This is the accessible text file for GAO report number GAO-07-238 
entitled 'Health Information Technology: Early Efforts Initiated but 
Comprehensive Privacy Approach Needed for National Strategy' which was 
released on February 1, 2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

January 2007: 

Health Information Technology: 

Early Efforts Initiated but Comprehensive Privacy Approach Needed for 
National Strategy: 

GAO-07-238: 

GAO Highlights: 

Highlights of GAO-07-238, a report to congressional requesters 

Why GAO Did This Study: 

The expanding implementation of health information technology (IT) and 
electronic health information exchange networks raises concerns 
regarding the extent to which the privacy of individuals’ electronic 
health information is protected. In April 2004, President Bush called 
for the Department of Health and Human Services (HHS) to develop and 
implement a strategic plan to guide the nationwide implementation of 
health IT. The plan is to recommend methods to ensure the privacy of 
electronic health information. GAO was asked to describe HHS’s efforts 
to ensure privacy as part of its national strategy and to identify 
challenges associated with protecting electronic personal health 
information. To do this, GAO assessed relevant HHS privacy-related 
initiatives and analyzed information from health information 
organizations. 

What GAO Found: 

HHS and its Office of the National Coordinator for Health IT have 
initiated actions to identify solutions for protecting personal health 
information through several contracts and with two health information 
advisory committees. For example, in late 2005, HHS awarded several 
health IT contracts that include requirements for addressing the 
privacy of personal health information exchanged within a nationwide 
health information exchange network. Its privacy and security solutions 
contractor is to assess the organization-level privacy- and security-
related policies, practices, laws, and regulations that affect 
interoperable health information exchange. Additionally, in June 2006, 
the National Committee on Vital and Health Statistics made 
recommendations to the Secretary of HHS on protecting the privacy of 
personal health information within a nationwide health information 
network, and in August 2006, the American Health Information Community 
convened a work group to address privacy and security policy issues for 
nationwide health information exchange. While these activities are 
intended to address aspects of key principles for protecting the 
privacy of health information, HHS is in the early stages of its 
efforts and has therefore not yet defined an overall approach for 
integrating its various privacy-related initiatives and addressing key 
privacy principles, nor has it defined milestones for integrating the 
results of these activities. 

GAO identified key challenges associated with protecting electronic 
personal health information in four areas (see table). 

Table: Challenges to Exchanging Electronic Health Information: 

Area: Understanding and resolving legal and policy issues; 
* Resolving uncertainties regarding the varying extent of federal 
privacy protection required of various organizations; 
* Understanding and resolving data-sharing issues introduced by varying 
state privacy laws and organization-level practices; 
* Reaching agreement on organizations' differing interpretations and 
applications of HIPAA privacy and security rules; 
* Determining liability and enforcing sanctions in cases of breach of 
confidentiality. 

Area: Ensuring appropriate disclosure; 
* Determining the minimum data necessary that can be disclosed in order 
for requesters to accomplish their intended purposes; 
* Obtaining individuals' authorization and consent for use and 
disclosure of personal health information; 
* Determining the best way to allow individuals to participate in and 
consent to electronic health information exchange; 
* Educating consumers so that they understand the extent to which their 
consent to use and disclose health information applies. 

Area: Ensuring individuals' rights to request access and amendments to 
health information to ensure it is correct; 
* Ensuring that individuals understand that they have rights to request 
access and amendments to their own health information to ensure that it 
is correct; 
* Ensuring that individuals' amendments are properly made and tracked 
across multiple locations. 

Area: Implementing adequate security measures for protecting health 
information; 
* Determining and implementing adequate techniques for authenticating 
requesters of health information; 
* Implementing proper access controls and maintaining adequate audit 
trails for monitoring access to health data; 
* Protecting data stored on portable devices and transmitted between 
business partners. 

Source: GAO analysis of information provided by state-level health 
information exchange organizations, federal health care providers, and 
health IT professional associations. 

[End of table] 

What GAO Recommends: 

GAO recommends that HHS define and implement an overall privacy 
approach that identifies milestones for integrating the outcomes of its 
initiatives, ensures that key privacy principles are fully addressed, 
and addresses challenges associated with the nationwide exchange of 
health information. In its comments, HHS disagreed and stated that it 
has established a comprehensive privacy approach. However, GAO believes 
that an overall approach for integrating HHS’s initiatives has not been 
fully defined and implemented. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-238] 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Linda D. Koontz, (202) 
512-6240 or koontzl@gao.gov. 

[End of Section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Federal Government's Role in Health Care: 

HHS Has Initiated Actions to Identify Solutions for Protecting Personal 
Health Information but Has Not Defined an Overall Approach for 
Addressing Privacy: 

The Health Care Industry Faces Challenges in Protecting Electronic 
Health Information: 

Conclusions: 

Recommendation for Executive Action: 

Agency Comments and Our Evaluation: 

Appendixes: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Major Federal Health Care Programs: 

Appendix III: HHS Health IT Contracts: 

Appendix IV: The Office of the National Coordinator for Health IT's 
Goals, Objectives, and Strategies: 

Appendix V: Descriptions of Federal Laws for Protecting Personal Health 
Information: 

Appendix VI: Comments from the Department of Health and Human Services: 

Appendix VII: Comments from the Department of Veterans Affairs: 

Appendix VIII: GAO Contacts and Acknowledgments: 

Tables: 

Table 1: Key Privacy Principles in HIPAA's Privacy Rule: 

Table 2: Key HIPAA Privacy Principles and HHS's Initiatives Intended to 
Address Aspects of the Principles: 

Table 3: Challenges to Exchanging Electronic Health Information: 

Table 4: Federal Programs: 

Table 5: HHS Health IT Contracts: 

Table 6: Goals, Objectives, and Strategies of the Office of the 
National Coordinator: 

Table 7: Selected Federal Laws that Protect Personal Health 
Information: 

Abbreviations: 

AHIC: American Health Information Community: 

DOD: Department of Defense: 

Health IT: health information technology: 

HIPAA: Health Insurance Portability and Accountability Act of 1996: 

HHS: Health and Human Services: 

NCVHS: National Committee on Vital and Health Statistics: 

NHIN: Nationwide Health Information Network: 

VA: Department of Veterans Affairs: 

January 10, 2007: 

The Honorable Daniel K. Akaka: 
Chairman: 
Subcommittee on Oversight of Government Management, the Federal 
Workforce, and the District of Columbia: 
Committee on Homeland Security and Governmental Affairs: 
U.S. Senate: 

The Honorable Edward M. Kennedy: 
Chairman: 
Committee on Health, Education, Labor and Pensions: 
U.S. Senate: 

The expanding implementation of health information technology (health 
IT)[Footnote 1] and electronic health care information exchange 
networks raises concerns regarding the extent to which individuals' 
privacy is protected. Inappropriate disclosure of personal health 
information[Footnote 2] could result in information being revealed that 
individuals wish to keep confidential. Recent incidents in which 
unauthorized persons accessed data and where employees' laptops 
containing personal information were stolen highlight the vulnerability 
of electronic personal information and the reservations the public has 
about sharing personal health information electronically. 

Key privacy principles for protecting personal information have been in 
existence for years and provide a foundation for privacy laws, 
practices, and policies. Those privacy principles are reflected in the 
provisions of the Health Insurance Portability and Accountability Act 
of 1996 (HIPAA), which define the circumstances under which an 
individual's health information may be used or disclosed. In addition, 
HIPAA's security provisions require entities that hold or transmit 
personal health information to maintain reasonable safeguards to 
protect it against unauthorized use or disclosure and ensure its 
integrity and confidentiality. In April 2004, President Bush issued an 
executive order that called for the development and implementation of a 
strategic plan to guide the nationwide implementation of interoperable 
health IT in both the public and private sectors.[Footnote 3] The plan 
is to address privacy and security issues related to interoperable 
health IT and recommend methods to ensure appropriate authorization, 
authentication, and encryption of data for transmission over the 
Internet. The order established the position of the National 
Coordinator for Health Information Technology within the Department of 
Health and Human Services (HHS) as the government official responsible 
for developing and implementing a strategic plan for health IT. 

You asked us to describe HHS's efforts to help ensure the privacy of 
health information. Specifically, our objectives were to: 

* describe the steps HHS is taking to ensure privacy protection as part 
of the national health IT strategy and: 

* identify challenges associated with meeting requirements for 
protecting personal health information within a nationwide health 
information network. 

To address our first objective, we focused our analytical work on HHS 
because it is responsible for development and implementation of a 
national health information technology strategy that is to include the 
protection of personal health information. We evaluated information 
from and held discussions with officials from HHS components and 
advisory committees that play major roles in supporting HHS's efforts 
to ensure the protection of electronic health information exchanged 
within a nationwide health information network. 

To address the second objective, we reviewed and analyzed information 
obtained from documentation provided by and discussions held with 
officials from federal agencies that provide health care services--the 
Centers for Medicare and Medicaid Services, the Departments of Defense 
and Veterans Affairs, and the Indian Health Service--and 
representatives from selected state-level health information exchange 
organizations. We selected organizations that are currently exchanging 
electronic health information to obtain examples of challenges they 
face in protecting health information as they implement electronic 
health information exchange systems. We analyzed the information they 
provided to identify key challenges faced throughout the health care 
industry as the implementation of electronic health information 
exchange expands. Further details about our objectives, scope, and 
methodology are provided in appendix I. We performed our work from 
December 2005 through November 2006 in accordance with generally 
accepted government auditing standards. 

Results in Brief: 

HHS and its Office of the National Coordinator for Health IT have 
initiated actions to study the protection of personal health 
information through the work of several contracts, the National 
Committee on Vital and Health Statistics,[Footnote 4] and the American 
Health Information Community.[Footnote 5] For example: 

* In late 2005, HHS awarded several health IT contracts that include 
requirements for addressing the privacy of personal health information 
exchanged within an electronic nationwide health information network. 

* In summer 2006, HHS's contractor for privacy and security solutions 
selected 33 states and Puerto Rico as locations in which to perform 
assessments of organization-level privacy- and security-related 
policies, practices, laws, and regulations that affect interoperable 
health information exchange and to propose privacy and security 
protections that permit interoperability. 

* In June 2006, the National Committee on Vital and Health Statistics 
provided a report to the Secretary of HHS that made recommendations on 
protecting the privacy of personal health information within a 
nationwide health information network. 

* In August 2006, the American Health Information Community also 
convened a work group to address privacy and security policy issues for 
nationwide health information exchange. 

HHS and its Office of the National Coordinator for Health IT intend to 
use the results of these activities to identify technology and policy 
solutions for protecting personal health information as part of their 
continuing efforts to complete a national strategy to guide the 
nationwide implementation of health IT. While these activities are 
intended to address aspects of key principles for protecting health 
information, HHS is in the early stages of its efforts and has 
therefore not yet defined an overall approach for integrating its 
various privacy-related initiatives and addressing key privacy 
principles. In addition, milestones for integrating the results of 
these activities do not yet exist. Until HHS defines an integration 
approach and milestones for completing these steps, its overall 
approach for ensuring the privacy and protection of personal health 
information exchanged throughout a nationwide network will remain 
unclear. 

Key challenges associated with protecting personal health information 
are understanding and resolving legal and policy issues, such as those 
related to variations in states' privacy laws; ensuring that only the 
minimum amount of information necessary is disclosed to only those 
entities authorized to receive the information; ensuring individuals' 
rights to request access and amendments to their own health 
information; and implementing adequate security measures for protecting 
health information. 

We are recommending that the Secretary of HHS define and implement an 
overall approach for protecting health information as part of the 
strategic plan called for by the President. This approach should (1) 
identify milestones for integrating the outcomes of HHS's privacy- 
related initiatives, (2) ensure that key privacy principles are fully 
addressed, and (3) address key challenges associated with the 
nationwide exchange of health information. 

We received written comments on a draft of this report from HHS's 
Assistant Secretary for Legislation. The Assistant Secretary disagreed 
with our recommendation. Throughout the comments, the Assistant 
Secretary referred to the department's comprehensive and integrated 
approach for ensuring the privacy and security of health information 
within nationwide health information exchange. However, an overall 
approach for integrating the department's various privacy-related 
initiatives has not been fully defined and implemented. We acknowledge 
in our report that HHS has established a strategic objective to protect 
consumer privacy along with two specific strategies for meeting this 
objective. Our report also acknowledges the key efforts that HHS has 
initiated to address this objective, and HHS's comments describe these 
and additional state and federal efforts. HHS stated that the 
department has made significant progress in integrating these efforts. 
While progress has been made initiating these efforts, much work 
remains before they are completed and the outcomes of the various 
efforts are integrated. Thus, we recommended that HHS define and 
implement a comprehensive privacy approach that includes milestones for 
integration, identifies the entity responsible for integrating the 
outcomes of its privacy-related initiatives, addresses key privacy 
principles, and ensures that challenges are addressed in order to meet 
the department's objective to protect the privacy of health information 
exchanged within a nationwide health information network. 

HHS specifically disagreed with the need to identify milestones and 
stated that tightly scripted milestones would impede HHS's processes 
and preclude stakeholder dialogue on the direction of important policy 
matters. We disagree and believe that milestones are important for 
setting targets for implementation and informing stakeholders of HHS's 
plans and goals for protecting personal health information as part of 
its efforts to achieve nationwide implementation of health IT. 
Milestones are especially important considering the need for HHS to 
integrate and coordinate the many deliverables of its numerous ongoing 
and remaining activities. We agree that it is important for HHS to 
continue to actively involve both public and private sector health care 
stakeholders in its processes. HHS did not comment on the need to 
identify an entity responsible for the integration of the department's 
privacy-related initiatives, nor did it provide information regarding 
any effort to assign responsibility for this important activity. HHS 
neither agreed nor disagreed that its approach should address privacy 
principles and challenges, but stated that the department plans to 
continue to work toward addressing privacy principles in HIPAA and that 
our report appropriately highlights efforts to address challenges 
encountered during electronic health information exchange. 

In his written comments, the Secretary of Veterans Affairs (VA) 
concurred with our findings, conclusions, and recommendations to the 
Secretary of HHS and commended our efforts to highlight methods for 
ensuring the privacy of electronic health information. Both agencies 
provided technical comments, which we have incorporated into the report 
as appropriate. 

Written comments from HHS and VA are reproduced in appendixes VI and 
VII. The Department of Defense (DOD) chose not to comment on a draft of 
this report. 

Background: 

Studies published by the Institute of Medicine and other organizations 
have indicated that fragmented, disorganized, and inaccessible clinical 
information adversely affects the quality of health care and 
compromises patient safety. In addition, long-standing problems with 
medical errors and inefficiencies increase costs for health care 
delivery in the United States. With health care spending in 2004 
reaching almost $1.9 trillion, or 16 percent of the gross domestic 
product, concerns about the costs of health care continue. As we 
reported last year, many policy makers, industry experts, and medical 
practitioners contend that the U.S. health care system is in a 
crisis.[Footnote 6] 

Health IT provides a promising solution to help improve patient safety 
and reduce inefficiencies. The expanded use of health IT has great 
potential to improve the quality of care, bolster the preparedness of 
our public health infrastructure, and save money on administrative 
costs. As we reported in 2003, technologies such as electronic health 
records and bar coding of certain human drug and biological product 
labels have been shown to save money and reduce medical 
errors.[Footnote 7] Health care organizations reported that IT 
contributed other benefits, such as shorter hospital stays, faster 
communication of test results, improved management of chronic diseases, 
and improved accuracy in capturing charges associated with diagnostic 
and procedure codes. Over the past several years, a growing number of 
communities have established health information exchange organizations 
that allow multiple health care providers, such as physicians, clinical 
laboratories, and emergency rooms to share patients' electronic health 
information. Most of these organizations are in either the planning or 
early implementation phases of establishing electronic health 
information exchange. 

Federal Government's Role in Health Care: 

According to the Institute of Medicine, the federal government has a 
central role in shaping nearly all aspects of the health care industry 
as a regulator, purchaser, health care provider, and sponsor of 
research, education, and training. Seven major federal health care 
programs, such as the Centers for Medicare and Medicaid Services (CMS), 
DOD's TRICARE, VA's Veterans Health Administration, and HHS's Indian 
Health Service, provide or fund health care services to approximately 
115 million Americans. According to HHS, federal agencies fund more 
than a third of the nation's total health care costs. Given the level 
of the federal government's participation in providing health care, it 
has been urged to take a leadership role in driving change to improve 
the quality and effectiveness of medical care in the United States, 
including expanded adoption of IT. The programs and number of citizens 
who receive health care services from the federal government and the 
cost of these services are summarized in appendix II. 

In April 2004, President Bush called for the widespread adoption of 
interoperable electronic health records within 10 years and issued an 
executive order that established the position of the National 
Coordinator for Health Information Technology within HHS as the 
government official responsible for the development and execution of a 
strategic plan to guide the nationwide implementation of interoperable 
health IT in both the public and private sectors.[Footnote 8] In July 
2004, HHS released The Decade of Health Information Technology: 
Delivering Consumer-centric and Information-rich Health Care-- 
Framework for Strategic Action.[Footnote 9] This framework described 
goals for achieving nationwide interoperability of health IT and 
actions to be taken by both the public and private sectors in 
implementing a strategy. HHS's Office of the National Coordinator for 
Health IT updated the framework's goals in June 2006 and included an 
objective for protecting consumer privacy. It identified two specific 
strategies for meeting this objective--(1) support the development and 
implementation of appropriate privacy and security policies, practices, 
and standards for electronic health information exchange and (2) 
develop and support policies to protect against discrimination based on 
personal health information such as denial of medical insurance or 
employment. 

Need for a National Strategy and Adoption of Interoperable Health IT: 

In July 2004, we testified on the benefits that effective 
implementation of IT can bring to the health care industry and the need 
for HHS to provide continued leadership, clear direction, and 
mechanisms to monitor progress in order to bring about measurable 
improvements.[Footnote 10] Since then, we have reported or testified on 
several occasions on HHS's efforts to define its national strategy for 
health IT. We recommended that HHS develop the detailed plans and 
milestones needed to ensure that its goals are met, and HHS agreed with 
our recommendation.[Footnote 11] 

In our report and testimonies, we have described a number of actions 
that HHS, through the Office of the National Coordinator for Health IT, 
has taken toward accelerating the use of IT to transform the health 
care industry,[Footnote 12] including the development of the framework 
for strategic action. We described the formation of a public-private 
advisory body--the American Health Information Community--to advise HHS 
on achieving interoperability for health information exchange and four 
breakthrough areas[Footnote 13] the community identified--consumer 
empowerment, chronic care, biosurveillance, and electronic health 
records. Additionally, we reported that, in late 2005, HHS's Office of 
the National Coordinator for Health IT awarded $42 million in contracts 
to address a range of issues important for developing a robust health 
IT infrastructure. In October 2006, HHS's Office of the National 
Coordinator for Health IT awarded an additional contract to form a 
state-level electronic health alliance and address challenges to health 
information exchange, including privacy and security issues. HHS 
intends to use the results of the contracts and recommendations from 
the National Committee on Vital and Health Statistics and the American 
Health Information Community proceedings to define the future direction 
of a national strategy. The contracts are described in appendix III. 

We have also described the Office of the National Coordinator's 
continuing efforts to work with other federal agencies to revise and 
refine the goals and strategies identified in its initial framework. 
The current draft framework--The Office of the National Coordinator: 
Goals, Objectives, and Strategies--identifies objectives for 
accomplishing each of four goals, along with 32 high-level strategies 
for meeting the objectives. It includes a specific objective for 
safeguarding consumer privacy and protecting against risks along with 
two strategies for meeting this objective: (1) support the development 
and implementation of appropriate privacy and security policies, 
practices, and standards for electronic health information exchange and 
(2) develop and support policies to protect against discrimination 
based on personal health information, such as denial of medical 
insurance or employment. According to officials with the Office of the 
National Coordinator, the framework will continue to evolve as the 
office works with other federal agencies to further refine its goals, 
objectives, and strategies, which are described in appendix IV. While 
HHS continues to refine the goals and strategies of its framework for a 
national health IT strategy, it has not yet defined the detailed plans 
and milestones needed to ensure that its goals are met, as we 
previously recommended. 

Legal Privacy Protections for Personal Health Information: 

As the use of electronic health information exchange increases, so does 
the need to protect personal health information from inappropriate 
disclosure. The capacity of health information exchange organizations 
to store and manage a large amount of electronic health information 
increases the risk that a breach in security could expose the personal 
health information of numerous individuals. According to results of a 
study conducted for AARP[Footnote 14] in February 2006, Americans are 
concerned about the risks introduced by the use of electronic health 
information systems but also support the creation of a nationwide 
health information network. A 2005 Harris survey showed that 70 percent 
of Americans are concerned that an electronic medical record system 
could lead to sensitive medical information being exposed because of 
weak security, and 69 percent are concerned that such a system would 
lead to more personal health information being shared without patients' 
knowledge.[Footnote 15] While information technology can provide the 
means to protect the privacy of electronically stored and exchanged 
health information, the increased risk of inappropriate access and 
disclosure raises the level of importance for adequate privacy 
protections and security mechanisms to be implemented in health 
information exchange systems. 

Early Federal Laws Enacted to Protect the Privacy of Health 
Information: 

A number of federal statutes were enacted between 1970 and the early 
1990s to protect individual privacy. For the most part, the inclusion 
of medical records in these laws was incidental to a more general 
purpose of protecting individual privacy in certain specified contexts. 
For example, the Privacy Act of 1974 was enacted to regulate the 
collection, maintenance, use, and dissemination of personal information 
by federal government agencies. It prohibits disclosure of records held 
by a federal agency or its contractors in a system of records[Footnote 
16] without the consent or request of the individual to whom the 
information pertains unless the disclosure is permitted by the Privacy 
Act or its regulations. The Privacy Act specifically includes medical 
history in its definition of a record. Likewise, the Social Security 
Act requires the Secretary of HHS to protect beneficiaries' records and 
information transmitted to or obtained by or from HHS or the Social 
Security Administration. Descriptions of these and other federal laws 
that protect health information are provided in appendix V. 

Health Insurance Portability and Accountability Act of 1996: 

Federal health care reform initiatives of the early- to mid-1990s were, 
in part, inspired by public concern about the privacy of personal 
medical information as the use of health IT increased. Congress, 
recognizing that benefits and efficiencies could be gained by the use 
of information technology in health care, also recognized the need for 
comprehensive federal medical privacy protections and consequently 
passed the Health Insurance Portability and Accountability Act of 1996. 
This law provided for the Secretary of HHS to establish the first 
broadly applicable federal privacy and security protections designed to 
protect individual health care information. HIPAA provides for the 
protection of certain health information held by covered entities, 
defined under regulations implementing HIPAA as health plans that 
provide or pay for the medical care of individuals, health care 
providers that electronically transmit health information in connection 
with any of the specific transactions regulated by the statute, and 
health care clearinghouses that receive health information from other 
entities and process or facilitate the processing of that information 
into standard or nonstandard format for those entities.[Footnote 17] 

HIPAA requires the Secretary of HHS to promulgate regulatory standards 
to protect the privacy of certain personal health information.[Footnote 
18] "Health information" is defined by the statute as any information 
in any medium that is created or received by a health care provider, 
health plan, public health authority, employer, life insurer, school or 
university, or health care clearinghouse and relates to the past, 
present, or future physical or mental health condition of an 
individual, provision of health care of an individual, or payment for 
the provision of health care of an individual. HIPAA also requires the 
Secretary of HHS to adopt security standards for covered entities that 
maintain or transmit health information to maintain reasonable and 
appropriate safeguards. The law requires that covered entities take 
certain measures to ensure the confidentiality and integrity of the 
information and to protect it against reasonably anticipated 
unauthorized use or disclosure and threats or hazards to its security. 

HIPAA provides authority to the Secretary to enforce these standards. 
The Secretary has delegated administration and enforcement of privacy 
standards to the department's Office for Civil Rights and enforcement 
of the security standards to the department's Centers for Medicare and 
Medicaid Services. 

Finally, most, if not all, states have statutes that in varying degrees 
protect the privacy of personal health information. HIPAA recognizes 
this and specifically provides that regulations implementing HIPAA do 
not preempt contrary provisions of state law if the state laws impose 
more stringent requirements, standards, or specifications than the 
federal privacy rule. In this way, HIPAA and its implementing rules 
establish a baseline of mandatory minimum privacy protections and 
define basic principles for protecting personal health information. 

The Secretary of HHS first issued HIPAA's Privacy Rule in December 
2000, following public notice and comment, but later modified the rule 
in August 2002. The Privacy Rule governs the use and disclosure of 
protected health information, which is generally defined as 
individually identifiable health information that is held or 
transmitted in any form or medium by a covered entity. The Privacy Rule 
regulates covered entities' use and disclosure of protected health 
information. In general, a covered entity may not use or disclose an 
individual's protected health information without the individual's 
authorization. However, uses and disclosures without an individual's 
authorization are permitted in specified situations, such as for 
treatment, payment, and health care operations and public health 
purposes. In addition, the Privacy Rule requires that a covered entity 
make reasonable efforts to use, disclose, or request only the minimum 
necessary protected health information to accomplish the intended 
purpose, with certain exceptions such as for disclosures for treatment 
and uses and disclosures required by law. 

Most covered entities must provide notice of their privacy practices. 
Such notice is required to contain specific elements that are set out 
in the regulations. Those elements include (1) a description of the 
uses and disclosures of protected health information the covered entity 
may make; (2) a statement of the covered entity's duty with regard to 
the information, including protecting the individual's privacy; (3) the 
individual's rights with respect to the information, including, for 
example, the right to complain to HHS if he or she believes the 
information has been handled in violation of the law; and (4) a contact 
from whom individuals may obtain further information about the covered 
entity's privacy policies. 

A covered entity is also required to account for certain disclosures of 
an individual's protected health information and to provide such an 
accounting to those individuals on request. In general, a covered 
entity must account for disclosures of protected health information 
made for purposes other than for treatment, payment, and health care 
operations, such as for public health or law enforcement purposes. 
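To make the use-and-disclosure rules above concrete, here is an added example that is not part of the GAO report and is not HHS or HIPAA code. It is a small disclosure gate and ledger written for illustration: it refuses disclosures outside the permitted purposes unless the individual has authorized them, trims the released fields to a constructed "minimum necessary" set for each purpose (treatment is exempt and receives the full record), and records every disclosure so that the non-treatment, non-payment, non-operations disclosures can be reported back to the individual on request. The purpose names, the field sets in MIN_NECESSARY, and the sample patient record are all assumptions constructed for the example.

```python
"""Constructed illustration of three HIPAA Privacy Rule principles:
authorization, minimum necessary, and accounting of disclosures.
Not the rule's text and not HHS code; purposes and field sets are assumed."""
from dataclasses import dataclass, field
from typing import Optional

# Purposes for which the Privacy Rule permits use or disclosure without
# the individual's authorization (treatment, payment, health care operations).
TPO = frozenset({"treatment", "payment", "health_care_operations"})
# Other purposes the rule permits without authorization (public health,
# disclosures required by law). Constructed subset for the example.
OTHER_PERMITTED = frozenset({"public_health", "required_by_law"})

# Constructed "minimum necessary" field sets per purpose. Treatment is exempt
# from the minimum necessary standard, so it is handled separately below.
MIN_NECESSARY = {
    "payment": frozenset({"patient_id", "name", "dob", "procedure_codes", "insurer_id"}),
    "health_care_operations": frozenset({"patient_id", "procedure_codes"}),
    "public_health": frozenset({"patient_id", "diagnosis", "zip"}),
    "required_by_law": frozenset({"patient_id", "name", "dob", "diagnosis"}),
    "marketing": frozenset({"name", "zip"}),  # needs the individual's authorization
}

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "patient_id": "P-001",
    "name": "Constructed Patient",
    "dob": "1970-01-01",
    "diagnosis": "J45.909",
    "procedure_codes": ["99213"],
    "insurer_id": "INS-42",
    "zip": "20548",
}


@dataclass
class DisclosureEvent:
    patient_id: str
    recipient: str
    purpose: str
    fields: tuple
    accountable: bool  # True when this disclosure belongs in the individual's accounting


@dataclass
class DisclosureLedger:
    events: list = field(default_factory=list)

    def disclose(self, record: dict, recipient: str, purpose: str,
                 authorized: bool = False) -> Optional[dict]:
        """Apply the gate and return the released fields, or None if refused.

        A purpose outside TPO and OTHER_PERMITTED is refused unless the
        individual has authorized it. Everything released is logged.
        """
        permitted = purpose in TPO or purpose in OTHER_PERMITTED or authorized
        if not permitted:
            return None  # refused: nothing released, nothing logged
        if purpose == "treatment":
            released = dict(record)  # treatment is exempt from minimum necessary
        else:
            allowed = MIN_NECESSARY.get(purpose, frozenset())  # unknown purpose: no fields
            released = {k: v for k, v in record.items() if k in allowed}
        self.events.append(DisclosureEvent(
            patient_id=record["patient_id"],
            recipient=recipient,
            purpose=purpose,
            fields=tuple(sorted(released)),
            accountable=purpose not in TPO,
        ))
        return released

    def accounting_for(self, patient_id: str) -> list:
        """Disclosures the individual may obtain on request: those outside TPO."""
        return [e for e in self.events if e.patient_id == patient_id and e.accountable]


if __name__ == "__main__":
    ledger = DisclosureLedger()
    ledger.disclose(SAMPLE_RECORD, "treating clinician", "treatment")
    ledger.disclose(SAMPLE_RECORD, "insurer", "payment")
    ledger.disclose(SAMPLE_RECORD, "health department", "public_health")
    for event in ledger.accounting_for("P-001"):
        print(event.purpose, event.recipient, event.fields)
```

The ledger deliberately records only the field names that were released, not their values, so the accounting itself does not become a second copy of the protected health information.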

HIPAA's Privacy Rule reflects basic privacy principles for ensuring the 
protection of personal health information. Table 1 summarizes these 
principles. 

Table 1: Key Privacy Principles in HIPAA's Privacy Rule: 

HIPAA Privacy Rule principle: Uses and disclosures; 
Provides limits to the circumstances in which an individual's protected 
health information may be used or disclosed by covered entities and 
provides for accounting of certain disclosures; requires covered 
entities to make reasonable efforts to disclose or use only the minimum 
necessary information to accomplish the intended purpose for the uses, 
disclosures, or requests, with certain exceptions such as for treatment 
or as required by law. 

HIPAA Privacy Rule principle: Notice; 
Requires most covered entities to provide a notice of their privacy 
practices including how personal health information may be used and 
disclosed. 

HIPAA Privacy Rule principle: Access; 
Establishes individuals' right to review and obtain a copy of their 
protected health information held in a designated record set.[A] 

HIPAA Privacy Rule principle: Security[B]; 
Requires covered entities to safeguard protected health information 
from inappropriate use or disclosure. 

HIPAA Privacy Rule principle: Amendments; 
Gives individuals the right to request from covered entities changes to 
inaccurate or incomplete protected health information held in a 
designated record set.[A] 

HIPAA Privacy Rule principle: Administrative requirements; 
Requires covered entities to analyze their own needs and implement 
solutions appropriate for their own environment based on a basic set of 
requirements for which they are accountable. 

HIPAA Privacy Rule principle: Authorization; 
Requires covered entities to obtain the individual's written 
authorization or consent for uses and disclosures of personal health 
information with certain exceptions, such as for treatment, payment, 
and health care operations, or as required by law. Covered entities may 
choose to obtain the individual's consent to use or disclose protected 
health information to carry out treatment, payment, or health care 
operations but are not required to do so. 

Source: GAO analysis of HIPAA Privacy Rule. 

[A] According to the HIPAA Privacy Rule, a designated record set is a 
group of records maintained by or for a covered entity that are (1) the 
medical records and billing records about individuals maintained by or 
for a covered health care provider; (2) the enrollment, payment, claims 
adjudication, and case or medical management record systems maintained 
by or for a health plan; or (3) used, in whole or in part, by or for 
the covered entity to make decisions about individuals. 

[B] The HIPAA Security Rule further defines safeguards that covered 
entities must implement to provide assurance that health information is 
protected from inappropriate uses and disclosure. 

[End of table] 

Subsequent to the issuance of the Privacy Rule, the Secretary issued 
the HIPAA Security Rule in February 2003 to safeguard electronic 
protected health information and help ensure that covered entities have 
proper security controls in place to provide assurance that the 
information is protected from unwarranted or unintentional disclosure. 
The Security Rule includes administrative, physical, and technical 
safeguards and specific implementation instructions, some of which are 
required and, therefore, must be implemented by covered entities. Other 
implementation specifications are "addressable" and under certain 
conditions permit covered entities to use reasonable and appropriate 
alternative steps. Covered entities are required to develop policies 
and procedures for both required and addressable specifications. 

The privacy and security rules require covered entities to include 
provisions in contracts with business associates that mandate that 
business associates implement appropriate privacy and security 
protections. A business associate is any person or entity that performs 
on behalf of a covered entity any function or activity involving the 
use or disclosure of protected health information. The rules require 
covered entities to obtain through formal agreement satisfactory 
assurances that their business associates will appropriately safeguard 
protected health information. The Security Rule also contains specific 
requirements for business associate contracts and requires that covered 
entities maintain compliance policies and procedures in written form. 
However, covered entities are generally not liable for privacy 
violations of their business associates, and the Secretary of HHS does 
not have direct enforcement authority over business associates. 

HHS Has Initiated Actions to Identify Solutions for Protecting Personal 
Health Information but Has Not Defined an Overall Approach for 
Addressing Privacy: 

HHS and its Office of the National Coordinator for Health IT have 
initiated actions to identify solutions for protecting health 
information. Specifically, HHS awarded several health IT contracts that 
include requirements for developing solutions that comply with federal 
privacy and security requirements, consulted with the National 
Committee on Vital and Health Statistics (NCVHS) to develop 
recommendations regarding privacy and confidentiality in the Nationwide 
Health Information Network, and formed the American Health Information 
Community (AHIC) Confidentiality, Privacy, and Security Workgroup to 
frame privacy and security policy issues and identify viable options or 
processes to address these issues. The Office of the National 
Coordinator for Health IT intends to use the results of these 
activities to identify technology and policy solutions for protecting 
personal health information as part of its continuing efforts to 
complete a national strategy to guide the nationwide implementation of 
health IT. However, HHS is in the early stages of identifying solutions 
for protecting personal health information and has not yet defined an 
overall approach for integrating its various privacy-related 
initiatives and for addressing key privacy principles. 

HHS's Contracts Are to Address Privacy and Security Policy and 
Standards for Nationwide Health Information Exchange: 

HHS awarded four major health IT contracts in 2005 intended to advance 
the nationwide exchange of health information--Privacy and Security 
Solutions for Interoperable Health Information Exchange, Standards 
Harmonization Process for Health IT, Nationwide Health Information 
Network Prototypes, and Compliance Certification Process for Health IT. 
These contracts include requirements for developing solutions that 
comply with federal privacy requirements and identify techniques and 
standards for securing health information. 

HHS's contract for privacy and security solutions is intended to 
provide a nationwide synthesis of information to inform privacy and 
security policymaking at federal, state, and local levels. In summer 
2006, the privacy and security solutions contractor selected 33 states 
and Puerto Rico as locations in which to perform assessments of 
organization-level privacy- and security-related policies and practices 
that affect interoperable electronic health information exchange and 
their bases, including laws and regulations. The contractor is 
supporting states and territories as they (1) assess variations in 
organization-level business policies and state laws that affect health 
information exchange, (2) identify and propose solutions while 
preserving the privacy and security requirements of applicable federal 
and state laws, and (3) develop detailed plans to implement solutions. 
The contractor is to develop a nationwide report that synthesizes and 
summarizes the variations identified, the proposed solutions, and the 
steps that states and territories are taking to implement their 
solutions. It is also to deliver an interim report to address policies 
and practices followed in nine domains of interest: (1) user and entity 
authentication, (2) authorization and access controls, (3) patient and 
provider identification to match identities, (4) information 
transmission security or exchange protocols (encryption, etc.), (5) 
information protections to prevent improper modification of records, 
(6) information audits that record and monitor the activity of health 
information systems, (7) administrative or physical security safeguards 
required to implement a comprehensive security platform for health IT, 
(8) state law restrictions about information types and classes and the 
solutions by which electronic personal health information can be viewed 
and exchanged, and (9) information use and disclosure policies that 
arise as health care entities share clinical health information 
electronically. These domains of interest address privacy principles 
for use and disclosure and security. 

The standards harmonization contract is intended to identify, among 
other things, security mechanisms that affect consumers' ability to 
establish and manage permissions and access rights, along with consent 
for authorized and secure exchange, viewing, and querying of their 
medical information between designated caregivers and other health 
professionals. In May 2006, the contractor for HHS's standards 
harmonization contract selected initial standards that are intended to 
provide security mechanisms. The initial security standards were made 
available for stakeholder and public comment in August and September, 
and the contractor's panel voted on final standards that were presented 
to AHIC in October 2006. AHIC accepted the panel's report and forwarded 
it to the Secretary for approval. 

HHS's Nationwide Health Information Network contract requires four 
selected contractors to develop proposals for a nationwide health 
information architecture and prototypes of a nationwide health 
information network. The prototypes are to address privacy and security 
solutions, such as user authentication and access control, for 
interoperable health information exchange. In June 2006, HHS held its 
first nationwide health information network forum, at which more than 
1,000 functional requirements were proposed, including nearly 180 
security requirements for ensuring the privacy and confidentiality of 
health information exchanged within a nationwide network. The proposed 
functional requirements were analyzed and refined by NCVHS, and on 
October 30, 2006, the committee approved a draft of minimum functional 
requirements for the Nationwide Health Information Network, and sent it 
to HHS for approval. In January 2007, the four contractors are to 
deliver and demonstrate functional prototypes that are deployed within 
and across three or more health care markets and operated with live 
health care data using the same technology for information exchange in 
all three markets. 

HHS's Compliance Certification Process for Health IT contract is 
intended to identify certification criteria for electronic health 
records, including security criteria. In May 2006, the Certification 
Commission for Health IT, which was awarded the contract, finalized 
initial certification criteria for ambulatory electronic health 
records[Footnote 19] including 32 security criteria that address 
components of the security principle, such as controls for limiting 
access to personal health information, methods for authenticating users 
before granting access to information, and requirements for auditing 
access to patients' health records. To date, 35 electronic health 
records products have been certified based on these criteria. The 
commission is currently defining its next phase of certification 
criteria for inpatient electronic health records. 

The National Committee on Vital and Health Statistics Made 
Recommendations for Addressing Privacy and Security within a Nationwide 
Health Information Network: 

In June 2006, NCVHS, a key national health information advisory 
committee, presented to the Secretary of HHS a report recommending 
actions regarding privacy and confidentiality in the Nationwide Health 
Information Network. The recommendations cover topics that are, 
according to the committee, central to challenges for protecting health 
information privacy in a national health information exchange 
environment. The recommendations address aspects of key privacy 
principles including (1) the role of individuals in making decisions 
about the use of their personal health information, (2) policies for 
controlling disclosures across a nationwide health information network, 
(3) regulatory issues such as jurisdiction and enforcement, (4) use of 
information by non-health care entities, and (5) establishing and 
maintaining the public trust that is needed to ensure the success of a 
nationwide health information network. The recommendations are being 
evaluated by the AHIC work groups, the Certification Commission for 
Health IT, Health Information Technology Standards Panel, and other HHS 
partners. 

In October 2006, the committee recommended to the Secretary of HHS that 
HIPAA privacy rules be extended to include other forms of health 
information not managed by covered entities. It also called on HHS to 
create policies and procedures to accurately match patients with their 
health records and to require functionality that allows patient or 
physician privacy preferences to follow records regardless of location. 
The committee intends to continue to update and refine its 
recommendations as the architecture and requirements of the network 
advance. 

The American Health Information Community's Confidentiality, Privacy, 
and Security Workgroup Is to Develop Recommendations to Establish a 
Privacy Policy Framework: 

AHIC, a committee that provides input and recommendations to HHS on 
nationwide health IT, formed the Confidentiality, Privacy, and Security 
Workgroup in July 2006 to frame the privacy and security policy issues 
relevant to all breakthrough areas and to solicit broad public input to 
identify viable options or processes to address these issues.[Footnote 
20] The recommendations to be developed by this work group are intended 
to establish an initial policy framework and address issues including 
methods of patient identification, methods of authentication, 
mechanisms to ensure data integrity, methods for controlling access to 
personal health information, policies for breaches of personal health 
information confidentiality, guidelines and processes to determine 
appropriate secondary uses of data, and a scope of work for a long-term 
independent advisory body on privacy and security policies. 

The work group has defined two initial work areas--identity 
proofing[Footnote 21] and user authentication[Footnote 22]--as initial 
steps necessary to protect confidentiality and security. These two work 
areas address the security privacy principle. According to the cochairs 
of the work group, the members are developing work plans for completing 
tasks, including the definition of privacy and security policies for 
all of AHIC's breakthrough areas. The work group intends to address 
other key principles, including, but not limited to, maintaining data 
integrity and control of access. It plans to address policies for 
breaches of confidentiality and guidelines and processes for 
determining appropriate secondary uses of health information, an aspect 
of the use and disclosure privacy principle. 

HHS's Collective Initiatives Are Intended to Address Aspects of Key 
Privacy Principles, but an Overall Approach for Addressing Privacy Has 
Not Been Defined: 

HHS has taken steps intended to address aspects of key privacy 
principles through its contracts and with advice and recommendations 
from its two key health IT advisory committees. Table 2 describes HHS's 
current privacy-related initiatives and the key HIPAA privacy 
principles that they are intended to address. 

Table 2: Key HIPAA Privacy Principles and HHS's Initiatives Intended to 
Address Aspects of the Principles: 

Principle: Uses and disclosures: provides limits to the circumstances 
in which an individual's protected health information may be used or 
disclosed by covered entities and provides for accounting of certain 
disclosures; requires covered entities to make reasonable efforts to 
disclose or use only the minimum necessary information to accomplish 
the intended purpose for the uses, disclosures, or requests, with 
certain exceptions such as for treatment or as required by law; 
HHS's initiative: 
* HHS's privacy and security solutions contractor is to provide a 
nationwide summary of statewide assessments of organization-level 
privacy- and security-related policies and practices that affect 
interoperable electronic health information exchange, along with 
proposed solutions and implementation plans. It is also to provide 
examples of potential areas for additional guidance under HIPAA; 
* Initial work of the AHIC privacy subgroup is to include work on 
guidelines and processes to determine appropriate secondary uses of 
data; 
* NCVHS recommended that individuals be given the right to decide 
whether they want to have personally identifiable electronic health 
records accessible via the Nationwide Health Information Network 
(NHIN), that disclosures be made based on role-based and contextual 
access criteria, and that HHS support efforts to convene a diversity of 
interested parties to design, define, and develop role-based and 
contextual access criteria appropriate for the network. 

Principle: Notice: requires most covered entities to provide a notice 
of their privacy practices including how personal health information 
may be used and disclosed; 
HHS's initiative: 
* HHS's privacy and security solutions contractor is to provide a 
nationwide summary of statewide assessments of organization-level 
privacy- and security-related policies and practices that affect 
interoperable electronic health information exchange, along with 
proposed solutions and implementation plans. It is also to provide 
examples of potential areas for additional guidance under HIPAA; 
* NCVHS recommended that HHS require that individuals be provided with 
information and education to ensure that they realize the implications 
of their decisions as to whether to participate in the NHIN. 

Principle: Access: establishes individuals' rights to review and obtain 
a copy of their protected health information held in a designated 
record set; 
HHS's initiative: 
* HHS's privacy and security solutions contractor is to provide a 
nationwide summary of statewide assessments of organization-level 
privacy- and security-related policies and practices that affect 
interoperable electronic health information exchange, along with 
proposed solutions and implementation plans. It is also to provide 
examples of potential areas for additional guidance under HIPAA. 

Principle: Security: requires covered entities to safeguard protected 
health information from inappropriate use or disclosure; 
HHS's initiative: 
* HHS's NHIN contractors proposed functional requirements including 
nearly 180 security requirements for the NHIN prototypes; 
* HHS's standards harmonization contractor selected 30 information 
exchange standards, including 13 related to consumer empowerment; 
* The electronic health record certification contractor defined 32 
security criteria for certifying ambulatory electronic health record 
products; 
* HHS's privacy and security solutions contractor is to provide a 
nationwide summary of statewide assessments of organization-level 
privacy- and security-related policies and practices that affect 
interoperable electronic health information exchange, along with 
proposed solutions and implementation plans. It is also to provide 
examples of potential areas for additional guidance under HIPAA. It is 
also to address nine domains of information security; 
* NCVHS recommended that HHS support the research and technology needed 
to develop contextual access criteria appropriate for application to 
electronic health records and inclusion in the architecture of the 
NHIN; 
* The AHIC Confidentiality, Privacy, and Security Workgroup defined two 
initial work areas--identity proofing and user authentication--as the 
initial steps necessary to protect confidentiality and security. 

Principle: Amendments: gives individuals the right to request from 
covered entities changes to inaccurate or incomplete protected health 
information held in a designated record set; 
HHS's initiative: 
* HHS's privacy and security solutions contractor is to provide a 
nationwide summary of statewide assessments of organization-level 
privacy- and security-related policies and practices that affect 
interoperable electronic health information exchange, along with 
proposed solutions and implementation plans. It is also to provide 
examples of potential areas for additional guidance under HIPAA. 

Principle: Administrative requirements: requires covered entities to 
analyze their own needs and implement solutions appropriate for their 
own environment based on a basic set of requirements for which they are 
accountable; 
HHS's initiative: 
* HHS's privacy and security solutions contractor is to provide a 
nationwide summary of statewide assessments of organization-level 
privacy- and security-related policies and practices that affect 
interoperable electronic health information exchange, along with 
proposed solutions and implementation plans. It is also to provide 
examples of potential areas for additional guidance under HIPAA; 
* Initial work of the AHIC privacy subgroup is to include work on 
policies for breaches of personal health information confidentiality; 
* NCVHS recommended that HHS develop a set of strong enforcement 
measures that produces high levels of compliance with the rules 
applicable to the NHIN on the part of custodians of personal health 
information, but does not impose an excessive level of complexity or 
cost; ensure policies requiring a high level of compliance are built 
into the NHIN architecture; ensure appropriate penalties be imposed for 
violations committed by any individual or entity; ensure that 
individuals whose privacy is breached are entitled to reasonable 
compensation; and, if necessary, amend the HIPAA Privacy Rule to 
increase the responsibility of covered entities to control the 
practices of business associates. 

Principle: Authorization: requires covered entities to obtain the 
individual's written authorization or consent for uses and disclosures 
of personal health information with certain exceptions, such as for 
treatment, payment, and health care operations, or as required by law. 
Covered entities may choose to obtain the individual's consent to use 
or disclose protected health information to carry out treatment, 
payment, or health care operations but are not required to do so; 
HHS's initiative: 
* HHS's privacy and security solutions contractor is to provide a 
nationwide summary of statewide assessments of organization-level 
privacy- and security-related policies and practices that affect 
interoperable electronic health information exchange, along with 
proposed solutions and implementation plans. It is also to provide 
examples of potential areas for additional guidance under HIPAA; 
* NCVHS recommended that individuals have the right to decide whether 
they want to have their personally identifiable electronic health 
records accessible via NHIN and that HHS should monitor the development 
of approaches for allowing individuals to opt in or opt out of 
participation; 
* Initial work of the AHIC privacy subgroup will also include work on 
guidelines and processes to determine appropriate secondary uses of 
data. 

Source: GAO analysis of HHS data. 

[End of table] 

HHS has taken steps to identify solutions for protecting personal 
health information through its various privacy-related initiatives. For 
example, during the past 2 years HHS has defined initial criteria and 
procedures for certifying electronic health records, resulting in the 
certification of 35 IT vendor products. However, the other contracts 
have not yet produced final results. For example, the privacy and 
security solutions contractor has not yet reported its assessment of 
state and organizational policy variations. Additionally, HHS has not 
accepted or agreed to implement the recommendations made in June 2006 
by the NCVHS, and the AHIC Confidentiality, Privacy, and Security 
Workgroup is in the very early stages of efforts that are intended to 
result in privacy policies for nationwide health information exchange. 

HHS is in the early phases of identifying solutions for safeguarding 
personal health information exchanged through a nationwide health 
information network and has therefore not yet defined an approach for 
integrating its various efforts or for fully addressing key privacy 
principles. For example, milestones for integrating the results of its 
various privacy-related initiatives and resolving differences and 
inconsistencies have not been defined, nor has it been determined which 
entity participating in HHS's privacy-related activities is responsible 
for integrating these various initiatives and the extent to which their 
results will address key privacy principles. Until HHS defines an 
integration approach and milestones for completing these steps, its 
overall approach for ensuring the privacy and protection of personal 
health information exchanged throughout a nationwide network will 
remain unclear. 

The Health Care Industry Faces Challenges in Protecting Electronic 
Health Information: 

The increased use of information technology to exchange electronic 
health information introduces challenges to protecting individuals' 
personal health information. Key challenges are understanding and 
resolving legal and policy issues, particularly those resulting from 
varying state laws and policies; ensuring appropriate disclosures of 
the minimum amount of health information needed; ensuring individuals' 
rights to request access to and amendments of health information to 
ensure it is correct; and implementing adequate security measures for 
protecting health information. Table 3 summarizes these challenges. 

Table 3: Challenges to Exchanging Electronic Health Information: 

Area: Understanding and resolving legal and policy issues; 
* Resolving uncertainties regarding the varying extent of federal 
privacy protection required of different organizations; 
* Understanding and resolving data-sharing issues introduced by varying 
state privacy laws and organization-level practices; 
* Reaching agreement on organizations' differing interpretations and 
applications of HIPAA privacy and security rules; 
* Determining liability and enforcing sanctions in cases of breach of 
confidentiality. 

Area: Ensuring appropriate disclosure; 
* Determining the minimum data necessary that can be disclosed in order 
for requesters to accomplish their intended purposes; 
* Obtaining individuals' authorization and consent for use and 
disclosure of personal health information; 
* Determining the best way to allow individuals to participate in and 
consent to electronic health information exchange; 
* Educating consumers so that they understand the extent to which their 
consent to use and disclose health information applies. 

Area: Ensuring individuals' rights to request access and amendments to 
health information to ensure it is correct; 
* Ensuring that individuals understand that they have rights to request 
access and amendments to their own health information to ensure that it 
is correct; 
* Ensuring that individuals' amendments are properly made and tracked 
across multiple locations. 

Area: Implementing adequate security measures for protecting health 
information; 
* Determining and implementing adequate techniques for authenticating 
requesters of health information; 
* Implementing proper access controls and maintaining adequate audit 
trails for monitoring access to health data; 
* Protecting data stored on portable devices and transmitted between 
business partners. 

Source: GAO analysis of information provided by state-level health 
information exchange organizations, federal health care providers, and 
health IT professional associations. 

[End of table] 

Understanding and Resolving Varying Legal and Policy Issues: 

Health information exchange organizations bring together multiple and 
diverse health care providers, including physicians, pharmacies, 
hospitals, and clinics that may be subject to varying legal and policy 
requirements for protecting health information. As health information 
exchange expands across state lines, organizations are challenged with 
understanding and resolving data-sharing issues introduced by varying 
state privacy laws. Differing interpretations and applications of the 
privacy protection requirements of HIPAA and other privacy laws further 
complicate the ability of health information organizations to exchange 
data and to determine liability and enforce sanctions in cases of 
breach of confidentiality. 

Differing legal requirements for protecting health information 
introduce challenges to the ability to share health information among 
multiple stakeholders that may not be covered to the same extent by 
HIPAA's privacy and security rules. Providers that are members of 
health information organizations are typically covered by the privacy 
and security requirements of HIPAA, but the information exchange 
organizations that provide the technology and infrastructure to conduct 
information exchange generally are not covered entities. Rather, they 
are usually thought of as business associates that are contractually 
bound through agreements with covered entities to provide protections 
to the health information that they manage but are not directly covered 
by the HIPAA privacy and security rules. An official with one health 
information exchange organization stated that he found it hard to 
determine if his organization was a covered entity or a business 
associate. In some cases, according to an official with a health 
information privacy professional association, health information 
exchange organizations may not even be business associates as defined 
by HIPAA. The differences between or uncertainty regarding the extent 
of federal privacy protection required of various organizations may 
affect providers' willingness to exchange patients' health information 
if they do not believe it will be protected to the same extent they 
protect it themselves. In June 2006, NCVHS recommended that, if 
necessary, HHS amend the HIPAA Privacy Rule to increase the 
responsibility of covered entities to control the practices of business 
associates. 

The need to reconcile differences in varying state laws' privacy 
protection requirements introduces another widely acknowledged 
challenge to ensuring the privacy protection of health information 
exchanged on a nationwide basis. As health information exchange 
officials in states with strong privacy protections consider exchanging 
health information with organizations in other states, they will need 
to determine the extent to which they could share health information 
with organizations in states that have less stringent or no state-level 
laws and policies. For example, an official with one health information 
exchange organization described its state's privacy laws as being much 
more stringent than federal requirements, while a health information 
exchange official in another state told us that HIPAA's privacy 
requirements are the only laws that apply to the information exchanged 
by its organization. In this case, according to the official with the 
first organization, it would share more health information with 
providers in its own state than it would with providers in the other 
state because the other state's less stringent privacy protection laws 
would not provide a sufficient level of protection. HHS recognized that 
sharing health information among entities in states with varying laws 
introduces challenges and intends to identify variations in state laws 
that affect privacy and security practices through the privacy and 
security solutions contract that it awarded in 2005. 

Organizations also described another challenge associated with 
understanding and resolving legal and policy requirements for 
protecting electronic health information exchanged among multiple and 
diverse organizations. Differing interpretations and applications of 
the HIPAA privacy and security rules by providers and health 
information exchange organizations can result in disagreement about the 
data that can be exchanged and with whom the data can be shared. An 
official with one health information exchange described differing 
applications of HIPAA's security requirements that affect the way 
systems are administered and hinder the exchange of health information. 
For example, to protect individuals' information from inappropriate 
disclosure, the organization requires that the systems' list of users 
be forwarded to managers so that they can review roles and access 
rights at least annually. HIPAA's requirements do not specify 
protections at this level of granularity, so other organizations may 
not require this level of activity. This can create disagreements 
between organizations about the data that can be exchanged and with 
whom data can be shared if one organization does not administer access 
rights as strictly as another. 

Health information exchange organizations described difficulties with 
determining liability and enforcing sanctions in cases of 
confidentiality breaches. As the number of health information exchange 
organizations increases and information is shared on a widespread 
basis, determination of liability for improper disclosure of 
information will become more important but also more difficult. For 
example, the Markle Foundation described problems with tracing the 
source of a privacy violation and determining the responsible 
entity.[Footnote 23] Without such information, it becomes very 
difficult, if not impossible, to enforce sanctions for violations and 
breaches of confidentiality. 

Ensuring Appropriate Disclosure: 

Several organizations described issues associated with ensuring 
appropriate disclosure, such as determining the minimum data necessary 
that can be disclosed in order for requesters to accomplish the 
intended purposes for the use of the health information. For example, 
dieticians and health claims processors do not need access to complete 
health records, whereas treating physicians generally do. According to 
VA officials, the agency's ability to ensure appropriate disclosure is 
further complicated by the fact that the Veterans' Benefits Act 
prevents disclosure of certain information, such as information related 
to HIV infection, sickle cell anemia, and substance abuse, which must 
be removed from individuals' health records before the requested 
information is disclosed. Additionally, VA's current manual process for 
determining the legal authority for disclosures and the minimum amount 
of information authorized to be disclosed is difficult to automate 
because of the complexity of various privacy laws and regulations. 

Organizations also described issues with obtaining individuals' 
authorization and consent for uses and disclosures of personal health 
information. For example, health information exchange organizations may 
provide individuals with the ability to either opt in or opt out of 
electronic health information exchange. The opt-in approach requires 
that health care providers obtain the explicit permission of 
individuals before allowing their information to be shared with other 
providers. Without this permission, an individual's personal health 
information would not be accessible. The opt-out approach presumes that 
an individual's personal health information is available to authorized 
persons, but any individual may elect to not participate. Another 
approach taken by health information organizations simply notifies 
individuals that their information will be exchanged with providers 
throughout the organization's network. 

Several organizations described difficulties with determining the best 
way to allow individuals to participate in and consent to electronic 
health information exchange. While the opt-in approach increases 
individual autonomy, it is more administratively burdensome than the 
opt-out approach and may result in fewer individuals participating in 
health information exchange. The opt-out approach is easier, less 
costly, and may result in greater participation in health information 
exchange, but does not provide the autonomy that the opt-in approach 
does. The notification approach is the simplest to administer but 
provides individuals no choice regarding participation in the 
organization's data exchange. In June 2006, NCVHS recommended to the 
Secretary of HHS that the department monitor the development of opt-in 
and opt-out approaches; consider local, regional, and provider 
variations of consent options; collect evidence on the health, 
economic, social, and other implications of opt-in and opt-out 
approaches; and continue an open, transparent, and public process to 
evaluate whether a national policy on opting in or opting out is 
appropriate. 

Organizations also described the need to effectively educate consumers 
so that they understand the extent to which their consent or 
authorization to use and disclose health information applies. For 
example, one organization stated that a request made to limit use and 
disclosure at one facility in a network may not apply to other 
facilities within the same network, but consumers may assume the 
limitations do apply to all facilities and not take steps to limit 
disclosure in those other facilities. 

Ensuring Individuals' Rights to Request Access and Amendments to Health 
Information: 

As the exchange of personal health information expands to include 
multiple providers and as individuals' health records include 
increasing amounts of information from many sources, keeping track of 
the origin of specific data and ensuring that incorrect information is 
corrected and removed from future health information exchange could 
become increasingly difficult. Several organizations described 
challenges with ensuring that individuals have access to and the 
ability to amend their own health information and with ensuring that 
amendments are made and tracked throughout their information exchange 
organizations. 

Officials with HHS's Indian Health Service described a challenge with 
ensuring that individuals' amendments to their own health information 
are properly made and tracked. Additionally, as individuals amend their 
health information, HIPAA requires that covered entities make 
reasonable efforts to notify or alert and send the corrected 
information to certain providers and other persons that previously 
received the individuals' information. Meeting this requirement was 
described as a challenge by officials with VA, and it is expected to 
become more prevalent as the numbers of organizations exchanging health 
information increases. 

Officials with DOD described difficulties with ensuring that 
individuals' amendments to health information are distributed across 
multiple facilities within its network of medical facilities. The 
department is addressing this problem through the implementation of 
electronic health records and information management tools that track 
requests for amendments and their status. Additionally, an official 
with a professional association described the need to educate consumers 
to ensure that they understand their rights to request access to and 
amendments of their own health information to ensure that it is 
correct. 
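The amendment-tracking problem described in this section, as an added illustration rather than code from GAO, DOD, VA or the Indian Health Service: a small ledger that records where each value originated, logs every disclosure of it, and, when an amendment is applied, computes which earlier recipients received the superseded value and must be sent the correction. Patient identifiers, facility names, field names and the disclosure history are constructed for the example.

```python
"""Tracking amendments and the recipients who must be told of them.

Added illustration; this is not DOD's, VA's or the Indian Health
Service's tooling.  Patient identifiers, facility names, field names
and the disclosure history are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Disclosure:
    """A prior release of one field's value to one recipient."""
    patient_id: str
    field_name: str
    value: str
    source: str      # facility that originated the value
    recipient: str   # organization that received it


@dataclass
class AmendmentRequest:
    request_id: str
    patient_id: str
    field_name: str
    new_value: str
    status: str = "pending"
    to_notify: Set[str] = field(default_factory=set)
    notified: Set[str] = field(default_factory=set)


class AmendmentTracker:
    def __init__(self) -> None:
        # (patient, field) -> (current value, originating facility)
        self.records: Dict[Tuple[str, str], Tuple[str, str]] = {}
        self.disclosures: List[Disclosure] = []
        self.requests: Dict[str, AmendmentRequest] = {}

    def record(self, patient_id: str, field_name: str, value: str, source: str) -> None:
        """Store a value together with the facility it came from."""
        self.records[(patient_id, field_name)] = (value, source)

    def origin(self, patient_id: str, field_name: str) -> Optional[str]:
        """Facility the current value came from, or None if unknown."""
        entry = self.records.get((patient_id, field_name))
        return entry[1] if entry else None

    def disclose(self, patient_id: str, field_name: str, recipient: str) -> str:
        """Release the current value and log who received which value."""
        value, source = self.records[(patient_id, field_name)]
        self.disclosures.append(Disclosure(patient_id, field_name, value, source, recipient))
        return value

    def request_amendment(self, request_id: str, patient_id: str,
                          field_name: str, new_value: str) -> AmendmentRequest:
        req = AmendmentRequest(request_id, patient_id, field_name, new_value)
        self.requests[request_id] = req
        return req

    def apply(self, request_id: str, amending_facility: str) -> Set[str]:
        """Apply the amendment; return recipients who hold the superseded value."""
        req = self.requests[request_id]
        key = (req.patient_id, req.field_name)
        old_value, _ = self.records.get(key, (None, None))
        self.records[key] = (req.new_value, amending_facility)
        # Only parties that actually received the now-incorrect value need
        # the correction; earlier or later values are not affected.
        req.to_notify = {
            d.recipient for d in self.disclosures
            if (d.patient_id, d.field_name) == key and d.value == old_value
        }
        req.status = "applied"
        return set(req.to_notify)

    def mark_notified(self, request_id: str, recipient: str) -> None:
        """Record that a recipient was sent the correction; close when all are."""
        req = self.requests[request_id]
        req.notified.add(recipient)
        if req.notified >= req.to_notify:
            req.status = "closed"

    def outstanding(self, request_id: str) -> Set[str]:
        """Recipients still owed a correction for this request."""
        req = self.requests[request_id]
        return req.to_notify - req.notified
```

The request status moves from "pending" to "applied" to "closed" only once every recipient of the old value has been notified, which gives a facility a concrete queue to work from rather than relying on memory of where a record was sent.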

Implementing Adequate Security Measures for Protecting Health 
Information: 

Organizations described the adequate implementation of security 
measures as another challenge that must be overcome to protect health 
information. For example, health information exchange organizations 
described difficulties with determining and implementing adequate 
techniques for authenticating requesters of health information, such as 
the use of passwords and security tokens. User authentication will 
become more difficult as health information exchange expands across 
multiple organizations that employ different techniques. The AHIC 
Confidentiality, Privacy, and Security Workgroup recognized this 
difficulty and identified user authentication as one of its initial 
work areas for protecting confidentiality and security. 

Implementing proper access controls, particularly role-based access 
controls, was also cited as a challenge to determining the information 
to which requesters may have access. Several organizations stated that 
maintaining adequate audit trails for monitoring access to health 
information is difficult but is necessary to ensure that information is 
adequately protected. 
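The two points above, minimum-necessary disclosure by role (the dietitian and claims-processor example earlier in this section) and role-based access control with an audit trail, as an added illustration that is not code from GAO or from any exchange organization. The roles, record fields and policy table are constructed; a real exchange would derive its policy from its own minimum-necessary analysis under the HIPAA Privacy Rule and any stricter state law. The annual access-review helper mirrors the manager review of roles that one organization described, with the 365-day interval an assumption.

```python
"""Minimum-necessary disclosure by role, with an audit trail.

Added illustration; this is not code from GAO or from any health
information exchange organization.  The roles, record fields and the
policy table are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample record for one patient.
SAMPLE_RECORD: Dict[str, object] = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "date_of_birth": "1970-01-01",
    "allergies": ["penicillin"],
    "diagnoses": ["type 2 diabetes"],
    "medications": ["metformin"],
    "dietary_orders": ["carbohydrate-controlled diet"],
    "billing_codes": ["E11.9"],
}

# Constructed policy: the fields each role may receive.  A treating
# physician gets the clinical record; a dietitian only what diet planning
# needs; a claims processor identity plus billing codes.  Every role gets
# the identifiers needed to match the record to the right person.
ROLE_POLICY: Dict[str, Set[str]] = {
    "treating_physician": set(SAMPLE_RECORD),
    "dietitian": {"patient_id", "name", "allergies", "dietary_orders"},
    "claims_processor": {"patient_id", "name", "date_of_birth", "billing_codes"},
}


@dataclass(frozen=True)
class AuditEntry:
    """One line of the audit trail: who asked, as what role, and what left."""
    timestamp: str
    requester: str
    role: str
    patient_id: str
    fields_released: Tuple[str, ...]
    fields_withheld: Tuple[str, ...]
    outcome: str


class DisclosureService:
    def __init__(self, policy: Dict[str, Set[str]]) -> None:
        self.policy = policy
        self.audit_log: List[AuditEntry] = []

    def disclose(self, requester: str, role: str,
                 record: Dict[str, object]) -> Dict[str, object]:
        """Return only the fields the requester's role may see; log either way."""
        patient_id = str(record.get("patient_id", "unknown"))
        allowed = self.policy.get(role)
        if allowed is None:
            # Unknown roles are denied, and the denial itself is logged.
            self._log(requester, role, patient_id, (), tuple(sorted(record)),
                      "denied: unknown role")
            raise PermissionError(f"role {role!r} is not authorized for any disclosure")
        released = {k: v for k, v in record.items() if k in allowed}
        withheld = tuple(sorted(set(record) - allowed))
        self._log(requester, role, patient_id, tuple(sorted(released)), withheld, "released")
        return released

    def _log(self, requester: str, role: str, patient_id: str,
             released: Tuple[str, ...], withheld: Tuple[str, ...], outcome: str) -> None:
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            requester=requester, role=role, patient_id=patient_id,
            fields_released=released, fields_withheld=withheld, outcome=outcome,
        ))


def users_due_for_review(last_reviewed: Dict[str, str], today: str,
                         max_age_days: int = 365) -> List[str]:
    """Users whose role assignment was last reviewed more than max_age_days ago.

    Dates are ISO strings (YYYY-MM-DD).  The 365-day interval is an assumption
    standing in for the at-least-annual review one organization described.
    """
    today_d = date.fromisoformat(today)
    return sorted(
        user for user, seen in last_reviewed.items()
        if (today_d - date.fromisoformat(seen)).days > max_age_days
    )
```

Both the release and the denial produce an audit entry listing which fields were withheld, so a later review can show not just who accessed a record but that the minimum-necessary filter was applied to each request.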

Organizations described problems introduced by the need to protect 
health information stored on portable devices and data transmitted 
between business partners. The use of laptops and other portable media 
by health information exchange employees presents a challenge to 
organizations since the data stored on these media should be encrypted 
to be secure. The VA is also faced with limitations related to the need 
to encrypt electronic health information shared with its business 
partners. According to VA officials, the agency and its business 
partners' solutions must be compatible in order to share the encrypted 
data, and VA's deployment of encryption solutions is limited. 
Encryption of data can be challenging, as organizations often must 
implement hardware and complex software technology to achieve adequate 
protection. 

Conclusions: 

As the use of health IT and the exchange of electronic health 
information increases, concerns about the protection of personal health 
information exchanged electronically within a nationwide health 
information network have also increased. HHS and its Office of the 
National Coordinator for Health IT have initiated activities that, 
collectively, are intended to address aspects of key privacy 
principles. While progress has been made through the various 
initiatives, HHS has not yet defined an approach and milestones for 
integrating its efforts, resolving differences and inconsistencies 
between them, and fully addressing key privacy principles. 

As the use of health IT and electronic information exchange networks 
expands, health information exchange organizations are faced with 
challenges to ensuring the protection of health information, including 
understanding and resolving legal and policy issues, ensuring that the 
minimum information necessary is disclosed only to those entities 
authorized to request the information, ensuring individuals' rights to 
request access and amendments to health information, and implementing 
adequate security measures. These challenges are expected to become 
more prevalent as more information is exchanged and as electronic 
health information exchange expands to a nationwide basis. HHS's 
current initiatives are intended to address many of these challenges. 
However, without a clearly defined approach that establishes milestones 
for integrating its efforts and fully addresses key privacy principles 
and these challenges, it is likely that HHS's goal to safeguard 
personal health information as part of its national strategy for health 
IT will not be met. 

Recommendation for Executive Action: 

We recommend that the Secretary of Health and Human Services define and 
implement an overall approach for protecting health information as part 
of the strategic plan called for by the President. This approach should 
(1) identify milestones and the entity responsible for integrating the 
outcomes of its privacy-related initiatives, including the results of 
its four health IT contracts and recommendations from the NCVHS and 
AHIC advisory committees; (2) ensure that key privacy principles in 
HIPAA are fully addressed; and (3) address key challenges associated 
with legal and policy issues, disclosure of personal health 
information, individuals' rights to request access and amendments to 
health information, and security measures for protecting health 
information within a nationwide exchange of health information. 

Agency Comments and Our Evaluation: 

We received written comments on a draft of this report from HHS's 
Assistant Secretary for Legislation. The Assistant Secretary disagreed 
with our recommendation. Throughout the comments, the Assistant 
Secretary referred to the department's comprehensive and integrated 
approach for ensuring the privacy and security of health information 
within nationwide health information exchange. However, an overall 
approach for integrating the department's various privacy-related 
initiatives has not been fully defined and implemented. We acknowledge 
in our report that HHS has established a strategic objective to protect 
consumer privacy along with two specific strategies for meeting this 
objective: (1) support the development and implementation of 
appropriate privacy and security policies, practices, and standards for 
electronic health information exchange, and (2) develop and support 
policies to protect against discrimination from health information. Our 
report also acknowledges the key efforts that HHS has initiated to 
address this objective, and HHS's comments describe these and 
additional state and federal efforts. HHS stated that the department 
has made significant progress in integrating these efforts. While 
progress has been made initiating these efforts, much work remains 
before they are completed and the outcomes of the various efforts are 
integrated. Thus, we recommended that HHS define and implement a 
comprehensive privacy approach that includes milestones for 
integration, identifies the entity responsible for integrating the 
outcomes of its privacy-related initiatives, addresses key privacy 
principles, and ensures that challenges are addressed in order to meet 
the department's objective to protect the privacy of health information 
exchanged within a nationwide health information network. 

HHS specifically disagreed with the need to identify milestones and 
stated that tightly scripted milestones would impede HHS's processes 
and preclude stakeholder dialogue on the direction of important policy 
matters. We disagree and believe that milestones are important for 
setting targets for implementation and informing stakeholders of HHS's 
plans and goals for protecting personal health information as part of 
its efforts to achieve nationwide implementation of health IT. 
Milestones are especially important considering the need for HHS to 
integrate and coordinate the many deliverables of its numerous ongoing 
and remaining activities. We agree that it is important for HHS to 
continue to actively involve both public and private sector health care 
stakeholders in its processes. HHS did not comment on the need to 
identify an entity responsible for the integration of the department's 
privacy-related initiatives, nor did it provide information regarding 
any effort to assign responsibility for this important activity. HHS 
neither agreed nor disagreed that its approach should address privacy 
principles and challenges, but stated that the department plans to 
continue to work toward addressing privacy principles in HIPAA and that 
our report appropriately highlights efforts to address challenges 
encountered during electronic health information exchange. HHS stated 
that the department is committed to ensuring that health information is 
protected as part of its efforts to achieve nationwide health 
information exchange. 

HHS also disagreed with our conclusion that without a clearly defined 
privacy approach, it is likely that HHS's objective to protect personal 
health information will not be met. We believe that an overall approach 
is needed to integrate the various efforts, provide assurance that 
HHS's initiatives continue to address key privacy principles (as we 
illustrate in table 2 of the report), and to ensure that key challenges 
faced by health information exchange stakeholders are effectively 
addressed. HHS also provided technical comments that we have 
incorporated into the report as appropriate. HHS's written comments are 
reproduced in appendix VI. 

In written comments, the Secretary of VA concurred with our findings, 
conclusions, and recommendation to the Secretary of HHS and commended 
our efforts to highlight methods for ensuring the privacy of electronic 
health information. VA also provided technical comments that we have 
incorporated into the report as appropriate. VA's written comments are 
reproduced in appendix VII. 

DOD chose not to comment on a draft of this report. 

As agreed with your offices, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
from the date on the report. At that time, we will send copies of the 
report to other Chairmen and Ranking Minority Members of other Senate 
and House committees and subcommittees that have authorization and 
oversight responsibilities for health information technology. We will 
also send copies of the report to the Secretaries of Defense, Health 
and Human Services, and Veterans Affairs. Copies of this report will 
also be made available at no charge on our Web site at [Hyperlink, 
http://www.gao.gov]. 

If you have any questions on matters discussed in this report, please 
contact me at (202) 512-6240 or David Powner at (202) 512-9286, or by 
e-mail at koontzl@gao.gov or pownerd@gao.gov. Contact points for our 
offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. Other contacts and key contributors to 
this report are listed in appendix VIII. 

Signed by: 

Linda D. Koontz: 
Director, Information Management Issues: 

Signed by: 

David A. Powner: 
Director, Information Technology Management Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were to: 

* describe the steps the Department of Health and Human Services (HHS) 
is taking to ensure privacy protection as part of the national health 
information technology (IT) strategy and: 

* identify challenges associated with meeting requirements for 
protecting personal health information within a nationwide health 
information network. 

To address our first objective, we analyzed information that we 
collected from agency documentation and through discussions with 
officials with HHS components and advisory committees that play major 
roles in supporting HHS's efforts to develop and implement a national 
strategy for health IT, including activities intended to ensure the 
protection of electronic health information exchanged within a 
nationwide health information network. Specifically, we reviewed and 
assessed privacy-related plans and documentation describing HHS's 
efforts to ensure privacy protection from HHS's Office of the National 
Coordinator for Health IT, Office for Civil Rights, Centers for 
Medicare and Medicaid Services and its Office for E-Health Standards 
and Services, and the Office of the Assistant Secretary for Planning 
and Evaluation. We also held discussions with and collected information 
from the American Health Information Community and the National 
Committee on Vital and Health Statistics, the Secretary's two primary 
advisory committees for health IT. 

We reviewed information from the Office of the National Coordinator for 
Health IT on the description and status of its plans to address health 
information privacy as part of its national health IT strategy. We 
identified recommendations that the American Health Information 
Community and the National Committee for Vital and Health Statistics 
made to the Secretary of Health and Human Services regarding protecting 
the privacy of electronic health information. We also reviewed 
documentation about the scope and status of privacy-related work 
currently planned or being conducted under several of the Office of the 
National Coordinator's health IT contracts that support its efforts to 
develop and implement a national health IT strategy. We reviewed 
procedures for enforcing privacy and security laws related to the 
protection of health information (i.e., the Health Information 
Portability and Accountability Act [HIPAA] privacy and security rules) 
from the Office for Civil Rights and the Office of E-Health Standards 
and Services. We also reviewed involvement by HHS's Agency for 
Healthcare Research and Quality, the National Institutes of Health, the 
Health Resources and Services Administration, the Substance Abuse and 
Mental Health Services Administration, and the Centers for Disease 
Control and Prevention in initiatives to ensure privacy protection 
related to the electronic exchange of health information within a 
nationwide health information network. 

We mapped the HHS privacy-related activities we identified to key 
privacy principles in the HIPAA Privacy Rule. We identified HHS 
activities that addressed specific aspects of these principles to 
describe the extent to which HHS's privacy-related initiatives are 
intended to address key privacy principles. 

To address the second objective, we analyzed documentation from and 
held discussions with officials from the federal agencies that provide 
health care services--the Departments of Defense and Veterans Affairs 
and the Indian Health Service--and representatives from selected 
state-level health information exchange organizations. We selected these 
organizations by conducting literature research and consulting with HHS 
and recognized health IT professional associations to identify existing 
health information exchange organizations. We initially identified more 
than 40 organizations and then conducted screening interviews to narrow 
the universe to 7 state-level health information exchange organizations 
that were actively exchanging health information electronically. To 
ensure that we identified challenges introduced by both federal privacy 
protection requirements and requirements that are more stringent than 
existing federal protections, we included states that do not have state 
laws that supersede federal requirements and states with privacy laws 
that are more stringent than federal laws. We selected state-level 
health information organizations from California, Florida, Indiana, 
Louisiana, Massachusetts, North Carolina, and Utah. We also included a 
telehealth network from Nebraska and a community health center network 
from Florida to ensure that we identified any privacy-related 
challenges unique to their health care IT environments. During 
interviews, we asked the health information exchange organizations to 
provide examples of challenges associated with protecting the privacy 
of health information that they encountered with the implementation of 
electronic health information exchange networks, along with challenges 
that they anticipated would be introduced by the nationwide health 
information exchange being proposed by HHS. We also held discussions 
with HHS officials with the Agency for Healthcare Research and Quality, 
the National Institutes of Health, the Health Resources and Services 
Administration, the Substance Abuse and Mental Health Services 
Administration, and the Centers for Disease Control and Prevention to 
collect examples of challenges those organizations and their 
stakeholders face in attempting to address federal privacy and security 
requirements. 

To gain further insight into the challenges organizations face in 
protecting privacy while exchanging electronic health information, we 
contacted representatives from nationally recognized health IT 
professional organizations. We held discussions with officials from the 
American Health Information Management Association, the American 
Medical Informatics Association, the eHealth Initiative, the Healthcare 
Information and Management Systems Society, the Markle Foundation, and 
the Public Health Informatics Institute to discuss challenges these 
organizations faced that are associated with protecting electronic 
health information. We also gathered relevant information about the 
challenges in protecting privacy within health information exchange 
from officials with the Health Privacy Project, the Vanderbilt Center 
for Better Health, Kaiser Permanente, and NHII Advisors, a health 
information consulting firm. 

We reviewed and analyzed the information provided by the health 
information exchange organizations, federal health care providers, and 
professional associations to identify key challenges associated with 
the electronic exchange of personal health information throughout the 
health care industry. To characterize the challenges that we 
identified, we analyzed the specific examples of challenges and 
categorized them into four broad areas of challenges--understanding and 
resolving legal and policy issues, ensuring appropriate disclosures of 
health information, ensuring individuals' rights to access and amend 
health information, and implementing adequate security measures for 
protecting health information. 

We conducted our work from December 2005 through November 2006 in the 
Washington, D.C., area in accordance with generally accepted government 
auditing standards. 

[End of section] 

Appendix II: Major Federal Health Care Programs: 

The following table includes the major federal programs that provide 
health care services for U.S. citizens, the number of beneficiaries for 
each program, and the cost of each program for 2004. 

Table 4: Federal Programs: 

Federal agency: HHS; 
Program: Medicare; 
Beneficiaries: 42 million elderly and disabled beneficiaries; 
Expenditure (dollars in billions): $301.5. 

Federal agency: HHS; 
Program: Medicaid; 
Beneficiaries: 57.6 million low-income persons; 
Expenditure (dollars in billions): 297.5; 
(joint federal and state). 

Federal agency: HHS; 
Program: State Children's Health Insurance Program; 
Beneficiaries: 6.8 million children; 
Expenditure (dollars in billions): 6.6; 
(joint federal and state). 

Federal agency: HHS; 
Program: Indian Health Service; 
Beneficiaries: 1.8 million Native Americans and Alaska Natives; 
Expenditure (dollars in billions): 3.7. 

Federal agency: Veterans Affairs (VA); 
Program: Veterans Health Administration; 
Beneficiaries: 5.2 million veterans; 
Expenditure (dollars in billions): 26.8. 

Federal agency: Department of Defense (DOD); 
Program: TRICARE Program; 
Beneficiaries: 8.3 million active-duty military personnel and their 
families and military retirees; 
Expenditure (dollars in billions): 30.4. 

Federal agency: Office of Personnel Management (OPM); 
Program: Federal Employees Health Benefit Program; 
Beneficiaries: 8 million federal employees, retirees, and dependents; 
Expenditure (dollars in billions): 27. 

Source: HHS, VA, DOD, and OPM budget documents. 

[End of table] 

[End of section] 

Appendix III: HHS Health IT Contracts: 

The following table describes key health IT contracts awarded by the 
HHS Office of the National Coordinator for Health IT. 

Table 5: HHS Health IT Contracts: 

Contract: American Health Information Community Program Support; 
Date awarded: September 2005; 
Initial duration: 1 year; 
Initial cost (in millions): $0.8; 
Extended duration: First option year; 
Additional cost (in millions): 2.2; 
Duration: 2 years; 
Total cost (in millions): $3.0; 
Description: To provide assistance to the National Coordinator in 
convening and managing the meetings and activities of the health care 
community to ensure that the health IT plan is seamlessly coordinated. 

Contract: Standards Harmonization Process for Health IT; 
Date awarded: September 2005; 
Initial duration: 1 year; 
Initial cost (in millions): 3.2; 
Extended duration: Phase II 1 year; 
Additional cost (in millions): 3.9; 
Duration: 2 years; 
Total cost (in millions): 7.1; 
Description: To develop and test a process for identifying, assessing, 
endorsing, and maintaining a set of standards required for 
interoperable health information exchange. 

Contract: Compliance Certification Process for Health IT; 
Date awarded: September 2005; 
Initial duration: 1 year; 
Initial cost (in millions): 2.8; 
Extended duration: Phase II 1 year; 
Additional cost (in millions): 2.9; 
Duration: 2 years; 
Total cost (in millions): 5.7; 
Description: To develop and evaluate a compliance certification process 
for health IT, including the infrastructure components through which 
these systems interoperate. 

Contract: Privacy and Security Solutions for Interoperable Health 
Information Exchange[A]; 
Date awarded: September 2005; 
Initial duration: 1½ years; 
Initial cost (in millions): 17.2 (Increased by $6 million in August 
2006 to include additional studies); 
Extended duration: n/a; 
Additional cost (in millions): n/a; 
Duration: 1½ years; 
Total cost (in millions): 17.2; 
Description: To assess and develop plans to address variations in 
organization-level business policies and state laws that affect privacy 
and security practices that may pose challenges to an interoperable 
health information exchange. 

Contract: Nationwide Health Information Network Prototypes; 
Date awarded: November 2005; 
Initial duration: 1 year; 
Initial cost (in millions): 18.6 (4 contracts); 
Extended duration: Base year extended by 3 months; 
Additional cost (in millions): 4.4; 
Duration: 1¼ years; 
Total cost (in millions): 23.0; 
Description: To develop and evaluate prototypes for a nationwide health 
information network architecture to maximize the use of existing 
resources such as the Internet to achieve widespread interoperability 
among software applications, particularly electronic health records. 
These contracts are also intended to spur technical innovation for 
nationwide electronic sharing of health information in patient care and 
public health settings. 

Contract: Measuring the Adoption of Electronic Health Records; 
Date awarded: September 2005; 
Initial duration: 2 years; 
Initial cost (in millions): 1.8; 
Extended duration: n/a; 
Additional cost (in millions): n/a; 
Duration: 2 years; 
Total cost (in millions): 1.8; 
Description: To develop a methodology to better characterize and 
measure the state of electronic health records adoption and determine 
the effectiveness of policies aimed at accelerating adoption of 
electronic health records and interoperability. 

Contract: Gulf Coast Electronic Digital Health Recovery; 
Date awarded: September 2005; 
Initial duration: 1 year; 
Initial cost (in millions): 3.7; 
Extended duration: n/a; 
Additional cost (in millions): n/a; 
Duration: 1 year; 
Total cost (in millions): 3.7; 
Description: To plan and promote the widespread use of electronic 
health records and digital health information recovery in the Gulf 
Coast regions affected by hurricanes last year. 

Contract: State Alliance for e-Health; 
Date awarded: October 2006; 
Initial duration: 1 year; 
Initial cost (in millions): 1.9; 
Extended duration: n/a; 
Additional cost (in millions): n/a; 
Duration: 1 year; 
Total cost (in millions): 1.9; 
Description: To form a high-level steering committee that includes 
governors and state executives to identify and resolve issues that may 
present barriers to the formation of health information networks, 
including privacy, security, licenses and other legal issues, and 
health information exchanges. 

Source: HHS Office of the National Coordinator for Health Information 
Technology. 

[A] Jointly managed by the Agency for Healthcare Research and Quality 
and the Office of the National Coordinator. 

[End of table] 

[End of section] 

Appendix IV: The Office of the National Coordinator for Health IT's 
Goals, Objectives, and Strategies: 

The following table describes the Office of the National Coordinator's 
current goals, objectives, and strategies and indicates which 
strategies have been initiated, which are under active consideration, 
and which require future discussion. 

Table 6: Goals, Objectives, and Strategies of the Office of the 
National Coordinator: 

Goal: Goal 1: Inform health care professionals; 
Objective: High-value electronic health records; 
High-level strategy: Simplify health information access and 
communication among clinicians[A]. 

Goal: Goal 1: Inform health care professionals; 
Objective: High-value electronic health records; 
High-level strategy: Increase incentives for clinicians to use 
electronic health records[C]. 

Goal: Goal 1: Inform health care professionals; 
Objective: Low-cost and low-risk electronic health records; 
High-level strategy: Foster economic collaboration for electronic 
health records adoption[B]. 

Goal: Goal 1: Inform health care professionals; 
Objective: Low-cost and low-risk electronic health records; 
High-level strategy: Lower total cost of electronic health records 
purchase and implementation[B]. 

Goal: Goal 1: Inform health care professionals; 
Objective: Low-cost and low-risk electronic health records; 
High-level strategy: Lower risk of electronic health records 
adoption[A]. 

Goal: Goal 1: Inform health care professionals; 
Objective: Current clinical knowledge; 
High-level strategy: Increase investment in sources of evidence-based 
knowledge[C]. 

Goal: Goal 1: Inform health care professionals; 
Objective: Current clinical knowledge; 
High-level strategy: Increase investment in tools that can access and 
integrate evidence-based knowledge in the clinical setting[C]. 

Goal: Goal 1: Inform health care professionals; 
Objective: Current clinical knowledge; 
High-level strategy: Establish mechanisms that will allow clinicians to 
empirically access information and other patient characteristics that 
can better inform their clinical decisions[C]. 

Goal: Goal 1: Inform health care professionals; 
Objective: Equitable adoption of electronic health records; 
High-level strategy: Ensure low-cost electronic health records for 
clinicians in underserved areas[C]. 

Goal: Goal 1: Inform health care professionals; 
Objective: Equitable adoption of electronic health records; 
High-level strategy: Support adoption and implementation by 
disadvantaged providers[C]. 

Goal: Goal 2: Interconnect health care; 
Objective: Widespread adoption of standards; 
High-level strategy: Establish well-defined health information 
standards[A]. 

Goal: Goal 2: Interconnect health care; 
Objective: Widespread adoption of standards; 
High-level strategy: Ensure federal agency compliance with health 
information standards[A]. 

Goal: Goal 2: Interconnect health care; 
Objective: Widespread adoption of standards; 
High-level strategy: Exercise federal leadership in health information 
standards adoption[A]. 

Goal: Goal 2: Interconnect health care; 
Objective: Sustainable electronic health information exchange; 
High-level strategy: Stimulate private investment to develop the 
capability for efficient sharing of health information[B]. 

Goal: Goal 2: Interconnect health care; 
Objective: Sustainable electronic health information exchange; 
High-level strategy: Use government payers and purchasers to foster 
interoperable electronic health information exchange[C]. 

Goal: Goal 2: Interconnect health care; 
Objective: Sustainable electronic health information exchange; 
High-level strategy: Adapt federal agency health data collection and 
delivery to NHIN solutions[C]. 

Goal: Goal 2: Interconnect health care; 
Objective: Sustainable electronic health information exchange; 
High-level strategy: Support state and local governments and 
organizations to foster electronic health information exchange[B]. 

Goal: Goal 2: Interconnect health care; 
Objective: Consumer privacy and risk protections; 
High-level strategy: Support the development and implementation of 
appropriate privacy and security policies, practices, and standards for 
electronic health information exchange[A]. 

Goal: Goal 2: Interconnect health care; 
Objective: Consumer privacy and risk protections; 
High-level strategy: Develop and support policies to protect against 
discrimination from health information[C]. 

Goal: Goal 3: Personalize health management; 
Objective: Consumer use of personal health information; 
High-level strategy: Establish value of personal health records, 
including consumer trust[B]. 

Goal: Goal 3: Personalize health management; 
Objective: Consumer use of personal health information; 
High-level strategy: Expand access to personal health management 
information and tools[A]. 

Goal: Goal 3: Personalize health management; 
Objective: Remote monitoring and communications; 
High-level strategy: Promote adoption of remote monitoring technology 
for communication between providers and patients[A]. 

Goal: Goal 3: Personalize health management; 
Objective: Care based on culture and traits; 
High-level strategy: Promote consumer understanding and provider use of 
personal genomics for prevention and treatment of hereditary 
conditions[C]. 

Goal: Goal 3: Personalize health management; 
Objective: Care based on culture and traits;
High-level strategy: Promote multicultural information support[C]. 

Goal: Goal 4: Improve population health; 
Objective: Automated public health and safety monitoring and 
management; 
High-level strategy: Enable simultaneous flow of clinical care data to 
and among local, state, and federal biosurveillance programs[A]. 

Goal: Goal 4: Improve population health; 
Objective: Automated public health and safety monitoring and 
management; 
High-level strategy: Ensure that the nationwide health information 
network supports population health reporting and management[C]. 

Goal: Goal 4: Improve population health; 
Objective: Efficient collection of quality information; 
High-level strategy: Develop patient-centric quality measures based on 
clinically relevant information available from interoperable 
longitudinal electronic health records[B]. 

Goal: Goal 4: Improve population health; 
Objective: Efficient collection of quality information; 
High-level strategy: Ensure adoption of uniform performance measures by 
health care stakeholders[C]. 

Goal: Goal 4: Improve population health; 
Objective: Efficient collection of quality information; 
High-level strategy: Establish standardized approach to centralized 
electronic data capture and reporting of performance information[C]. 

Goal: Goal 4: Improve population health; 
Objective: Transformation of clinical research; 
High-level strategy: No strategies identified. 

Goal: Goal 4: Improve population health; 
Objective: Health information support in disasters and crises; 
High-level strategy: Foster the availability of field electronic 
health records to clinicians responding to disasters[A]. 

Goal: Goal 4: Improve population health; 
Objective: Health information support in disasters and crises; 
High-level strategy: Improve coordination of health information flow 
during disasters and crises[C]. 

Goal: Goal 4: Improve population health; 
Objective: Health information support in disasters and crises; 
High-level strategy: Support management of health emergencies[C]. 

Source: HHS Office of the National Coordinator for Health IT. 

[A] Strategy has been initiated. 

[B] Strategy is under active consideration. 

[C] Strategy requires future discussion. 

[End of table] 

[End of section] 

Appendix V: Descriptions of Federal Laws for Protecting Personal Health 
Information: 

There are several federal statutes that protect personal health 
information. HIPAA provides the most extensive and specific protection. 
However, other federal statutes, although not always focused 
specifically on health information, nonetheless have the effect of 
protecting personal health information in specific situations. This 
table presents an outline of selected federal laws that protect 
personal health information. 

Table 7: Selected Federal Laws that Protect Personal Health 
Information: 

HIPAA: 

Law: HIPAA administrative simplification provisions and regulations; 
Protected information: Certain individually identifiable health 
information transmitted by or maintained in electronic or any other 
form or medium by a covered entity; 
Protection provided: Disclosure of health information prohibited except 
as permitted by the Privacy Rule. The Security Rule requires that the 
security, integrity, and confidentiality of health information be 
ensured; 
Applicability: Covered entities, which are defined as health plans, 
health care clearinghouses, and health care providers who transmit 
health information electronically in connection with authorized 
transactions. 

Privacy protections applicable to federal government agencies: 

Law: Privacy Act of 1974; 
Protected information: Agency-controlled information about an 
individual that is retrieved by the individual's name or other personal 
identifier; 
Protection provided: Prohibits use and disclosure of personal records 
without consent of individual, or as otherwise permitted under the law; 
requires protection of personal records, disclosure of which could 
cause harm, embarrassment, unfairness, or inconvenience to the 
individual; 
Applicability: Executive agencies that hold information in a system of 
records (the law provides certain exceptions). 

Law: Freedom of Information Act of 1966; 
Protected information: Federal agency records; 
Protection provided: Act exempts from public release individually 
identifiable medical information, disclosure of which would constitute 
a clearly unwarranted invasion of personal privacy; 
Applicability: Executive federal agencies. 

Law: Social Security Act; 
Protected information: Individually identifiable records and 
information held by an agency regarding program beneficiaries' records 
and information that is transmitted to, or obtained by or from HHS, 
Social Security Administration (SSA), and their contractors incident to 
carrying out agency duties; 
Protection provided: Prohibits unauthorized disclosure of individually 
identifiable records and makes unauthorized disclosure a crime; 
Applicability: HHS, SSA, and their contractors. 

Law: Veterans Omnibus Health Care Act of 1976; 
Protected information: Confidential medical records of treatment 
relating to the treatment of drug abuse, alcoholism or alcohol abuse, 
infection with the human immunodeficiency virus, or sickle cell anemia; 
Protection provided: Personally identifiable patient information 
provided or obtained in connection with treatment, education, 
evaluation, or research of certain conditions or diseases must be kept 
confidential, except with patient's written consent, or within VA, 
Department of Justice, or DOD;  
Applicability: VA. 

Provisions protecting health information in limited situations: 

Law: Medicare Prescription Drug, Improvement, and Modernization Act of 
2003; 
Protected information: Program beneficiaries' prescription drug, 
medication, and medical history information; 
Protection provided: Prescription drug plan sponsors must comply with 
HIPAA Privacy Rule and Security Rule requirements; 
Applicability: Prescription drug plan pharmacies and sponsors of 
prescription drug plans. 

Law: Clinical Laboratory Improvement Amendments of 1988; 
Protected information: Medical information of patients and clinical 
study subjects; 
Protection provided: Certain clinical laboratories are required to 
ensure confidentiality of test results or reports and may disclose such 
information only to authorized persons as defined by state or federal 
law; 
Applicability: Certain clinical laboratories conducting patient tests. 

Law: Public Health Service Act Health Omnibus Programs Extension of 
1988; 
Protected information: Personal identifying information of individual 
subjects of biomedical, behavioral, clinical, or other research; 
Protection provided: The Secretary of HHS may issue a certificate of 
confidentiality to researchers engaged in biomedical, behavioral, 
clinical, or other research to protect any identifying research 
information from disclosure, including "compulsory legal demands"; 
Applicability: Research programs. 

Law: Public Health Service Act Federal Confidentiality Requirements for 
Substance Abuse Patient Records; 
Protected information: Patient alcohol and drug abuse treatment 
records; 
Protection provided: Personally identifiable patient records maintained 
in connection with performance of drug abuse or substance abuse 
treatment must be kept confidential, absent patient consent or court 
order; 
Applicability: Federally assisted alcohol or substance abuse programs 
or activities. 

Law: Family Educational Rights and Privacy Act; 
Protection of Pupil Rights Amendment (covered education records are 
excluded under HIPAA's privacy and security regulations); 
Protected information: Personally identifiable information in students' 
educational records; examination, testing, or treatment for mental or 
psychological conditions; 
Protection provided: Prohibits disclosure of protected information 
other than as needed within educational institution or by local or 
state educational agency, absent consent of parent, or student that has 
reached 18 years of age; 
Applicability: Educational institution or agency that receives federal 
funds under the Department of Education programs; 
educational institutions that conduct non-Department of Education-
funded surveys. 

Law: Americans with Disabilities Act; 
Protected information: Medical information or condition and health 
records of employees or applicants; 
Protection provided: Covered entities must treat employees' and 
applicants' medical information as confidential medical records, with 
certain limitations as specified in the law; 
Applicability: Employers of 15 or more employees, employment agencies, 
labor organizations, and joint labor management committees. 

Law: Financial Modernization (Gramm-Leach-Bliley) Act of 1999; 
Protected information: Nonpublic personal information, which is defined 
as any nonpublic personal financial information provided by a consumer 
to a financial institution; 
Protection provided: Prohibits disclosure of consumers' nonpublic 
personal information to nonaffiliated third parties without clients' 
consent; (Consumers must be afforded the opportunity to decline the 
institution's sharing their information with nonaffiliated third 
parties.); 
Applicability: Financial institutions, including certain health 
insurers. 

Source: GAO analysis of federal privacy laws. 

[End of table] 

[End of section] 

Appendix VI: Comments from the Department of Health and Human Services: 

Office of the Assistant Secretary for Legislation: 
Department of Health and Human Services: 
Washington, D.C. 20201. 

Dec 29 2006: 

Ms. Linda D. Koontz: 
Director, Information Management Issues: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Ms. Koontz: 

Enclosed are the Department's comments on the U.S. Government 
Accountability Office's (GAO) draft report entitled, "Health 
Information Technology: Early Efforts Initiated but Comprehensive 
Privacy Approach Needed for National Strategy" (GAO-07-238). 

The Department has provided several technical comments directly to your 
staff. 

The Department appreciates the opportunity to comment on this draft 
report before its publication. 

Sincerely, 

Signed by: 

Vincent J. Ventimiglia: 
Assistant Secretary for Legislation: 

Comments From The Department Of Health And Human Services (HHS) On The 
U.S. Government Accountability Office's (GAO) Draft Report: Health 
Information Technology: Early Efforts Initiated But Comprehensive 
Privacy Approach Needed For National Strategy (GAO-07-238): 

General Comments: 

The Department of Health and Human Services (HHS) appreciates the 
opportunity to review the draft Government Accountability Office's 
(GAO) report entitled "HEALTH INFORMATION TECHNOLOGY - Early Efforts 
Initiated but Comprehensive Privacy Approach Needed for National 
Strategy." 

HHS has established and is pursuing a deliberative, comprehensive, and 
integrated approach to ensure the privacy and security of health 
information within a nationwide health information technology (health 
IT) infrastructure. Although the GAO concludes otherwise, HHS continues 
to implement a "framework for strategic action," which it initially 
articulated in July 2004 and which continues to be a foundational guide 
for nationwide health IT adoption; and we fully believe that 
safeguarding personal health information is essential to our national 
strategy for health IT. The GAO draft report identifies numerous HHS 
projects, initiatives, and public-private collaborations underway that 
aggressively pursue the development of milestones for a nationwide 
health IT infrastructure premised on the privacy and security of health 
information; and while GAO concludes to the contrary, we believe the 
efforts highlighted in this report reflect HHS's comprehensive strategy 
to ensure that essential privacy and security protections are 
appropriately being integrated from the ground up into Federal 
solutions for interoperable health IT. In fact, the report's three 
recommendations well describe the activities HHS is currently engaged 
in to ensure the privacy and security of health information within a 
nationwide health IT infrastructure. Therefore, HHS does not concur 
with the GAO's conclusion that "...HHS's goal to safeguard personal 
health information as part of its national strategy for health IT will 
not be met." (pg. 32). 

GAO's first recommendation calls on HHS to identify milestones and an 
entity responsible for the integration of outcomes related to our 
privacy-related initiatives. HHS believes that the tightly scripted 
milestones GAO recommends would impede our processes and preclude 
necessary public-private dialogue and input into the approach and 
direction on these important policy matters. Second, GAO recommends 
that HHS's approach "ensure that key privacy principles defined by 
HIPAA are fully addressed." The HIPAA Privacy Rule establishes a 
Federal floor of protections for health information held by most health 
care providers, health plans, and health care clearinghouses, while 
allowing States and organizations to provide greater protections as 
they see fit. This Rule and the HIPAA Security Rule establish the 
foundation principles of, and form the context in which, HHS continues 
to implement a comprehensive strategy for health IT privacy and 
security policy. Lastly, GAO recommends that our approach "address key 
challenges associated with legal and policy issues, disclosure of 
personal health information, patients' right to access and amend health 
information, and security measures for protecting health information 
within a nationwide exchange of health information." The GAO report 
fittingly highlights the myriad complex collaborative efforts HHS is 
involved in to address the key challenges stated above. HHS is 
committed to ensuring that health information exchanged in a nationwide 
network is protected. 

HHS's strategy recognizes the importance of collaboration with both the 
public and private sectors, including representation from consumers of 
healthcare services. Many of our activities rely on public input, 
recommendations from Federal advisory committees, and deliverables from 
contracts with a wide variety of healthcare and IT sector 
collaborators, among other sources. Nationwide health IT adoption can 
only be accomplished through a coordinated effort of many stakeholders, 
within both state and Federal governments and the private sector. HHS 
has taken great care to engage representatives of all these sectors in 
our many health IT initiatives - an effort that involves many processes 
and the work of thousands of participants. Forging ahead with solutions 
that have not been informed by input from consumer groups and others in 
the private sector would deny these key stakeholders an opportunity to 
voice both their concerns and recommendations for solutions in this 
complex and sensitive policy area. Thus, creating tightly scripted 
milestones that do not provide an opportunity to be informed by such 
public-private dialogue would preclude the input necessary to inform 
the government's next steps. These processes are part of a 
comprehensive strategy for addressing complex technical and healthcare 
delivery issues; they advance the national health IT agenda, with all 
of its potential for improving healthcare and the health of the 
population; and effectively secure health information and the privacy 
of our citizens. 

Overall, HHS's broad engagement in a full spectrum of contractual and 
other collaborative efforts reflects a well-structured, comprehensive, 
and dynamic strategy that addresses key privacy and security 
principles. These activities indicate that HHS is very much on track to 
define solutions that will provide solid protection of health 
information while concurrently improving the quality of care through 
advancing the adoption of interoperable health IT. 

HHS has invested significant resources and efforts on the nationwide 
strategy for protecting health information. Our national health IT 
agenda approaches privacy and security through a number of activities 
that both inform current work and prepare for future needs. As 
identified in this report, HHS already has a comprehensive portfolio of 
laws and activities to protect health information and define future 
needs for privacy and security protections as we move toward the 
President's vision for an interoperable health information technology 
infrastructure. HHS intends to draw upon these efforts to integrate 
privacy and security protections into meeting this vision. Our 
comprehensive strategy involves leveraging existing foundations, 
creating new public-private processes, partnering with states, health 
care organizations, and consumers to address state and business level 
protections, and considering privacy and security policies and 
implementation at a nationwide level. This multi-pronged, coordinated 
approach is designed to address each key element and constituent that 
will be required to enable a secure and consumer-focused nationwide 
transition to electronic health information exchange at all levels 
nationally. HHS efforts in each of these areas include: 

Existing Foundations: 

HHS has promulgated several rules that establish Federal 
confidentiality, privacy, and security protections for health 
information, including the HIPAA Privacy and Security Rules, and the 
Confidentiality of Alcohol and Drug Abuse Patient Records Regulation. 
The Privacy Rule establishes a Federal floor of protections for health 
information held by most health care providers, health plans, and 
health care clearinghouses, while allowing States and organizations to 
provide greater protections as they see fit. These Rules establish the 
foundation principles of, and form the context in which HHS continues 
to implement a comprehensive strategy for, health IT privacy and 
security policy. Furthermore, HHS, like other agencies, must follow and 
implement the Privacy Act of 1974, which provides additional 
protections for records maintained by federal agencies. 

State and Organizational Efforts: 

* Privacy and Security Solutions for Interoperable Health Information 
Exchange: Co-managed by the Agency for Healthcare Research and Quality 
(AHRQ) and the Office of the National Coordinator for Health IT (ONC), 
the Privacy and Security Solutions contract has fostered an environment 
where states and territories have been able to: (1) assess variations 
in organization-level business policies and state laws that affect 
health information exchange; (2) identify and propose practical 
solutions, while preserving the privacy and security requirements in 
applicable Federal and state laws; and (3) develop detailed plans to 
implement solutions to identified privacy and security challenges. 
These implementation plans will not only benefit the states and 
territories that have created them, but other ONC coordinated efforts 
such as the State Alliance for E-Health's Health Information Protection 
task force where interstate health information exchange issues can be 
harmonized nationwide. 

* State Alliance for E-Health: Under contract with ONC, the National 
Governors Association will work with Governors and Governor-named 
high-level executives of states and U.S. territories to establish a 
high-level health IT advisory board. This body will be charged with 
identifying, assessing and, through the formation of consensus 
solutions, mapping ways to resolve state-level health IT issues that 
affect multiple states and pose challenges to interoperable electronic 
health information exchange; providing a forum in which states may 
collaborate so as to increase the efficiency and effectiveness of the 
health IT initiatives that they develop; and focusing on privacy and 
security issues surrounding the use and disclosure of electronic health 
information. 

* Development of Best Practices for State HIE Initiatives: ONC has 
awarded a contract to the Foundation of Research and Education of the 
American Health Information Management Association (AHIMA) to gather 
information from existing state-level Health Information Exchanges and 
define, through a consensus-based process, best practices that can be 
disseminated across a broad spectrum of healthcare and governmental 
organizations. Information was gathered related to governance, legal, 
financial and operational characteristics, and health information 
exchange policies. The contractor analyzed findings to develop guiding 
principles and practical guidance for state-level health information 
exchanges. AHIMA developed a work book and final report to disseminate 
guiding principles, and recommendations on how to encourage conformance 
and coordination across state and federal initiatives. 

Federal Activities: 

* American Health Information Community and Confidentiality, Privacy, 
and Security Workgroup: In September 2005, the Secretary established 
the American Health Information Community (AHIC), a federally-chartered 
advisory committee made up of key leaders from the public and private 
sectors, charged with making recommendations to HHS on key health IT 
strategies. In the summer of 2006, the AHIC created a workgroup 
specifically focused on nationwide privacy and security issues raised 
by health IT activities and the findings of the other AHIC workgroups - 
privacy and security are one of the most consistent threads between 
each of the groups and their breakthrough projects. The first set of 
recommendations of this group will be presented to the AHIC in January 
2007. 

* The Certification Commission for Healthcare Information Technology 
(CCHIT): In September 2005, ONC awarded a contract to CCHIT which was 
tasked with reducing barriers to the adoption of interoperable health 
information technologies through the creation of an efficient, credible 
and sustainable product certification program. The CCHIT membership 
includes a broad array of private sector representatives, including 
physicians and other healthcare providers, payers and purchasers, 
health IT vendors, and consumers. An important part of the task for 
CCHIT is to certify the security of health information systems. In each 
successive year, CCHIT will focus on security for ambulatory EHR 
systems, security for inpatient EHR systems and then security for 
network systems. The certification process CCHIT has developed promotes 
well-established, tested security capabilities in health IT systems, 
and certification will be a major contributor to protecting the privacy 
and confidentiality of the data these systems manage. 

* Healthcare Information Technology Standards Panel (HITSP): In 
September 2005, ONC awarded a contract to the American National 
Standards Institute (ANSI) to identify standards for use in enhancing 
the exchange of interoperable health data. The process carried out by 
the Healthcare IT Standards Panel (HITSP) has created a unique and 
unprecedented opportunity to bring together the intellectual assets of 
over 260 organizations with a stake in health data standards that will 
increase the interoperability of healthcare systems and information. 

A critical part of the HITSP mission is to harmonize the critical 
standards necessary to protect the privacy and security of health data. 
The panel guides the collaboration of its member organizations through 
a Health IT standards harmonization process that leverages the work and 
membership of multiple standards development organizations along with 
the expertise from the public and private sector. The panel engages in 
a consensus-based process to select the most appropriate standard from 
existing standards, where available, and to identify gaps in standards 
where there are none to assure effective interoperability. HITSP 
ensures that objections by interested parties are appropriately 
addressed and resolved, that the proceedings remain open to the public, 
that the industry's interests are adequately balanced, and further, 
that due process is followed with the ability of interested parties to 
appeal the panel's decisions. Once standards have been identified to 
support specific clinical use-cases, the HITSP will develop 
implementation guides to support system developers' activities in 
pursuing interoperable electronic health records. 

* Nationwide Health Information Network (NHIN): In November 2005, ONC 
awarded contracts to four consortia to develop prototypes capable of 
demonstrating potential solutions for nationwide exchange of health 
information. This initiative is foundational to the President's vision 
for the widespread adoption of secure, interoperable health records 
within 10 years. The prototype architectures developed will provide a 
framework for a public-private discussion on needed capabilities to 
support secure health information exchange across the nation. Each 
contract includes three geographically distinct healthcare markets. The 
output of the NHIN initiative includes prototype architectures that 
include functional requirements, business models, the identification of 
needed standards, and prototype software implementations. It is 
anticipated that this "network of networks" that will form the NHIN 
will be constructed from interoperable health information exchanges and 
sustainable markets for health information service providers. 

A critical portion of the required NHIN deliverables is the development 
of security models that directly address systems architecture needs for 
securing and maintaining the confidentiality of health data. 
Furthermore, each participant is required to comply with security 
requirements established by HHS to ensure proper and confidential 
handling of data and information, and each is delivering important 
architecture capabilities that will be used in the next steps of the 
NHIN to address the complex issues of authentication, authorization, 
data access restrictions, auditing and logging, consumer controls of 
information access, and other critical contributions. 

Summary: 

In summary, as the GAO report itself describes, HHS has made 
considerable progress integrating the activities and processes listed 
above into our overall strategy for ensuring privacy and security 
protections for health information in a health IT infrastructure. Each 
activity and process involves many participants and organizations and 
will play a critical role in ensuring privacy and security of health 
information while advancing the adoption of health IT. Each activity 
and process has numerous deliverables and milestones. Many of our 
initiatives involve complex collaborative efforts and HHS seeks to be 
responsive to public comments and concerns while coordinating these 
public-private initiatives. HHS is focused directly on these privacy 
and security policy issues and is coordinating the integration of these 
policy issues through the health IT technology efforts presented. 

[End of section] 

Appendix VII: Comments from the Department of Veterans Affairs: 

The Secretary Of Veterans Affairs: 
Washington: 

December 27, 2006: 

Ms. Linda D. Koontz: 
Director, Information Management Issues: 
Mr. David A. Powner: 
Director, Information Technology Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Ms. Koontz and Mr. Powner: 

The Department of Veterans Affairs (VA) has reviewed your draft report, 
Health Information Technology: Early Efforts Initiated but 
Comprehensive Privacy Approach Needed for National Strategy 
(GAO-07-238). 

I concur with the Government Accountability Office's (GAO) findings and 
conclusions. I support GAO's recommendations as they relate to the need 
for an overall approach that ensures key privacy principles and 
challenges associated with the nationwide exchange of health 
information are addressed fully. 

However, the draft report mischaracterizes a situation in which an 
employee's computer equipment was stolen from the employee's home. Law 
enforcement officials subsequently recovered the equipment, which 
contained information on millions of veterans. After a thorough 
forensics assessment, Federal Bureau of Investigation officials stated 
publicly that they were "highly confident" that the veteran data were 
neither compromised nor accessed. It should be noted that the incident 
did not take place at the Veterans Health Administration level but at a 
Departmental level staff office, which was not a Health Insurance 
Portability and Accountability Act entity. While the context of GAO's 
report is privacy and security of health-related information, it should 
be noted that the data breach of personal information was not from a 
health care system of records. 

In conclusion, I believe the report's effort to highlight methods of 
ensuring the privacy of electronic health information is commendable. 
The enclosure provides technical comments to enable more accuracy and 
clarity in GAO's report. VA appreciates the opportunity to comment on 
your draft report. 

Sincerely yours, 

Signed by: 

R. James Nicholson: 

Enclosure: 

[End of section] 

Appendix VIII: GAO Contacts and Acknowledgments: 

GAO Contacts: 

Linda D. Koontz, (202) 512-6240 or koontzl@gao.gov: 
David A. Powner, (202) 512-9286 or pownerd@gao.gov: 

Acknowledgments: 

In addition to those named above, Mirko J. Dolak, Amanda C. Gill, Nancy 
E. Glover, M. Saad Khan, Charles F. Roney, Sylvia L. Shanks, Sushmita 
L. Srikanth, Teresa F. Tucker, and Morgan F. Walts made key 
contributions to this report. 

(310748): 

FOOTNOTES 

[1] Health IT is the use of technology to electronically collect, 
store, retrieve, and transfer clinical, administrative, and financial 
health information. Health IT is interoperable when systems are able to 
exchange data accurately, effectively, securely, and consistently with 
different IT systems, software applications, and networks in such a way 
that the clinical or operational purposes and meaning of the data are 
preserved and unaltered. 

[2] Use of the term "personal health information" throughout this 
report refers to information relating to the health or health care of 
an individual that identifies, or can be used to identify, the 
individual. 

[3] Executive Order 13335, Incentives for the Use of Health Information 
Technology and Establishing the Position of the National Health 
Information Technology Coordinator (Washington, D.C.: Apr. 27, 2004). 

[4] The National Committee on Vital and Health Statistics was 
established in 1949 as a public advisory committee that is statutorily 
authorized to advise the Secretary of HHS on health data, statistics, 
and national health information policy, including the implementation of 
health IT standards. 

[5] The American Health Information Community is a federally chartered 
advisory committee made up of representatives from both the public and 
private health care sectors. The community provides input and 
recommendations to HHS on making health records electronic and 
providing assurance that the privacy and security of those records are 
protected. 

[6] GAO, 21st Century Challenges: Reexamining the Base of the Federal 
Government, GAO-05-325SP (Washington, D.C.: February 2005). 

[7] GAO, Information Technology: Benefits Realized for Selected Health 
Care Functions, GAO-04-224 (Washington, D.C.: Oct. 31, 2003). 

[8] Executive Order 13335. 

[9] Department of Health and Human Services, "The Decade of Health 
Information Technology: Delivering Consumer-centric and Information- 
rich Health Care: A Framework for Strategic Action" (Washington, D.C.: 
July 21, 2004). 

[10] GAO, Health Care: National Strategy Needed to Accelerate the 
Implementation of Information Technology, GAO-04-947T (Washington, 
D.C.: July 14, 2004). 

[11] GAO, Health Information Technology: HHS Is Continuing Efforts to 
Define Its National Strategy, GAO-06-1071T (Washington, D.C.: Sept. 1, 
2006). 

[12] GAO, Health Information Technology: HHS Is Taking Steps to Develop 
a National Strategy, GAO-05-628 (Washington, D.C.: May 27, 2005); 
GAO, Health Information Technology: HHS Is Continuing Efforts to Define 
a National Strategy, GAO-06-346T (Washington, D.C.: Mar. 15, 2006); 
GAO-06-1071T. 

[13] Breakthrough areas are components of health care and public health 
that can potentially achieve measurable results in 2 to 3 years. 

[14] AARP is a nonprofit, nonpartisan membership organization for 
people age 50 and over. 

[15] AARP Public Policy Institute; Goldman, Janlori; Stewart, Emily; 
and Tossell, Beth, Health Privacy Project, The Health Insurance 
Portability and Accountability Act Privacy Rule and Patient Access to 
Medical Records, 2006-03 (Washington, D.C.: February 2006). 

[16] The Privacy Act defines a "system of records" as a group of 
records under the control of any agency that contains information about 
an individual and from which information is retrieved by the name of 
the individual or other personal identifier. 

[17] Transactions covered by the standards include enrollment and 
disenrollment in a health plan, eligibility determinations for a health 
plan, health care payment and remittance advice, premium payments, 
health claims information and claim status, coordination of benefits, 
and referral certification and authorizations. 

[18] The statute requires the Secretary to issue standards for privacy 
and security. The standards issued by the Secretary are styled as 
rules. We use that terminology in this report. 

[19] Ambulatory electronic health records are records of medical care 
that include diagnosis, observation, treatment, and rehabilitation that 
is provided on an outpatient basis. Ambulatory care is given to persons 
who are able to ambulate, or walk about. 

[20] In May 2006, several of the AHIC work groups recommended the 
formation of an additional work group composed of privacy, security, 
clinical, and technology experts from each of the other AHIC work 
groups. The AHIC Confidentiality, Privacy, and Security Workgroup first 
convened in August 2006. 

[21] Identity proofing is the process of providing sufficient 
information (e.g., identity history, credentials, documents) to 
establish and verify a person's identity. Identity proofing already 
takes place throughout many industries, including health care. However, 
a standard methodology does not exist. 

[22] User authentication is the process of confirming a person's 
claimed identity, often used as a way to grant access to data, 
resources, and other network services. While a user name and password 
provide a foundational level of authentication, several other 
techniques, most notably two-factor authentication, have additional 
capabilities. 

[23] The Markle Foundation is an organization that works to accelerate 
the use of emerging information and communication technologies to 
address critical public needs, particularly in the areas of health and 
national security. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site (www.gao.gov) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548: