GAO takes HHS to task for inadequately addressing privacy problem

By Diana Manos

The Department of Health and Human Services has made progress toward addressing privacy in healthcare IT, but there is more yet to do, according to a report released by the General Accountability Office.

The GAO said HHS has made advances in healthcare quality and other aspects of healthcare, but privacy risks to electronic storage and exchange of personal health information remain a problem.

The report, released Wednesday, was prepared for Senate leaders.

The new GAO report serves as an update to a January report on HHS efforts to ensure healthcare IT privacy. In January, GAO said HHS should define and implement an overall privacy approach.

Based on a current review of HHS documents describing the agency's privacy-related healthcare IT activities, GAO determined HHS still needs to include "a process for ensuring that key privacy principles and challenges are completely and adequately addressed."

"Stakeholders may lack the overall policies and guidance needed to assist them in their efforts to ensure that privacy protection measures are consistently built into health IT programs and applications," GAO said. "Moreover, the department may miss an opportunity to establish the high degree of public confidence and trust needed to help ensure the success of a nationwide health information network."


HHS generally agreed with GAO's findings.

The GAO report comes amid continued heated debate over healthcare IT privacy issues and increased breaches of privacy reported by hospitals and other healthcare organizations.

Meanwhile, despite a handful of healthcare IT bills introduced this year, nothing has gained traction. Exactly how to protect privacy remains one of the key blockers, as factions weigh in on the need for ease in sharing information versus protecting patient privacy at all costs.

More recent bills include the PRO(TECH)T Act, or the "Protecting Records, Optimizing Treatment, and Easing Communication through Healthcare Technology Act of 2008," introduced by John D. Dingell (D-Mich.) June 25. It would build on the existing Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

A similar bill, the Health-e Information Technology Act of 2008, was more recently introduced by Rep. Pete Stark (D-Calif.) Sept. 15.

Deborah Peel, MD, founder and chair of Patient Privacy Rights, has said that for any healthcare IT legislation to address privacy adequately, the government first needs to define privacy by law. In addition, patients must be in control of their own electronic health records. Peel contends the HIPAA Privacy Rule, currently used to protect health records, is not adequate.

Carolyn M. Clancy, MD, director of the Department of Health and Human Services' Agency for Healthcare Research and Quality, said the HIPAA Privacy Rule "is carefully balanced to ensure strong privacy protections without impeding the flow of information necessary to provide access to quality healthcare."

Further, she said HHS' Office for Civil Rights has "brought about significant and systemic improvements in compliance" of some 6,100 covered entities, through investigations and voluntary compliance efforts.
