HIPAA Regulatory Alert

GAO report: "Much work remains" for HHS' efforts

HHS called into question about progress in ensuring safe electronic exchange of health information

The Government Accountability Office (GAO) says the Department of Health and Human Services (HHS) should define and implement an overall privacy approach identifying milestones for integrating the outcomes of its initiatives, ensuring that key privacy principles are fully addressed, and addressing challenges associated with the nationwide exchange of health information.

HHS disagreed with the recommendation, saying it has established a comprehensive privacy approach and that setting milestones would hamper its efforts. GAO reiterated its opinion that an overall approach for integrating HHS initiatives has not been fully defined and implemented.

Studies by the Institute of Medicine and other organizations have cautioned that fragmented, disorganized, and inaccessible clinical information adversely affects the quality of health care and compromises patient safety. Also, long-standing problems with medical errors and inefficiencies increase costs for U.S. health care delivery.

GAO says health information technology offers a promising solution to improve patient safety and reduce inefficiencies, with great potential to improve the quality of care, bolster the preparedness of the public health infrastructure, and save money on administrative costs.

"As the use of health IT and electronic information exchange networks expands," the GAO report said, "health information exchange organizations are faced with challenges to ensuring the protection of health information, including understanding and resolving legal and policy issues, ensuring that the minimum information necessary is disclosed only to those entities authorized to request the information, ensuring individuals' rights to request access and amendments to health information, and implementing adequate security measures.

"These challenges are expected to become more prevalent as more information is exchanged and as electronic health information exchange expands to a nationwide basis. HHS' current initiatives are intended to address many of these challenges. However, without a clearly defined approach that establishes milestones for integrating its efforts and fully addresses key privacy principles and these challenges, it is likely that HHS' goal to safeguard personal health information as part of its national strategy for health IT will not be met."

GAO calls for more comprehensive effort

HHS officials who commented on a draft of the GAO report referred to the department's "comprehensive and integrated approach for ensuring the privacy and security of health information within nationwide health information exchange." GAO insisted, however, that an overall approach for integrating the department's various privacy-related initiatives has not been fully defined and implemented.

"We acknowledge in our report that HHS has established a specific objective to protect consumer privacy along with two specific strategies for meeting this objective," GAO said. "Our report also acknowledges the key efforts that HHS has initiated to address this objective, and HHS' comments describe these and additional state and federal efforts.

"HHS stated that the department has made significant progress in integrating these efforts. While progress has been made initiating these efforts, much work remains before they are completed and the outcomes of the various efforts are integrated. Thus, we recommended that HHS define and implement a comprehensive policy approach that includes milestones for integration, identifies the entity responsible for integrating the outcomes of its privacy-related initiatives, addresses key privacy principles, and ensures that challenges are addressed in order to meet the department's objective to protect the privacy of health information exchanged within a nationwide health information network."

HHS objects to GAO finding

In disagreeing with the GAO recommendation, HHS said scripted milestones would impede the agency's processes and preclude stakeholder dialogue on the direction of important policy matters. GAO said its analysts disagree and think that milestones are important for setting targets for implementation and informing stakeholders of HHS' plans and goals for protecting personal health information as part of its efforts to achieve nationwide implementation of health IT.

"Milestones are especially important considering the need for HHS to integrate and coordinate the many deliverables of its numerous ongoing and remaining activities," GAO said. "We agree that it is important for HHS to continue to actively involve both public and private sector health care stakeholders in its processes."

HHS did not comment on the need to identify an entity responsible for integrating the department's privacy-related initiatives, nor did it provide information on any effort to assign responsibility for that activity. HHS neither agreed nor disagreed that its approach should address privacy principles and challenges, but said the department plans to work toward addressing privacy principles in HIPAA and that the GAO report appropriately highlights efforts to address challenges encountered during electronic health information exchange.

70% of Americans concerned about security

The report was released at a Feb. 1 hearing of the Senate Committee on Homeland Security and Governmental Affairs Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia. Subcommittee chairman Daniel Akaka (D-HI) said he is deeply concerned about the level of privacy protections in the health IT network, noting a 2005 Harris Interactive survey showing that 70% of Americans were concerned that an electronic medical records system could lead to sensitive medical records being exposed due to weak electronic security.

Federal data breaches cited

"This fear is understandable," he declared. "Over the past few years, we have seen various data mining programs in the federal government that lacked key privacy protections. We also recall the loss of a VA laptop computer and the news of many other federal data breaches that put the personal information of millions of Americans at risk. These incidents reinforce the need to build into any system containing personal information privacy and security protections. Our personal health information must not be subject to these same failings. Privacy and security are critical elements in health IT and should never be an afterthought."

Akaka said that given the overwhelming evidence of the benefits associated with expanded use of health IT, as well as the fact that 70% of Americans are concerned about the privacy of their health information, he was surprised to learn that HHS objects to the GAO recommendations.

"It is clear that the health care industry faces challenges in protecting electronic health information given the varying state laws and policies, the entities not covered by HIPAA, and the need to implement adequate security measures," Akaka said. "But while more and more companies, providers, and carriers move forward with health IT, I fear that privacy suffers while HHS takes more time to decide how to implement privacy protection. HHS must address these issues in a more timely fashion in order to give the private sector guidance on how to move forward with health IT and protect the private health information of all Americans."

University of Louisville School of Medicine Institute for Bioethics, Health Policy, and Law Director Mark Rothstein, who also chairs the National Committee on Vital and Health Statistics subcommittee on privacy and confidentiality, told the committee HHS has made "very little meaningful progress" in developing and implementing measures to protect the privacy of health information in electronic health networks.

"Time is of the essence," Rothstein said. "HHS must begin to act immediately on the key privacy issues, and Congress needs to hold HHS accountable… I believe the [GAO] report accurately identifies the great challenges in adopting and integrating a comprehensive and effective strategy to protect public health privacy, confidentiality, and security as the nation moves to a system of interoperable electronic health record networks."

Rothstein testified that privacy concerns currently lag behind technical development of the Nationwide Health Information Network and the gap is widening as research and development progress while fundamental privacy issues remain largely unexamined and unresolved.

"I cannot emphasize enough how rapidly the field of health information technology is moving," Mr. Rothstein told the committee. "While HHS organizes more task forces and working groups, the private sector is racing ahead to implement a wide array of health information exchanges, medical record banks, regional health information organizations, and personal health record systems."

He pointed out that several large employers are developing a personal health record system for their employees in hopes of improving employee health and lowering employer health plan costs. Private sector initiatives with personal health records and electronic health records usually are not subject to any federal or state regulation, he said, because they are not covered entities under HIPAA. Also, tens of thousands of other health care providers and health information providers are not covered entities under HIPAA, usually because they are not involved in the process of electronically submitting claims for health services.

Rothstein said he would respectfully recommend that Congress condition continued appropriations for development of the National Health Information Network on HHS demonstrating significant progress in addressing privacy issues. He also recommended that Congress play a greater oversight role on the issue.

As a starting point, he said, HHS should address the 26 recommendations made by the National Committee on Vital and Health Statistics in June 2006. "The first order of business is for HHS to develop a framework for privacy and confidentiality in the National Health Information Network," he said. "Then, the public can participate in the deliberations about the framework." He recommended that HHS

  • publish a public request for information about key aspects of the privacy framework;
  • hold public hearings around the country on privacy issues;
  • fund quantitative and qualitative research on public attitudes toward health information privacy;
  • integrate key privacy principles into the National Health Information Network architecture;
  • publish an advanced notice of proposed rulemaking dealing with privacy in the National Health Information Network;
  • submit a report to Congress identifying gaps in coverage of the HIPAA Privacy Rule and how to address them; and
  • initiate public education programs on electronic health records and privacy protections.

Rothstein tells HIPAA Regulatory Alert his comments on the GAO report were "more assertive than GAO reports tend to be." Although HHS responded to the report by saying everything is fine, he says, in the weeks following the report there seemed to be an increased interest in privacy at the department.

"Time will tell whether this new level of concern at HHS translates into timely, effective action," he says.

(View the GAO report at www.gao.gov/cgi-bin/getrpt?GAO-07-238.)