HIPAA Regulatory Alert

HHS lacking in approach to health info privacy

The Department of Health and Human Services (HHS) may have given rise to — and oversees — HIPAA privacy regulations, but according to a report by the General Accounting Office (GAO), the agency's approach to ensuring the privacy of health information still needs some work.

A report released in September 2008 by the GAO is a follow-up to recommendations made by GAO in 2007 on the status of efforts by HHS to ensure the privacy of personal health information exchanged within a health information network. At the time of the 2007 report, the GAO recommended that HHS define and implement an overall privacy approach for protecting information that's exchanged or stored electronically.

The GAO reported in its follow-up that HHS has taken steps toward meeting the recommendations, including identifying goals, ensuring key privacy principles are addressed, and addressing challenges associated with nationwide exchange of health information.

Still, while the GAO report credits HHS with taking steps that "contribute to an overall privacy approach," it finds that HHS has fallen short of implementation. In particular, the report finds that HHS's privacy approach does not include a defined process for assessing and prioritizing privacy initiatives, which leaves gaps in the policies and guidance stakeholders need to ensure adequate privacy protection measures.

The GAO's recommendation is that HHS prioritize: it suggests that the HHS Secretary direct the national coordinator for health IT to include in the HHS overall privacy approach a process for assessing and prioritizing its privacy-related initiatives.