The federal government needs to do more to ensure privacy and
confidentiality in any national electronic health information network that is
In particular, the Office of the National Coordinator for Health
Information Technology needs to develop a process for assessing the myriad
privacy concerns of different stakeholders and for determining how all of
those concerns will be addressed in an overall strategy for ensuring privacy
and confidentiality, according to a report by the Government Accountability
Office (GAO) released in September.
The Department of Health and Human Services' (HHS) "privacy approach
does not include a defined process for assessing and prioritizing the many
privacy-related initiatives to ensure that key privacy principles and
challenges will be fully and adequately addressed," according to the
report. "As a result, stakeholders may lack the overall policies and
guidance needed to assist them in their efforts to ensure that privacy
protection measures are consistently built into health information technology
programs and applications. Moreover, the department may miss an opportunity to
establish the high degree of public confidence and trust needed to help ensure
the success of a nationwide health information network."
In January 2007, the GAO issued a report on protecting the privacy of
electronic health information that asked HHS to identify milestones and assign
responsibility for integrating the outcomes of its privacy-related
initiatives, ensure that key privacy principles are addressed, and address key
challenges associated with the nationwide exchange of health information.
The new GAO report noted that HHS has undertaken some important steps. They
include the following:
In addition, the secretary of HHS released a federal health information
technology strategic plan in June that includes privacy and security
objectives, along with strategies and target dates for achieving them.
But HHS needs to do more, the GAO said.
"In particular, the department has not defined a process for ensuring
that all privacy principles and challenges will be fully and adequately
addressed," the GAO stated. "This process would include, for
example, steps for ensuring that all stakeholders' contributions to defining
privacy-related activities are appropriately considered and that individual
inputs to the privacy framework will be effectively assessed and prioritized
to achieve comprehensive coverage of all key privacy principles and
"Such a process is important given the large number and variety of
activities being undertaken and the many stakeholders contributing to the
health information technology initiatives. In particular, the contributing
activities involve a wide variety of stakeholders, including federal, state,
and private-sector entities."
"HHS Has Taken Important Steps to Address Privacy Principles
and Challenges, Although More Work Remains" is posted at<www.gao.gov/new.items/d081138.pdf>.
Information about the Certification Commission for Healthcare Information
Technology is posted at<www.cchit.org>.▪