Health Information Technology: HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains

GAO-08-1138 Published: Sep 17, 2008. Publicly Released: Sep 17, 2008.

Although advances in information technology (IT) can improve the quality and other aspects of health care, the electronic storage and exchange of personal health information introduces risks to the privacy of that information. In January 2007, GAO reported on the status of efforts by the Department of Health and Human Services (HHS) to ensure the privacy of personal health information exchanged within a nationwide health information network. GAO recommended that HHS define and implement an overall privacy approach for protecting that information. For this report, GAO was asked to provide an update on HHS's efforts to address the January 2007 recommendation. To do so, GAO analyzed relevant HHS documents that described the department's privacy-related health IT activities.

Recommendations for Executive Action

Agency Affected: Department of Health and Human Services

Recommendation: To ensure that key privacy principles and challenges are fully and adequately addressed, the Secretary of Health and Human Services should direct the National Coordinator for Health IT to include in the department's overall privacy approach a process for assessing and prioritizing its many privacy-related initiatives and the needs of stakeholders.

Status: Closed – Implemented

As of July 2012, the Office of the National Coordinator for Health Information Technology (ONC) had taken steps to implement this recommendation by centralizing responsibility for privacy and security issues, taking steps to formalize its management of privacy and security issues, and obtaining greater input from stakeholders. Among the specific actions taken, ONC established the following mechanisms for assessing and prioritizing initiatives and addressing stakeholder needs: (1) issued, in December 2008, the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, a set of privacy and security principles used for evaluating potential gaps in privacy policies; (2) established, in December 2009, the Office of the Chief Privacy Officer within ONC, and in February 2010, appointed a Chief Privacy Officer to advise the National Coordinator and coordinate with privacy officers in other agencies and countries regarding the privacy, security, and data stewardship of electronic, individually identifiable health information; and (3) implemented a multi-pronged approach to managing privacy-related initiatives that involves prioritizing privacy and security work to meet statutory deadlines and incorporating feedback from various stakeholders. As part of this approach, the Office of the Chief Privacy Officer proposes privacy policy issues for review and input to a workgroup of Health IT Policy Committee members representing health information exchange stakeholders, including small providers, large health care systems, vendors, privacy and security experts, and consumer groups. This workgroup submits draft recommendations to the Policy Committee for consideration and, after public discussion and deliberation, the Policy Committee adopts, modifies, or rejects the workgroup's suggestions and submits recommendations to ONC.
Upon receipt, ONC prioritizes these recommendations in light of other policies and activities and obtains internal input from the directors of its various programs regarding the impact on various stakeholders, in order to inform decision-making on whether the recommendation should be accepted, modified, rejected, or tabled. Recommendations that are accepted are referred to the HHS Task Force, which deliberates and reaches consensus on, and recommends policies to address, specific privacy issues. ONC also incorporates feedback about privacy issues from program grantees and from participants in roundtable meetings it sponsors about emerging issues, and it determines privacy and security priorities through the analysis of public surveys and government data. By taking these actions, HHS strengthened its efforts to address key privacy principles and challenges related to protecting personal health information.

Topics: Accountability; Electronic data interchange; Electronic health records; Health information privacy; Information disclosure; Information management; Information security; Information technology; Internal controls; Medical information systems; Privacy law; Privacy policies; Records; Right of privacy; Risk management; Standards; Strategic planning; Personal information