Government Not Doing Enough to Ensure Medical-Record Privacy

Published Online: https://doi.org/10.1176/pn.43.21.0010a

The federal government needs to do more to ensure privacy and confidentiality in any national electronic health information network that is developed.

In particular, the Office of the National Coordinator for Health Information Technology needs to develop a process for assessing the myriad privacy concerns of different stakeholders and for determining how all of those concerns will be addressed in an overall strategy for ensuring privacy and confidentiality, according to a report by the Government Accountability Office (GAO) released in September.

The Department of Health and Human Services' (HHS) “privacy approach does not include a defined process for assessing and prioritizing the many privacy-related initiatives to ensure that key privacy principles and challenges will be fully and adequately addressed,” according to the report. “As a result, stakeholders may lack the overall policies and guidance needed to assist them in their efforts to ensure that privacy protection measures are consistently built into health information technology programs and applications. Moreover, the department may miss an opportunity to establish the high degree of public confidence and trust needed to help ensure the success of a nationwide health information network.”

In January 2007, the GAO issued a report on protecting the privacy of electronic health information that asked HHS to identify milestones and assign responsibility for integrating the outcomes of its privacy-related initiatives, ensure that key privacy principles are addressed, and address key challenges associated with the nationwide exchange of health information.

The new GAO report noted that HHS has undertaken some important steps. They include the following:

The Healthcare Information Technology Standards Panel defined standards for implementing security features in systems that process personal health information.

The panel is a body of the American National Standards Institute. According to the institute's Web site, “The mission of the Healthcare Information Technology Standards Panel is to serve as a cooperative partnership between the public and private sectors for the purpose of achieving a widely accepted and useful set of standards specifically to enable and support widespread interoperability among health care software applications, as they will interact in a local, regional, and national health information network for the United States.”

The Certification Commission for Healthcare Information Technology defined certification criteria that included privacy protections for both outpatient and inpatient electronic health records. The Certification Commission for Healthcare Information Technology is a recognized certification body for electronic health records and their networks and an independent, voluntary, private-sector initiative.

Initiatives aimed at the state level have convened stakeholders to identify and propose solutions for addressing challenges faced by health information exchange organizations in protecting the privacy of electronic health information.

In addition, the secretary of HHS released a federal health information technology strategic plan in June that includes privacy and security objectives, along with strategies and target dates for achieving them.

But HHS needs to do more, the GAO said.

“In particular, the department has not defined a process for ensuring that all privacy principles and challenges will be fully and adequately addressed,” the GAO stated. “This process would include, for example, steps for ensuring that all stakeholders' contributions to defining privacy-related activities are appropriately considered and that individual inputs to the privacy framework will be effectively assessed and prioritized to achieve comprehensive coverage of all key privacy principles and challenges.

“Such a process is important given the large number and variety of activities being undertaken and the many stakeholders contributing to the health information technology initiatives. In particular, the contributing activities involve a wide variety of stakeholders, including federal, state, and private-sector entities.”

“HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains” is posted at <www.gao.gov/new.items/d081138.pdf>. Information about the Certification Commission for Healthcare Information Technology is posted at <www.cchit.org>.