in the Early Stages of Development:
FDA is in the early stages of planning and developing Sentinel and has
yet to make decisions relating to governance, an architecture, data
sources, research methodologies, and a privacy and security framework.
In addition, FDA has not yet set milestones for development of the
system that will support the initiative.
Despite the project's being in such an early planning stage, FDA
officials expect to be able to meet milestones established in FDAAA.
FDAAA requires that the agency's postmarket risk assessment system will
have access to data from 25 million patients by July 1, 2010, and 100
million patients by July 1, 2012. FDA officials have indicated that the
involvement of federal partners with large databases of patient
records, such as the Centers for Medicare & Medicaid Services, the
Department of Defense, and the Department of Veterans Affairs, will
allow them to meet these milestones. Additionally, FDAAA requires FDA to
develop methods to obtain access to disparate data sources and to
establish a postmarket risk identification and analysis system to link
and analyze safety data from multiple sources no later than 2 years
after the date of the enactment. FDA officials plan to address this
requirement by gathering data from supporting projects and issuing
contracts to assess specific aspects of future Sentinel system
development, such as governance structures and data sources.
To establish a basic system concept and define preliminary
requirements, FDA has completed the following activities:
* Established a senior management team to solicit input from various
FDA components on the overall direction of the system. The team has met
on a monthly basis to review early progress, including the scope and
direction of the system and the results of stakeholder meetings.
* Held outreach meetings with key stakeholders in both the federal and
private sectors, including the health care industry, vendors, and
patient and consumer advocacy groups. Stakeholders have been asked to
provide input on issues such as approaches to data collection,
establishing appropriate governance and operational policies, and
determining funding sources.
* Created a federal partners working group to share information and
discuss issues related to ongoing efforts being carried out by federal
agencies that are complementary to Sentinel. This working group
includes representatives from the Centers for Disease Control and
Prevention, Centers for Medicare & Medicaid Services, National
Institutes of Health, Department of Defense, and Department of Veterans
Affairs.
To further define requirements and assess the feasibility of technology
options for the system, FDA has obtained input from several non-FDA
projects, including the following:
* The eHealth Initiative (eHI) Foundation's Connecting for Drug Safety
Collaboration Pilot is exploring opportunities to use electronic
clinical information to identify and assess safety signals associated
with marketed pharmaceuticals.
* The Centers for Medicare & Medicaid Services (CMS) Project, which is
designed to establish an environment to execute queries on Medicare
Part D[Footnote 13] data relating to medical product postmarket risk
and surveillance.
* The Observational Medical Outcomes Partnership, a public/private
partnership supported by the Foundation for the National Institutes of
Health, is initiating a project using data from commercial health
information brokers and healthcare providers to conduct a series of
experiments to assess the value, feasibility, and utility of analyzing
observational data to identify and evaluate the safety risks and
potential benefits of prescription drugs.
Beyond these early planning efforts, FDA has yet to make a variety of
key programmatic decisions that may affect privacy and security.
Specifically:
* A governing and operating structure has not yet been established to
oversee and enforce policies and procedures among the variety of public
and private sector entities that are expected to participate in the
system. FDA has contracted with eHI to examine approaches toward
potential governance models and to identify and prioritize principles,
attributes, and other considerations.
* An architecture has not yet been developed to enable efficient,
secure queries of distributed data sources; exchange of relevant
product safety information; communications among partners; and transfer
and storage of query results. To explore potential models for such an
architecture, FDA has contracted with Harvard Pilgrim Healthcare to
define and critically evaluate possible database models for use in
Sentinel, as well as issues related to policy, performance, privacy and
security, benefits to stakeholders, and data standards.
* Partners in the initiative have not yet been identified. As mandated
by FDAAA, the agency intends to develop the Sentinel initiative in
collaboration with public, academic, and private-sector entities. Some
of these entities will likely also be major sources of data for the
system. Neither collaborating partners nor other data sources have yet
been identified. To this end, FDA has awarded various contracts
including one to Booz Allen Hamilton to identify potential data sources
and describe types of electronic health care data. Potential
collaborators include federal agencies (such as CMS and the Department
of Defense), patient and consumer organizations, health care provider
groups, pharmaceutical companies, health plans, insurance companies,
and academic institutions.
* Key methodologies for conducting research on adverse drug events have
not yet been defined. According to FDA officials, the success of
Sentinel will depend largely on the sensitivity, specificity,
robustness, and flexibility of the analytical methods it uses. This
research is necessary to understand the strengths and limitations of
existing methods that might be employed in the system. FDA has
contracted with the Group Health Cooperative Center for Health Studies
to identify, describe, and evaluate current methods that Sentinel may
employ.
* Finally, a policy framework for the privacy and security of personal
health information has not yet been developed. FDA acknowledges the
importance of strong privacy and security safeguards, and it is
assessing how to implement appropriate protections. As part of its
efforts to obtain the views of patients, consumers, and health care
professionals regarding, among other things, privacy and security
concerns related to the use of personal health information, FDA
contracted with eHI to research and analyze existing or proposed
policies, rules, regulations, and other requirements related to the
protection of privacy and security and recommend strategies for
engaging the participation of patients, consumers, and health care
professionals.
FDA officials believe additional research and evaluation are needed in
these areas and have issued contracts to various entities to address
these needs. According to FDA, these contracts were awarded in early
fall 2008, and final reports are to be available starting in spring
2009.
FDA faces a number of key privacy and security challenges as it plans
for the development of the Sentinel system.
Consistent application of protections: One major challenge will be
ensuring that appropriate legal mechanisms are established to protect
privacy and security consistently across all elements of the system,
parts of which may be controlled by a variety of partner organizations.
The variety of partners creates a complex legal environment in which
existing privacy and security requirements may not apply to all
participants. If adequate agreements and enforcement mechanisms are not
established to ensure that a minimum set of standard requirements is
applied consistently, there may be potential gaps in privacy and
security protections.
Establishing privacy and security requirements that apply consistently
to all entities is key to ensuring that no particular entity with
inadequate protections compromises the overall privacy and security of
personal health information. In this regard, the National Committee on
Vital and Health Statistics[Footnote 14]--a key advisory committee--has
made recommendations in the past aimed at ensuring that HIPAA Privacy
Rule protections are applied consistently across all entities handling
personal health information.
Experts have raised concerns that FDA's potential delegation of day-to-
day operation of the Sentinel coordinating center to a nonfederal
entity may result in legal gaps in privacy and security protections,
because such an organization may not meet the definitions for a HIPAA-
covered entity and may not be covered by laws such as the Privacy Act
and FISMA. Because of what experts viewed as the potential
inapplicability of these legal requirements to the entity administering
this coordinating center, these experts expressed concern that an
appropriate agreement be established between FDA and this entity to
ensure that privacy and security requirements are in place.
Further, while FDAAA requires that all Sentinel partners ensure that
data are not used in a manner that would violate the HIPAA Privacy
Rule, there is no similar requirement that all partners abide by
security requirements. Without explicit provisions in individual
agreements between FDA and Sentinel partners, gaps could open in the
security protections that apply. For example, although most
health plans or health providers would be covered entities under HIPAA
and would have to abide by the HIPAA Security Rule, a pharmaceutical
company or an academic institution might not be covered--in this case,
such an entity might not have to comply with HIPAA security
requirements if these were not stipulated in its agreement with FDA.
Similarly, concerns have also been raised regarding the enforcement of
data use agreements, which specify how personal health information will
be used and the safeguards that will be in place to protect its
confidentiality. Under the HIPAA Privacy Rule, such agreements are
unenforceable by HHS against partners that are not HIPAA-covered
entities, and covered entities are not liable for breaches of the data
use agreement by the recipients of partially de-identified data. Such
agreements are to be the basis for sharing partially de-identified data
among Sentinel partners for public health purposes. Again, explicit
provisions in individual agreements between FDA and Sentinel partners
could address this concern.
Because existing legal requirements for privacy and security are
unlikely to apply consistently across potential partners, and the
enforceability of the HIPAA Privacy Rule's provisions among partners
may be limited, FDA faces the challenge of ensuring that adequate
privacy and security controls for the protection of personal health
information are appropriately incorporated into cooperative agreements,
contracts, and memorandums of understanding so that these protections
are applied consistently by all partners throughout the system.
Limiting use to clear and specific purposes: A second challenge FDA
faces is defining clear and specific purposes for the use of personal
health information for Sentinel, and ensuring that uses are limited to
these purposes. Defining a clear and specific purpose may be difficult
because of the differing levels of privacy protection defined under
HIPAA for different types of uses. Furthermore, because of a wide range
of potential users with significantly different missions and the ready
availability of large databases of personal health information, FDA
faces the challenge of ensuring that uses of data are limited to
defined program purposes.
[End of section]
FDA Faces Privacy and Security Challenges: Limiting Use to Clear and
Specific Purposes:
Establishing a clear and specific purpose and limiting the use and
disclosure of personal data to that purpose are key to assuring
individuals that their personal information will not be used for
unauthorized purposes.
* The purpose specification principle states that the purpose for the
collection of personal information should be disclosed before the
collection is made and upon any change to that purpose.
* The use limitation principle provides that personal information
should not be disclosed or used for other than a specified purpose
without consent of the individual or legal authority.
* The HIPAA Privacy Rule also limits the uses and disclosures of an
individual‘s personal health information by covered entities.
Specifically, HIPAA requires covered entities to make reasonable
efforts to disclose or use only the minimum information necessary to
accomplish the intended purpose, with certain exceptions, such as for
treatment or as required by law.
Determining an appropriate set of specific purposes for Sentinel will
entail striking a balance between narrow and broad definitions. A
purpose that is too narrowly defined may unnecessarily limit the
system's usefulness and make it unattractive for private sector data sources
to participate. On the other hand, an overly permissive definition may
allow partners to use personal health information for inappropriate
purposes.
FDAAA directs FDA to collaborate with public, private, and academic
entities for the purpose of "advanced analysis of drug safety data."
Without additional guidance, this language could be interpreted to
encompass a wide range of uses. These allowable uses could fall into
different HIPAA categories, with varying requirements for protection.
It is not yet clear under which HIPAA purpose category Sentinel's
postmarket risk evaluation purpose will fall, but it is likely to be
included in one of the following categories defined by the HIPAA
Privacy Rule:
* Public health activities, which include use and disclosure by a
covered entity to public health authorities authorized by law to
collect or receive information necessary to prevent or control disease
and to entities subject to FDA regulation for adverse event reporting
and postmarket evaluation.
- Disclosure under this category would be permitted without need for
further authorization.
* Research, which refers to use and disclosure by a covered entity for
any "systematic investigation" that could develop or contribute to
generalizable knowledge.
- Use under this category would require that the covered entity satisfy
additional requirements. For example, to use or disclose personal
health information for research purposes without need for individual
authorization requires that the covered entity receive a waiver or that
the covered entity obtain a representation from the researcher that
states, among other things, that the use or disclosure of the personal
health information is only for preparing a research protocol and that
no personal health information will be removed from the covered entity.
Officials from eHI and privacy experts have stated that establishing
how Sentinel's uses appropriately fall into these purpose categories
will be difficult because distinctions between public health and
research are very subtle. However, as indicated, the decision could
have ramifications for the extent of legal requirements in place for
protecting personal health information. For example, there may be
ambiguities relating to authorization and individual consent, which are
treated differently depending on the category.
In addition, privacy experts have expressed concern that the variety of
public and private organizations and business missions involved in the
project could make it difficult to effectively limit the use of the
personal health information to postmarket risk evaluation. Sentinel, as
currently planned, is expected to encompass millions of health records;
access to this large amount of data could be very useful for analyses
or other uses that go beyond assessing postmarket drug safety. For
example, commercial users may seek to use the data for purposes such as
marketing campaigns or tracking patient medical product usage and
physicians' prescription patterns. Further, academic users may wish to
publish data they have used to support their research results. Uses
such as these may be inappropriate and could have the potential to
compromise patient privacy if not effectively controlled.
As we previously reported in our 2006 report on the use of commercial
data, consolidating large databases poses the risk that the use of data
goes beyond the original system scope and intended uses.[Footnote 15]
Sentinel could face this risk if the program seeks to bring together
disparate, large databases of personal health information to be
analyzed by multiple entities.
Similarly, in 2007, we raised concerns about the risks associated with
the availability of large amounts of aggregated data in our review of a
planned data-mining program at the Department of Homeland Security.
[Footnote 16] We stated that with the ability to facilitate a broad
range of potential queries and analyses and aggregate large quantities
of previously isolated pieces of information, the program could produce
aggregated, organized information that organizations could be tempted
to use for purposes beyond that originally specified when the
information was collected.
If adequate precautions are not taken to limit secondary uses of data,
there is increased risk that personal health information may be used
for purposes not intended for Sentinel.
Ensuring public confidence: A third challenge that FDA faces is to
build public trust through mechanisms that will ensure public
involvement and also appropriately inform the public of the program's
planned uses of their personal health information as well as the
privacy protections that will be applied to it.
Regarding public involvement, privacy experts acknowledge that it would
be extremely difficult or impractical to obtain individual consent for
Sentinel's planned use of personal health information, given the vast
number of records involved and the need for timely results. Further,
HIPAA specifically allows for the use of such information without
individual consent or authorization for purposes of promoting public
health.
This may lead to some instances of uses of personal health information
that individuals may find objectionable. FDA has acknowledged that risk
and is trying to ensure that the public's concerns are adequately
addressed through public meetings and the creation of a transparent,
inclusive process for the development of the system. Other mechanisms
for public involvement in the development of the system could include
adding privacy advocates and representatives of consumer organizations
to governing boards to ensure that matters of public concern are raised
and addressed.
With regard to informing the public of the program's planned uses of
personal health information, the fair information practices and the
HIPAA Privacy Rule generally require some mechanism for informing
individuals about how personal information is to be used and protected:
* The openness principle states that the public should be informed
about privacy policies and practices, and that individuals should have
ready means of learning about the use of personal information.
* The HIPAA Privacy Rule requires that most covered entities provide a
notice of their privacy practices. In addition to describing types of
uses and disclosures, the notice, among other things, must also state
the covered entity's duties to protect privacy and individuals' rights.
In addition to informing individuals of what steps an entity is taking
to protect the privacy of the personal information, privacy notices
also help to ensure an organization's accountability for its stated
policies.
According to experts, it may be difficult to develop a privacy notice
that is at a level of detail that appropriately informs all segments of
the public about the privacy protections in place for Sentinel, as well
as promotes a clear understanding of how their personal health
information is being used. They cited previous experience with privacy
notices--such as those required of financial institutions by the
Gramm-Leach-Bliley Act--which have been difficult for consumers to read and
understand.
In prior work, we have highlighted the use of a layered approach to
creating privacy notices in order to improve comprehension. For
example, we stated that at one layer, the notice could provide a brief
description of the information required, the primary purpose for the
collection, and associated uses and sharing of such data. A second
layer could include additional details about the system or program's
uses and the circumstances under which data could be shared.[Footnote
17] Using a layered approach to privacy notices could enhance
effectiveness in communicating with individual patients.
The many sources and large number of records involved also suggest that
multiple channels of communication may be needed to ensure that as many
individuals as possible are informed.
For example, in addition to publishing a notice in the Federal Register
as required by the Privacy Act or a privacy impact assessment as
required by the E-Government Act, other communication methods may be
useful, including disseminating information through a central Web site,
developing a publication on Sentinel privacy measures, developing
notices for health care providers and other collaborating partners
and/or data sources to use when they collect personal health
information, and conducting outreach to consumer and public advocacy
groups.
Without ensuring transparency into Sentinel's privacy policies and
procedures, FDA may risk losing the public's confidence in its ability
to protect their personal health information.
Mitigating risks associated with de-identified data: A fourth challenge
FDA faces is ensuring that de-identified data--which it plans to use in
most cases when presenting the results of Sentinel analysis--is not used
to re-identify individuals, as may be possible in certain
circumstances. Further, in cases in which de-identified data may not be
sufficient to fulfill program goals, FDA faces the challenge of
ensuring that disclosure of personally identifiable health information
is limited, monitored, and controlled.
De-identification is the process of stripping data of fields that
uniquely identify individuals. According to the Privacy Rule,
information is de-identified when the data fields are insufficient to
identify an individual and when there is no reasonable basis to believe
that the data can be used to re-identify an individual. According to
the Privacy Rule, de-identification can be achieved by stripping out
fields that uniquely identify individuals, including:
* names,
* geographic subdivisions smaller than a state,
* Social Security numbers, and,
* dates of birth.
HIPAA also allows covered entities to use an expert opinion to
determine whether data have been de-identified. Under the Privacy Rule,
once data have been successfully de-identified using an approved
method, those data can be used and disclosed freely without being
subject to the privacy rule.
Various levels of de-identification are possible, and the risk of re-
identification varies accordingly (see figure 2). FDA officials have
stated that their plan is to provide analytical results using only
summary information known as aggregate output data, the least risky
type of de-identified data. Experts generally agree that there is
reduced risk of re-identification when this type of data is used.
However, ensuring that de-identified data are not re-identified when
disclosed to outside entities will pose challenges for FDA because
useful analysis may require that riskier levels of de-identified data
be used.
Figure 2: Levels of De-identified Data:
* Aggregate data from multiple records -- data: number of persons; year;
drug used; reaction -- risk level: lowest.
* Individual record, de-identified -- data: gender; age; year; drug used;
reaction -- risk level: second lowest.
* Individual record, partially de-identified -- data: ZIP code; gender;
age; year; drug used; reaction -- risk level: second highest.
* Individual record, full set of personally identifiable information --
data: Social Security number; name; ZIP code; gender; age; year; drug
used; reaction -- risk level: highest.
Source: GAO analysis of industry and FDA data.
[End of figure]
However, the eHI project has found that aggregate data are often not
useful as a research tool and that "limited data sets," which include
some identifying information, are often needed instead. Such data sets
pose increased privacy risks because it may be possible to combine data
fields in these limited data sets with other publicly available data to
re-identify individuals. For example, according to published research
by an expert in the field, 87 percent of individuals are uniquely
identifiable given their gender, ZIP code, and date of birth.[Footnote
18]
Because of the significant risk of re-identification, the use of
certain methods of de-identifying data, such as limited data sets, may
require additional controls to mitigate risks. Actions to reduce the
risk of re-identification could include:
* using the least identifiable form of data to respond to queries,
* ensuring that contractual requirements prohibit recipients from re-
identifying individuals and ensuring that individuals are not contacted
or their personal health information otherwise disclosed, and,
* establishing enhanced security controls to protect the data from
inadvertent disclosure, given the risk of re-identification.
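As an added example (not part of the GAO report), the following Python script applies the four data levels of Figure 2 to a constructed set of adverse-event records, measures re-identification risk as the share of rows that are unique on their quasi-identifiers (ZIP code, gender, age), and answers a query at the least identifiable level that can satisfy it, flagging outputs whose risk calls for the additional controls listed above. The field names, sample records, and the risk threshold are assumptions made for the example.

```python
"""Added example (not from the GAO report): Figure 2 data levels applied to
constructed adverse-event records, with a simple re-identification risk
measure and a query responder that uses the least identifiable level."""
from collections import Counter

# Constructed sample records; SSNs and names are obvious placeholders.
FIELDS = ("ssn", "name", "zip", "gender", "age", "year", "drug", "reaction")
_RAW = [
    ("000-00-0001", "Patient A", "20201", "F", 38, 2008, "DrugX", "rash"),
    ("000-00-0002", "Patient B", "20201", "F", 38, 2008, "DrugX", "rash"),
    ("000-00-0003", "Patient C", "20548", "F", 38, 2008, "DrugX", "headache"),
    ("000-00-0004", "Patient D", "20993", "F", 38, 2008, "DrugY", "none"),
    ("000-00-0005", "Patient E", "20201", "M", 61, 2008, "DrugX", "rash"),
    ("000-00-0006", "Patient F", "20548", "M", 61, 2007, "DrugY", "none"),
    ("000-00-0007", "Patient G", "20548", "M", 61, 2008, "DrugX", "rash"),
    ("000-00-0008", "Patient H", "20993", "F", 92, 2007, "DrugY", "none"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in _RAW]

# Figure 2 levels, least identifiable first, with the fields each one keeps.
LEVEL_FIELDS = {
    "aggregate": ("year", "drug", "reaction"),
    "deidentified": ("gender", "age", "year", "drug", "reaction"),
    "partial": ("zip", "gender", "age", "year", "drug", "reaction"),
    "full": ("ssn", "name", "zip", "gender", "age", "year", "drug", "reaction"),
}
LEVEL_ORDER = ("aggregate", "deidentified", "partial", "full")
DIRECT_IDENTIFIERS = ("ssn", "name")
# Fields that could be linked to public data to re-identify someone.
QUASI_IDENTIFIERS = ("zip", "gender", "age")


def generalize_age(age):
    # HIPAA safe harbor collapses all ages over 89 into one category.
    return age if age <= 89 else "90+"


def project(records, level):
    """Return the records reduced to the given level of Figure 2."""
    fields = LEVEL_FIELDS[level]
    if level == "aggregate":
        # Summary output only: one row per (year, drug, reaction) with a count.
        counts = Counter(tuple(r[f] for f in fields) for r in records)
        return [dict(zip(fields, key), persons=n) for key, n in sorted(counts.items())]
    rows = []
    for r in records:
        row = {f: r[f] for f in fields}
        if level != "full":
            row["age"] = generalize_age(row["age"])
        rows.append(row)
    return rows


def reidentification_risk(rows):
    """Share of rows whose quasi-identifier combination is unique (k = 1).

    Rows that still carry a direct identifier count as fully identified.
    Aggregate rows carry no quasi-identifiers, so every row shares the
    empty key and none is unique.
    """
    if not rows:
        return 0.0
    if any(d in rows[0] for d in DIRECT_IDENTIFIERS):
        return 1.0
    keys = [tuple(row[q] for q in QUASI_IDENTIFIERS if q in row) for row in rows]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys)


def least_identifiable_level(needed_fields):
    """First level, in Figure 2 order, whose fields cover the query's needs."""
    for level in LEVEL_ORDER:
        if set(needed_fields) <= set(LEVEL_FIELDS[level]):
            return level
    raise ValueError("query needs fields not present in the full record")


def answer_query(records, needed_fields, risk_threshold=0.25):
    """Respond at the least identifiable level and flag the output when its
    re-identification risk exceeds the (assumed) threshold, meaning the
    disclosure needs the extra contractual and security controls."""
    level = least_identifiable_level(needed_fields)
    rows = project(records, level)
    risk = reidentification_risk(rows)
    return {
        "level": level,
        "rows": rows,
        "risk": risk,
        "enhanced_controls_required": risk > risk_threshold,
    }


if __name__ == "__main__":
    for level in LEVEL_ORDER:
        risk = reidentification_risk(project(RECORDS, level))
        print(f"{level:13s} re-identification risk = {risk:.3f}")
    print(answer_query(RECORDS, ("year", "drug", "reaction"))["rows"])
```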
According to FDA officials, while de-identified data may provide all
necessary information for a majority of information queries, there are
instances in which users may require access to personally identifiable
health information to fully process query requests. For example, users
may require personal health information to:
* independently verify and validate certain results or perform targeted
follow-up on a particular query; or
* track individuals across de-identified output or aggregate results
from various data sources in order to minimize double counting and
produce more accurate query results.
Providing partners access to personally identifiable health information
introduces significant privacy and security risks that would likely
require increased protection measures and oversight. Such measures
could include:
* monitoring and strictly limiting disclosure of personally
identifiable health information to where there is a justified need; and
* establishing stringent procedures for protecting the privacy and
security of sensitive personally identifiable health information when
such disclosure occurs between partners.
If these challenges are not addressed, individuals' sensitive health
information could be inappropriately disclosed, and individuals'
privacy could be compromised.
Establishing comprehensive security controls: FDA faces the challenge
of determining the appropriate security controls that Sentinel will
need to protect personal health information from loss or unauthorized
disclosure to the extent that it is transferred between Sentinel
partners. In doing so, FDA will need to establish a uniform set of
security controls for all of its partners to ensure that potential
weaknesses in controls at partner systems do not place personal health
information in Sentinel at unnecessary risk of unauthorized disclosure,
use, modification, or destruction. Such controls will need to
demonstrate that the security of personal health information is
protected both at rest and in transmission among Sentinel and its
partners.
Safeguarding personal health information is critical because its loss
or unauthorized disclosure can lead to serious adverse consequences for
individuals. The confidentiality of personal health information could
be threatened not only by the risk of improper access to stored
information, but also by the risk of interception during electronic
transmission of the information.
Through its planned distributed network of public and private partners,
Sentinel queries may involve the exchange of electronic health
information among partners in the public and private sector when
secondary analysis is required. Although FDA does not anticipate that
electronic health information will be routinely exchanged among
partners, the large number of potential partners could provide many
potential access points through which sensitive information could be
compromised. Given this risk, FDAAA mandates that personal health
information not be revealed in disclosing the results of analysis of
drug safety signals and trends or responding to inquiries regarding
drug safety signals and trends.
A basic objective for any organization is to protect the resources that
support its critical operations from unauthorized access. Organizations
accomplish this objective by designing and implementing access controls
that are intended to prevent, limit, and detect unauthorized access to
computing resources, programs, and information. Inadequate access
controls diminish the reliability of computerized information and
increase the risk of unauthorized disclosure, modification, and
destruction of sensitive information and the disruption of service.
Such controls include protecting the physical boundary around a set of
information resources, assigning unique user accounts to specific users
to distinguish one user from another, and employing cryptography such
as encryption to prevent unauthorized access to computing resources,
programs, and information.
Information security risks to the system could originate from within
the system itself as well as from its partners. Within the system,
inadequate security controls could lead to loss or disclosure of
sensitive information. For example, if the system fails to ensure that
controls adequately protect external and internal boundaries, that
users are identified and authenticated, and that appropriate levels of
encryption are consistently applied to protect sensitive data, there
may be increased risk that individuals could gain unauthorized access
to personal health information.
Security risks could arise among Sentinel partners if their systems do
not contain adequate security controls and personal health information
is inadvertently disclosed, either from partner systems or while that
information is being transmitted from one system to another.
* As previously reported,[Footnote 19] the aggregate effect of
inadequate access controls and weaknesses in other system controls
places information and information systems supporting a larger system
(such as Sentinel) at increased risk of unauthorized disclosure, use,
modification, or destruction, possibly without detection. These
weaknesses increase the risk that unauthorized individuals could read,
copy, delete, add, and modify sensitive information--including
personally identifiable information--on supporting systems.
* Additionally, according to NIST,[Footnote 20] interconnecting
information technology systems can expose the participating
organizations to risk. If the interconnection is not properly designed,
security failures could compromise the connected systems and the data
that they store, process, or transmit. Similarly, if one of the
connected systems is compromised, the interconnection could be used as
a conduit to compromise the other system and its data.
If appropriate security controls are not implemented and maintained
within the system and among Sentinel partners, there is increased risk
of unauthorized disclosure, use, modification, or destruction of
personal health information.
Establishing oversight and enforcement: Finally, concerns about the
wide range of expected Sentinel partners as well as the authority that
a nonprofit entity would have over these entities highlight the
challenge that FDA will face in creating and implementing an effective
oversight and enforcement mechanism to ensure, among other things, the
privacy and security of personal health information maintained by
Sentinel.
Oversight and enforcement are key mechanisms for ensuring that security
and privacy controls are consistently implemented and effective at
mitigating risks. For example, federal agencies are subject to
oversight, as required by FISMA.[Footnote 21] FISMA states that
continuous monitoring of security controls is a key part of managing
enterprise risk and maintaining an accurate understanding of security
risks. Additional oversight is applied through reporting requirements
to the Office of Management and Budget (OMB) and the Congress. In
setting annual reporting requirements, OMB has directed agencies to
provide details regarding their privacy protections for personally
identifiable information as well as information security measures. An
effective oversight and enforcement program is also consistent with the
accountability principle, which states that individuals controlling the
collection or use of personal information should be accountable for
taking steps to ensure the implementation of the fair information
practices.
The wide range of partners expected in Sentinel creates an oversight
and enforcement challenge for FDA. FDA has previously used a variety of
mechanisms, including cooperative agreements and memorandums of
understanding, to establish collaborative relationships with various
members of the public and private sector. Similarly, Sentinel will
likely require a range of contractual arrangements with its many
partners.
An official with the Observational Medical Outcomes Partnership--one of
the projects that is informing Sentinel's planned development--said that
different contractual arrangements were needed depending on the type of
data in use and the partner performing the analysis. Additionally, FDA
has indicated that some organizations may choose to provide data to
Sentinel via secondary contracts with Sentinel partners rather than
belonging to the partnership themselves; such relationships would
require different contractual arrangements. Further, some partners may
restrict access to the data sets they own, requiring the ability to
choose whether to respond to individual queries.
Factors such as these could complicate FDA's ability to establish a
comprehensive oversight and enforcement mechanism. Agreements will
likely need to include provisions requiring strict adherence to
established security and privacy standards. However, beyond stating
such requirements consistently, it may not be possible for FDA to
establish the same enforcement and oversight mechanisms for all of its
partners.
In addition, it is unclear what authority the nonprofit entity that is
expected to operate the coordinating center will have over Sentinel
partners, as FDA has not yet determined which nonprofit entity, if any,
will be responsible for this function. One possible entity under
consideration by FDA is the Reagan-Udall Foundation, established by
FDAAA to advance the mission of the FDA and enhance product safety,
among other things.
* Under FDAAA, the Reagan-Udall Foundation is authorized to award
grants to or enter into contracts, memorandums of understanding, or
cooperative agreements with a wide range of entities, including public-
private partnerships, academic institutions, and industry, to advance
its goals and priorities.
* FDAAA requires the foundation to establish a Board of Directors whose
duties include establishing policies for the execution of memorandums
of understanding and cooperative agreements between the foundation and
other entities.
Experts have raised concerns with designating Reagan-Udall to implement
key Sentinel functions because most of the funds for the foundation's
operations are expected to originate from private industry. Under these
circumstances, it may be difficult to ensure that security and privacy
requirements are strictly enforced. Thus far, budget provisions have
directed FDA to withhold funds from Reagan-Udall.
If adequate oversight and enforcement mechanisms are not in place,
privacy and security requirements may not be appropriately implemented
by all partners, potentially placing personal health information at
increased risk.
While FDA officials acknowledge that they face privacy and security
challenges and have taken steps to begin exploring these issues, they
have not yet established a plan or milestones for fully addressing them
and incorporating the results into the development of Sentinel.
[End of section]
Conclusions:
The Sentinel system is still in the early stages of development. FDA
has made progress in laying the groundwork for establishing the system,
but many critical decisions remain to be made, including decisions
about how the project is to be managed, who its many partners will be,
and what privacy and security controls will be implemented. FDA has not
yet established a plan or milestones for development of the system or
for making these critical decisions.
Although personal health information is not expected to be exchanged as
part of most routine Sentinel operations, FDA will face a number of
privacy and security challenges in developing the system, including (1)
applying protections consistently, (2) limiting use of personal health
information to a clear and specific purpose, (3) ensuring appropriate
public involvement, (4) mitigating risks associated with de-identified
data, (5) establishing comprehensive security controls, and (6)
establishing oversight and enforcement mechanisms. FDA has yet to
develop a plan, including milestones, to address these challenges.
Until challenges are addressed, concerns are likely to remain that the
Sentinel initiative may not be fully addressing risks to the privacy
and security of personal health information.
[End of section]
Recommendation for Executive Action:
We are not making recommendations for further legislative actions.
However, given the privacy and security challenges we have identified,
we recommend that the Commissioner of FDA develop a plan, including
milestones, for developing the Sentinel system and for addressing the
privacy and security challenges associated with:
* ensuring consistent application of protections to all Sentinel
partners,
* limiting use of personal health information to a clear and specific
purpose,
* involving the public in the development of the system and informing
the public of the program's planned uses of personal health information
and privacy protections,
* using de-identified data,
* establishing adequate security controls, and,
* overseeing and enforcing key privacy and security requirements.
[End of section]
Agency Comments and Our Evaluation:
In comments on a draft of this briefing provided via e-mail by the GAO
Coordinator of the HHS Office of the Assistant Secretary for
Legislation, FDA generally agreed that there are many privacy and
security challenges related to the Sentinel initiative and that
attention will need to be paid to computer security with respect to the
transmission of queries and summaries of results. However, FDA asserted
that privacy and security challenges raised by the use and transfer of
personal health information would be largely alleviated by current
plans for the Sentinel system, which call for all personal health
information to remain with the entities that have custody of it and
only analytical results to be shared. FDA acknowledged that secondary
analysis involving personal health information may be necessary and that
the privacy challenges we identified would be relevant to such
analysis, but stated that this analysis would likely take place outside
the bounds of the Sentinel system.
Regardless of whether secondary analysis using personal health
information is within the bounds of the Sentinel system, such analysis
remains a key element in an overall assessment of the data privacy,
confidentiality, and security issues related to accessing,
transmitting, and maintaining data for FDA's postmarket risk
identification and analysis system. Any analysis involving the transfer
of personal health information could introduce significant privacy and
security risks, and would thus require privacy and security protections
and oversight commensurate to this increased risk. Thus the privacy and
security challenges we have identified remain of critical importance as
planning for the Sentinel system moves forward.
FDA generally agreed with the recommendation made in this briefing,
with the exception of the challenge associated with using de-identified
data. Regarding this challenge, FDA asserted that activities involving
the disclosure of personal health information would be outside the
scope of the Sentinel system. However, as previously discussed, the use
and disclosure of personal health information through secondary
analysis is also an important consideration, and in this regard the
challenge associated with using de-identified data will need to be
addressed to ensure that risks to the privacy and security of personal
health information are fully addressed.
FDA also provided technical comments, which we incorporated into the
briefing as appropriate.
[End of appendix]
Appendix II: Comments from the Food and Drug Administration:
Department Of Health & Human Services:
Office Of The Secretary:
Assistant Secretary For Legislation:
Washington, DC 20201:
May 19, 2009:
Gregory C. Wilshusen:
Director:
Information Security Issues:
U.S. Government Accountability Office:
441 G Street N.W.
Washington, DC 20548:
Dear Mr. Wilshusen:
Enclosed are comments on the U.S. Government Accountability Office's
(GAO) report entitled: Privacy and Security: Food and Drug
Administration Faces Challenges in Establishing Protections for its
Postmarket Risk Analysis System (GAO-09-355).
The Department appreciates the opportunity to review this report before
its publication.
Sincerely,
Signed by:
Barbara Pisaro Clark:
Acting Assistant Secretary for Legislation:
Attachment:
[End of letter]
Department Of Health & Human Services:
Food and Drug Administration:
Silver Spring, MD 20993:
Date: May 15, 2009:
To: Acting Assistant Secretary for Legislation:
FROM: Acting Commissioner of Food and Drugs:
Subject: FDA's General Comments to GAO's Draft Report Entitled, Privacy
and Security--Food and Drug Administration Faces Challenges in
Establishing Protections for its Postmarket Risk Analysis System (GAO-09-
355).
FDA is providing the attached general comments to the U.S. Government
Accountability Office's draft report entitled, Privacy and Security--
Food and Drug Administration Faces Challenges in Establishing
Protections for its Postmarket Risk Analysis System (GAO-09-355).
FDA appreciates the opportunity to review and comment on this draft
report before it is published.
Signed by:
[Illegible], for:
Joshua M. Sharfstein, M.D.
Principal Deputy Commissioner:
Acting Commissioner of Food and Drugs:
Attachment:
[End of letter]
FDA's General Comments to the U.S. Government Accountability Office's
Draft Report, Privacy and Security - Food and Drug Administration Faces
Challenges in Establishing Protections for its Postmarket Risk Analysis
System (GAO-09-355):
The Food and Drug Administration (FDA) appreciates the opportunity to
review and comment on the Government Accountability Office's (GAO)
draft report, and we agree with GAO's overall recommendation to develop
a plan (with multiple milestones), which is completely consistent with
ongoing FDA efforts. However, we are very concerned that the report
contains inaccuracies that seriously misrepresent the program and will
lead readers of the report, especially patients and consumers, to
believe that their protected health information[Footnote 22] is at
risk. These inaccuracies most likely result from a fundamental
misunderstanding of how phase I Sentinel will be implemented. We would
like to provide you with some key clarifications.
Phase 1[Footnote 23] of Sentinel:
As explained in the Sentinel report and in most every summary of the
initiative or discussion of Sentinel, we have emphasized that FDA is
working towards establishing a distributed network. This means that no
protected health information will be transferred to the agency. In
fact, no protected health information will be transferred at all. All
health information will remain under the control of current data
owners, behind existing firewalls, protected by privacy and security
safeguards. Participating data owners will continue to manage their
data protected in their secure environment. Those data owners who wish
to participate in Sentinel will perform data searches and analyses of
their own data upon request and submit only summaries of their findings
as part of Sentinel. To reiterate, data from individual data holders
will not be centralized or aggregated in any way into a common
database.
Privacy and Security:
Protecting the privacy and security of protected health information, as
well as the security of all information FDA receives, is of paramount
concern to FDA and part of FDA's ongoing responsibilities as it
fulfills its mission to protect public health. We work every day to
protect the security of the data we receive. Thus, from the beginning
of this program, we have sought to engage thought leaders in the
privacy and security field at every juncture. One of the first
contracts we let under the initiative involved the identification and
analysis of potential privacy issues that might need to be addressed.
(This report is complete and has been posted on FDA's Sentinel Web
site.)
We understand that there may well be a need for further studies of
signals obtained through Sentinel. However, the Agency expects that
such studies would take place outside of Sentinel in precisely the same
manner that we investigate public health concerns today. For example,
an analysis might be carried out pursuant to a contract between FDA and
an individual data holder. In such a case, privacy challenges such as
those identified in the GAO report could become relevant within the
framework of this specific contractual agreement, but would not involve
Sentinel. If protected health information were to be transmitted by a
participating data holder for analysis at any point, including during a
follow-up analysis, controls and measures consistent with the Health
Insurance Portability and Accountability Act (HIPAA) or with the
Privacy Act would be put into place and tested to ensure the security
of protected health information. In fact, all systems that process,
publish, transmit, or store FDA information or information on behalf of
FDA must be protected in accordance with the Federal Information
Security Management Act (FISMA). Because Sentinel is being sponsored by
FDA and is being established in response to the FDA Amendments Act of
2007, Sentinel must be assessed as part of the FDA Certification and
Accreditation (C&A) process as required by FISMA. The C&A process,
milestones, and project plan will be provided by the FDA Security
Office and executed by the FDA Security Office contractors once the
environment is ready. The C&A will be completed prior to moving
Sentinel into production.
Computer Security:
The draft report mentions computer security issues within the context
of the privacy concerns on which the report focuses. Because Sentinel
will be a distributed network and protected health information will not
be transmitted as part of Sentinel, there is not a risk of security
breaches resulting in disclosure of protected health information. FDA
recognizes, however, that attention will need to be paid to computer
security with respect to the transmission of queries and results
summaries, and FDA will require implementation of policies and
procedures to ensure computer security at each stage of the process.
This and other issues need to be carefully explored in the governance
structure; we expect to post an analysis of issues related to
governance for public comment in several weeks.
Graphic Figure:
To communicate the intended structure of Sentinel, the draft report
uses a figure, titled Overview of the Planned Sentinel Query Process,
both on the Highlights page and as slide 17 of the GAO presentation to
Congress. Because FDA is concerned that the figure that was used may
mislead some readers about important aspects of the proposed system, we
have attached a new version of the figure to explain what is intended:
the attached figure explains the Sentinel query process as planned by
FDA. The following points clarify specific concerns we have about the
earlier figure included in the draft GAO report.
* FDA and other partners-This would be more accurate if it read "FDA
and other entities" and was depicted by an image of a person looking at
graphs and data. The current display gives the impression that this is
a fully automated system that does not include human participation and
expertise. As policies and procedures are developed for Sentinel, they
will include descriptions of who will be able to access this resource
and under what circumstances. Other entities besides FDA and "partners"
may have access.
* Partner initiates query-This would be more accurate if it read "Query
initiated." As noted above, once established, policies and procedures
will determine who has access to initiate queries.
* Sentinel Coordinating Center-The drawing of a "server" does not
adequately portray the responsibilities of the coordinating center.
Coordinating center personnel will perform a number of key roles
including determining appropriate methodologies and data sources for
obtaining meaningful responses to a query. The coordinating center will
not be just an IT architecture to administer queries and receive
results.
* Academic institutions and Federal and state government agencies-
Without further qualification, this is potentially confusing. Only
those academic institutions and federal and state government agencies
with automated healthcare data will be recipients of queries.
* Results returned to coordinating center-This would be clearer if it
read "Result summaries returned to Sentinel Coordinating Center."
Results summaries will not include protected health information.
* Coordinating center returns results-This would be clearer if it read
"Sentinel Coordinating Center returns summary results." Results
summaries will not include protected health information.
* Results may potentially be shared with the public-This would be more
accurate if it read "Result summaries will be used to help inform
health care decisions" and was, as in FDA's figure, depicted by an
image of people sitting around a table discussing documents. The
summary results received in response to Sentinel queries will be
considered with other available data to provide information about
medical products to help inform their proper use.
[End of section]
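The distributed design FDA describes above, in which raw records stay with each data holder and only result summaries travel to the Sentinel Coordinating Center, can be enforced in code at the data holder's release boundary. The following Python is an added example and is not FDA's or Sentinel's code: a data holder answers a query by aggregating locally, then refuses to release any summary that still carries direct identifier fields and suppresses cells with fewer patients than a minimum size (a simple small-cell rule in the spirit of the k-anonymity work cited in footnote 18). The identifier list, the minimum cell size of 11, the field names, and the sample records are all assumptions constructed for illustration.

```python
"""Data-holder-side release guard for a distributed query network.

Added example (not FDA or Sentinel code). Raw records stay local; a query
is answered by aggregating locally, and only the aggregate summary is
released to the coordinating center after two checks:
  1. the summary carries no direct identifier fields (assumed list below);
  2. cells with fewer patients than MIN_CELL_SIZE are suppressed, so a
     released summary cannot single out one person.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed list of direct identifiers that must never leave the data holder.
FORBIDDEN_FIELDS = frozenset(
    {"patient_id", "name", "ssn", "mrn", "dob", "address", "phone", "email"}
)
# Assumed minimum number of patients per released cell.
MIN_CELL_SIZE = 11


@dataclass(frozen=True)
class SummaryCell:
    stratum: tuple          # ((field, value), ...) describing the cell
    count: Optional[int]    # None once the cell has been suppressed


class SummaryRejected(ValueError):
    """Raised when a summary would carry record-level identifiers."""


def _make(n, age_band, exposed):
    # Constructed records; the identifier fields exist only to show that
    # they are never released.
    return [
        {"patient_id": f"P{i:03d}", "name": "constructed",
         "age_band": age_band, "exposed": exposed}
        for i in range(n)
    ]


# Constructed local data: 15 exposed and 12 unexposed patients aged 40-49,
# plus 3 exposed patients aged 50-59 (a small cell that must be suppressed).
LOCAL_RECORDS = (_make(15, "40-49", True)
                 + _make(3, "50-59", True)
                 + _make(12, "40-49", False))


def aggregate_locally(records, stratify_by):
    """Run the query inside the data holder: count patients per stratum."""
    counts = Counter()
    for r in records:
        counts[tuple((f, r[f]) for f in stratify_by)] += 1
    return [SummaryCell(k, n)
            for k, n in sorted(counts.items(), key=lambda kv: repr(kv[0]))]


def release_summary(cells, min_cell=MIN_CELL_SIZE):
    """Check a summary before it leaves the data holder; suppress small cells."""
    released = []
    for c in cells:
        leaked = {f.lower() for f, _ in c.stratum} & FORBIDDEN_FIELDS
        if leaked:
            raise SummaryRejected(f"identifier fields in summary: {sorted(leaked)}")
        if c.count is None or c.count < min_cell:
            released.append(SummaryCell(c.stratum, None))
        else:
            released.append(c)
    return released


def receive_summary(cells):
    """Coordinating-center side: re-run the same checks (defense in depth)
    and return the number of patients represented by the released cells."""
    checked = release_summary(cells)
    return sum(c.count for c in checked if c.count is not None)


if __name__ == "__main__":
    cells = aggregate_locally(LOCAL_RECORDS, ["age_band", "exposed"])
    for c in release_summary(cells):
        print(dict(c.stratum), "suppressed" if c.count is None else c.count)
```

Running the module releases the two large cells (15 and 12 patients) and suppresses the three-patient cell; a query stratified on `patient_id` is refused outright, because a cell per patient is a record-level disclosure regardless of its count. Suppressing one cell can still leave it inferable from marginal totals, so a production guard would add complementary suppression or noise; this example shows only the release boundary itself.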
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Gregory C. Wilshusen (202) 512-6244, or wilshuseng@gao.gov:
Staff Acknowledgments:
In addition to the individual named above, John de Ferrari, Assistant
Director; Idris Adjerid; Monica Anatalio; Susan Czachor; Season
Dietrich; Neil Doherty; Nancy Glover; and Rebecca Eyler made key
contributions to this report.
[End of section]
Footnotes:
[1] Personal health information in this briefing refers to information
relating to the health or health care of an individual and that
identifies, or can be used to identify, the individual.
[2] Pub. L. No. 110-85, § 905, 121 Stat. 823, 944 (Sept. 27, 2007).
[3] As confidentiality is a key aspect of information security, it was
included under our review of security issues.
[4] These do not include medical devices used for collecting,
processing, testing, manufacturing, and administration of licensed
blood, blood components, and cellular products, which are governed by
the Center for Biologics Evaluation and Research.
[5] The Institute of Medicine was created by the National Academy of
Sciences in 1970 to provide advice to the federal government on issues
relating to medical care, research, and education.
[6] GAO, Drug Safety: Improvement Needed in FDA's Postmarket Decision-
making and Oversight Process, [hyperlink,
http://www.gao.gov/products/GAO-06-402] (Washington, D.C.: Mar. 31,
2006).
[7] FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347
(Dec. 17, 2002).
[8] The recently enacted Health Information Technology for Economic and
Clinical Health (HITECH) Act contains provisions relating to the
promotion and testing of health information technology, and privacy and
security protections for health information technology. HITECH Act
Title XIII, American Recovery and Reinvestment Act of 2009, Pub. L. No.
111-5 (Feb.17, 2009).
[9] Mass. Gen. Laws ch. 111, § 70F.
[10] NIST, Security Guide for Interconnecting Information Technology
Systems, Special Publication 800-47 (Washington D.C., August 2002).
[11] NIST, Standards for Security Categorization of Federal Information
and Information Systems, Federal Information Processing Standard (FIPS)
199 (Washington D.C., February 2004).
[12] NIST, Minimum Security Requirements for Federal Information and
Information Systems, FIPS 200 (Washington D.C., March 2006).
[13] The Medicare Prescription Drug, Improvement, and Modernization Act
of 2003 (MMA) established an outpatient drug benefit, known as Medicare
Part D, that provides prescription drug coverage for beneficiaries who
opt to enroll in the program. Congress designed Medicare Part D to be a
market-driven program that promotes competition among private health
plans.
[14] The National Committee on Vital and Health Statistics was
established in 1949 as a public advisory committee that is statutorily
authorized to advise the Secretary of HHS on health data, statistics,
and national health information policy, including the implementation of
health information technology standards.
[15] GAO, Personal Information: Agency and Reseller Adherence to Key
Privacy Principles, [hyperlink, http://www.gao.gov/products/GAO-06-421]
(Washington, D.C.: Apr. 4, 2006).
[16] GAO, Data Mining: Early Attention to Privacy in Developing a Key
DHS Program Could Reduce Risks, [hyperlink,
http://www.gao.gov/products/GAO-07-293] (Washington, D.C.: Feb. 28,
2007).
[17] GAO, Privacy: Alternatives Exist for Enhancing Protection for
Personally Identifiable Information, [hyperlink,
http://www.gao.gov/products/GAO-08-536] (Washington, D.C.: May 19,
2008).
[18] L. Sweeney, "k-Anonymity: A Model for Protecting Privacy,"
International Journal on Uncertainty, Fuzziness and Knowledge-based
Systems, vol. 10, no. 5 (2002).
[19] GAO, Information Security: Homeland Security Needs to Immediately
Address Significant Weaknesses in Systems Supporting the US-VISIT
Program, [hyperlink, http://www.gao.gov/products/GAO-07-870]
(Washington, D.C.: July 13, 2007).
[20] NIST, Security Guide for Interconnecting Information Technology
Systems, Special Publication 800-47 (Washington, D.C.: August 2002).
[21] FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347
(Dec. 17, 2002).
[22] The Privacy Rule protects all "individually identifiable health
information" held or transmitted by a covered entity or its business
associate, in any form or media, whether electronic, paper, or oral.
The Privacy Rule calls this information "protected health information"
(PHI). See [hyperlink,
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf].
[23] We refer to the initial roll out of Sentinel as phase 1,
recognizing that as the availability of electronic health records
increases, coupled with advances in data standards development,
Sentinel will necessarily evolve.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO's actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO's Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: