Privacy and Security:
Food and Drug Administration Faces Challenges in Establishing Protections for Its Postmarket Risk Analysis System
GAO-09-355: Published: Jun 1, 2009. Publicly Released: Jun 1, 2009.
The Food and Drug Administration (FDA) is responsible for assessing the safety of certain medical products after approval (a process called postmarket risk surveillance). To this end, the Food and Drug Administration Amendments Act of 2007 required that FDA establish a postmarket risk identification and analysis system based on electronic health data. In May 2008, FDA began its Sentinel initiative, intended to fulfill this requirement. Additionally, the Act established a requirement for GAO to review FDA's planned system. GAO's specific objectives were to (1) describe the current status of FDA's implementation of the Sentinel system and (2) identify the key privacy and security challenges associated with FDA's plans for the Sentinel system. To do so, GAO analyzed available system documentation; reviewed key privacy and security laws, guidance, standards, and practices; and obtained and analyzed the views of privacy and security experts.
The Sentinel system is still in the early planning stages, with key decisions about development and milestones yet to be made. In planning for Sentinel, FDA has held outreach meetings with stakeholders, established a senior management team to solicit input from agency components; established a working group to share information with federal partners; and sought input from projects involving both public and private sector entities that are meant to refine research approaches and identify challenges and concerns. Although FDA has developed a preliminary design of the Sentinel process for making medical product safety-related queries, key decisions such as developing a governance model for oversight and enforcement of relevant policies, establishing an architecture, and setting privacy and security policies have not yet been made. Further, FDA has not yet developed a plan or set of milestones for when it expects to have these issues addressed. Because the Sentinel system will rely on sensitive electronic health data, FDA will likely be faced with several significant privacy and security challenges as it continues to develop the Sentinel system including (1) ensuring that appropriate legal mechanisms are established to protect privacy and implement security consistently across the Sentinel system; (2) defining a clear and specific purpose for the system and ensuring that partners use personal health information only for specified purposes; (3) ensuring public involvement and effectively informing the public of the program's planned uses of their personal health information; (4) ensuring that de-identified information--data stripped of fields that uniquely identify individuals--is not re-identified; (5) establishing adequate security controls to protect the personal health information associated with Sentinel; and (6) establishing sufficient oversight and enforcement mechanisms to ensure that privacy and security requirements are consistently implemented. FDA has yet to develop a plan or set milestones for addressing these challenges.
Recommendation for Executive Action
Status: Closed - Implemented
Comments: In fiscal year 2013, we verified that FDA, in response to our recommendation, implemented the Mini-Sentinel pilot program to improve the agency's development of its Sentinel system. As part of its pilot program, FDA has developed policies and procedures to ensure that the system provides consistent application of protections to all system partners, personal health information will be used for the specific purpose of only postmarket safety surveillance, comprehensive security controls are implemented, and key privacy and security requirements are enforced. These actions reduce the potential risk that personal health information used and maintained by the Sentinel system could be compromised.
Recommendation: Given the significant privacy and security challenges, the Commissioner of FDA should develop a plan, including milestones, for developing the Sentinel system and for addressing the privacy and security challenges associated with (1) ensuring consistent application of protections to all Sentinel partners, (2) limiting use of personal health information to a clear and specific purpose, (3) involving the public in the development of the system and informing the public of the program's planned uses of personal health information and privacy protections, (4) using de-identified data, (5) establishing adequate security controls, and (6) overseeing and enforcing key privacy and security requirements.
Agency Affected: Department of Health and Human Services: Public Health Service: Food and Drug Administration