Health Information Technology: Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy

GAO-07-238 Published: Jan 10, 2007. Publicly Released: Feb 01, 2007.

Highlights

The expanding implementation of health information technology (IT) and electronic health information exchange networks raises concerns regarding the extent to which the privacy of individuals' electronic health information is protected. In April 2004, President Bush called for the Department of Health and Human Services (HHS) to develop and implement a strategic plan to guide the nationwide implementation of health IT. The plan is to recommend methods to ensure the privacy of electronic health information. GAO was asked to describe HHS's efforts to ensure privacy as part of its national strategy and to identify challenges associated with protecting electronic personal health information. To do this, GAO assessed relevant HHS privacy-related initiatives and analyzed information from health information organizations.

Recommendations

Recommendations for Executive Action

Recommendation 1
Agency affected: Department of Health and Human Services
Recommendation: The Secretary of Health and Human Services should define and implement an overall approach for protecting health information as part of the strategic plan called for by the President. This approach should identify milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, including the results of its four health IT contracts and recommendations from the National Committee on Vital and Health Statistics and the American Health Information Community advisory committees.
Status: Closed – Implemented
In September 2008, we reported on the results of a follow-up engagement on health IT and privacy. In that report (GAO-08-1138), we noted that HHS and its Office of the National Coordinator for Health IT had taken important steps toward protecting the privacy of electronic health information by, for example, (1) documenting milestones for privacy-related objectives and tasks in the federal health IT strategic plan and (2) assigning responsibility for integrating the outcomes of its privacy-related activities and developing a planned privacy framework to the Director of the Office of Policy and Research within the National Coordinator's office. These activities addressed our recommendation that the department identify milestones and the entity responsible for integrating the outcomes of privacy-related initiatives.

Recommendation 2
Agency affected: Department of Health and Human Services
Recommendation: The Secretary of Health and Human Services should define and implement an overall approach for protecting health information as part of the strategic plan called for by the President. This approach should ensure that key privacy principles in the Health Insurance Portability and Accountability Act (HIPAA) are fully addressed.
Status: Closed – Implemented
In December 2008, the Department of Health and Human Services' Office of the National Coordinator for Health IT published a privacy framework that encompassed HIPAA privacy principles. The stated goal of the office's effort was to establish a policy framework to guide the adoption of health IT and improve the availability of information through electronic health information exchange. The department, through the National Coordinator's office, also developed a privacy and security toolkit intended to help health care providers implement the principles in the privacy framework. The toolkit is a series of guidance documents that clarify how each section of the HIPAA Privacy and Security Rules can be used to help structure privacy and security policies related to electronic health information exchange. By taking these actions, HHS has developed a privacy framework and tools that health care providers and health information exchange entities can use as guidance to help them ensure that key HIPAA privacy principles are addressed by their efforts to protect electronic personal health information.

Recommendation 3
Agency affected: Department of Health and Human Services
Recommendation: The Secretary of Health and Human Services should define and implement an overall approach for protecting health information as part of the strategic plan called for by the President. This approach should address key challenges associated with legal and policy issues, disclosure of personal health information, individuals' rights to request access to and amendment of their health information, and security measures for protecting health information within a nationwide exchange of health information.
Status: Closed – Implemented
In efforts related to the Federal Health IT Strategic Plan, HHS and the Office of the National Coordinator for Health IT developed and implemented initiatives intended to address the key challenges identified in this recommendation. For example, the Health Information Security and Privacy Collaboration (HISPC) and the State Alliance for e-Health took steps to address challenges associated with legal and policy issues. Specifically, HISPC researched solutions for legal and policy issues resulting from varying state laws and business practices, and the State Alliance for e-Health worked to reach consensus among 42 states on privacy and security issues, such as the resolution of variations in legal and policy requirements. In addition, the National Committee on Vital and Health Statistics addressed challenges associated with the disclosure of personal health information by defining standards for the protection of such information from unintentional disclosure. Also, the American Health Information Community established guidelines for interaction with users to ensure appropriate access rights, helping to address challenges associated with individuals' rights to request access to and amendment of their health information. Finally, the Healthcare Information Technology Standards Panel defined standards for implementing security features in health IT systems that process personal health information. This activity was intended to help providers and other health IT entities address challenges associated with implementing security mechanisms for protecting health information. Through these initiatives, the department took steps intended to address key privacy and security challenges in protecting electronic personal health information. The outcomes of these efforts provide guidance that health care providers and other entities can use to address the challenges they face in protecting personal health information exchanged within electronic health information networks.

Topics

Electronic data interchange; Electronic health records; Federal regulations; Health information architecture; Health information privacy; Information disclosure; Information technology; Internal controls; Interoperability; Medical information systems; National policies; Privacy law; Right of privacy; Standards; Strategic planning; Health policies; Policies and procedures