Health Information Technology: HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains

GAO-08-1138 Published: Sep 17, 2008. Publicly Released: Sep 17, 2008.
Highlights

Although advances in information technology (IT) can improve the quality and other aspects of health care, the electronic storage and exchange of personal health information introduces risks to the privacy of that information. In January 2007, GAO reported on the status of efforts by the Department of Health and Human Services (HHS) to ensure the privacy of personal health information exchanged within a nationwide health information network. GAO recommended that HHS define and implement an overall privacy approach for protecting that information. For this report, GAO was asked to provide an update on HHS's efforts to address the January 2007 recommendation. To do so, GAO analyzed relevant HHS documents that described the department's privacy-related health IT activities.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Health and Human Services
Recommendation: To ensure that key privacy principles and challenges are fully and adequately addressed, the Secretary of Health and Human Services should direct the National Coordinator for Health IT to include in the department's overall privacy approach a process for assessing and prioritizing its many privacy-related initiatives and the needs of stakeholders.
Status: Closed – Implemented
As of July 2012, the Office of the National Coordinator for Health Information Technology (ONC) had taken steps to implement this recommendation by centralizing responsibility for privacy and security issues, taking steps to formalize its management of privacy and security issues, and obtaining greater input from stakeholders. Among the specific actions taken, ONC established the following mechanisms for assessing and prioritizing initiatives and addressing stakeholder needs: (1) issued, in December 2008, the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, a set of privacy and security principles used for evaluating...

GAO Contacts

Valerie C. Melvin
Managing Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Accountability, Electronic data interchange, Electronic health records, Health information privacy, Information disclosure, Information management, Information security, Information technology, Internal controls, Medical information systems, Privacy law, Privacy policies, Records, Right of privacy, Risk management, Standards, Strategic planning, Personal information