GAO Calls for Comprehensive Privacy Approach for National Strategy in HIT Implementation

On June 19^th the Government Accountability Office (GAO) released a report highlighting the progress, shortfalls and necessary steps that HHS must complete in order to ensure privacy and security measures and benchmarks in the creation of a nationwide health information network (NHIN).

The report followed closely with testimony given at the June 19^th House Subcommittee hearing on Information Policy, Census and National Archives, a subcommittee of the House Oversight and Government Reform Committee.  It recognizes the work that HHS and the Office of the National Coordinator for HIT (ONC) have completed since the inception of ONC following President Bush's Executive Order in April, 2004. 

The report describes the June 2006 recommendations by the National Committee on Vital and Health Statistics (NCVHS) on protecting the privacy of personal health information within the NHIN.  In addition to NCVHS, the report also refers to the Privacy and Security workgroup of the American Health Information Community (AHIC), calling both efforts important steps toward ensuring privacy and security in the NHIN, but said they are collectively not enough.

The GAO criticized the disparate activity of the federal government and cited the need to pull these actions together into a single unified and comprehensive plan for securing patient privacy in HIT.  The report refers to the NCVHS recommendations and the inclusion of privacy and security in AHIC as early stages of efforts but says they fall short of addressing key privacy principles (and) milestones.

HHS, in commenting on the GAO report, disagreed with the recommendations and referred to their comprehensive and integrated approach for ensuring the privacy and security of health information within nationwide health information exchange.

The report concludes by giving the Secretary of HHS three recommendations on how to implement an overall strategy to ensure privacy and confidentiality in the NHIN.  The recommendations include:

1. Identify milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, including the results of its four health IT contracts and recommendations from the NCVHS and AHIC advisory committees.
2. Ensure that key privacy principles in HIPAA are fully addressed.
3. Address key challenges associated with legal and policy issues, disclosure of personal health information, individuals rights to request access and amendments to health information and security measures for protecting health information within a nationwide exchange of health information.

To access the GAO report and testimony from the June 19^th hearing click here.

To read more or get involved in eHIs work on Privacy, Security and Confidentiality through our Blueprint for Change, click here.