Health Information Technology:

HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains

GAO-08-1138: Published: Sep 17, 2008. Publicly Released: Sep 17, 2008.

Additional Materials:


Valerie C. Melvin
(202) 512-6304


Office of Public Affairs
(202) 512-4800

Although advances in information technology (IT) can improve the quality and other aspects of health care, the electronic storage and exchange of personal health information introduces risks to the privacy of that information. In January 2007, GAO reported on the status of efforts by the Department of Health and Human Services (HHS) to ensure the privacy of personal health information exchanged within a nationwide health information network. GAO recommended that HHS define and implement an overall privacy approach for protecting that information. For this report, GAO was asked to provide an update on HHS's efforts to address the January 2007 recommendation. To do so, GAO analyzed relevant HHS documents that described the department's privacy-related health IT activities.

Since GAO's January 2007 report on protecting the privacy of electronic personal health information, the department has taken steps to address the recommendation that it develop an overall privacy approach that included (1) identifying milestones and assigning responsibility for integrating the outcomes of its privacy-related initiatives, (2) ensuring that key privacy principles are fully addressed, and (3) addressing key challenges associated with the nationwide exchange of health information. In this regard, the department has fulfilled the first part of GAO's recommendation, and it has taken important steps in addressing the two other parts. The HHS Office of the National Coordinator for Health IT has continued to develop and implement health IT initiatives related to nationwide health information exchange. These initiatives include activities that are intended to address key privacy principles and challenges. For example: (1) The Healthcare Information Technology Standards Panel defined standards for implementing security features in systems that process personal health information. (2) The Certification Commission for Healthcare Information Technology defined certification criteria that include privacy protections for both outpatient and inpatient electronic health records. (3) Initiatives aimed at the state level have convened stakeholders to identify and propose solutions for addressing challenges faced by health information exchange organizations in protecting the privacy of electronic health information. In addition, the office has identified milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, as recommended. Further, the Secretary released a federal health IT strategic plan in June 2008 that includes privacy and security objectives along with strategies and target dates for achieving them. Nevertheless, while these steps contribute to an overall privacy approach, they have fallen short of fully implementing GAO's recommendation. In particular, HHS's privacy approach does not include a defined process for assessing and prioritizing the many privacy-related initiatives to ensure that key privacy principles and challenges will be fully and adequately addressed. As a result, stakeholders may lack the overall policies and guidance needed to assist them in their efforts to ensure that privacy protection measures are consistently built into health IT programs and applications. Moreover, the department may miss an opportunity to establish the high degree of public confidence and trust needed to help ensure the success of a nationwide health information network.

Recommendation for Executive Action

  1. Status: Closed - Implemented

    Comments: As of July 2012, the Office of the National Coordinator for Health Information Technology (ONC) had taken steps that contributed to the implementation of this recommendation by, for example, centralizing responsibility for privacy and security issues, formalizing its management of privacy and security issues, and obtaining greater input from stakeholders. In addition, ONC established other mechanisms for assessing and prioritizing initiatives and addressing stakeholder needs: (1) issued, in December 2008, the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, a set of privacy and security principles used for evaluating potential gaps in privacy policies; (2) established, in December 2009, the Office of the Chief Privacy Officer within ONC, and in February 2010, appointed a Chief Privacy Officer to advise the National Coordinator and coordinate with privacy officers in other agencies and countries regarding the privacy, security, and data stewardship of electronic, individually identifiable health information; and (3) implemented a multi-pronged approach to managing privacy-related initiatives that involves prioritizing privacy and security work to meet statutory deadlines and incorporating feedback from various stakeholders. As part of this approach, the Office of the Chief Privacy Officer proposes privacy policy issues for review and input to a workgroup of Health IT Policy Committee members representing health information exchange stakeholders, including small providers, large health care systems, vendors, privacy and security experts, and consumer groups. ONC prioritizes recommendations made by this workgroup in light of other policies and activities. ONC also determines priorities by incorporating feedback about privacy issues from program grantees and from participants in roundtable meetings and through the analysis of public surveys and government data. By taking these actions, HHS strengthened its efforts to address key privacy principles and challenges related to protecting personal health information.

    Recommendation: To ensure that key privacy principles and challenges are fully and adequately addressed, the Secretary of Health and Human Services should direct the National Coordinator for Health IT to include in the department's overall privacy approach a process for assessing and prioritizing its many privacy-related initiatives and the needs of stakeholders.

    Agency Affected: Department of Health and Human Services


Explore the full database of GAO's Open Recommendations »

Apr 11, 2019

Apr 9, 2019

Dec 13, 2018

Dec 12, 2018

Dec 11, 2018

Nov 13, 2018

Sep 27, 2018

Aug 2, 2018

Jun 13, 2018

May 24, 2018

Looking for more? Browse all our products here