Government Not Doing Enough to Ensure Medical-Record Privacy
The federal government needs to do more to ensure privacy and confidentiality in any national electronic health information network that is developed.
In particular, the Office of the National Coordinator for Health Information Technology needs to develop a process for assessing the myriad privacy concerns of different stakeholders and for determining how all of those concerns will be addressed in an overall strategy for ensuring privacy and confidentiality, according to a report by the Government Accountability Office (GAO) released in September.
The Department of Health and Human Services' (HHS) “privacy approach does not include a defined process for assessing and prioritizing the many privacy-related initiatives to ensure that key privacy principles and challenges will be fully and adequately addressed,” according to the report. “As a result, stakeholders may lack the overall policies and guidance needed to assist them in their efforts to ensure that privacy protection measures are consistently built into health information technology programs and applications. Moreover, the department may miss an opportunity to establish the high degree of public confidence and trust needed to help ensure the success of a nationwide health information network.”
In January 2007, the GAO issued a report on protecting the privacy of electronic health information that asked HHS to identify milestones and assign responsibility for integrating the outcomes of its privacy-related initiatives, ensure that key privacy principles are addressed, and address key challenges associated with the nationwide exchange of health information.
The new GAO report noted that HHS has undertaken some important steps. They include the following:
•
The Healthcare Information Technology Standards Panel defined standards for implementing security features in systems that process personal health information.
The panel is a body of the American National Standards Institute. According to the institute's Web site, “The mission of the Healthcare Information Technology Standards Panel is to serve as a cooperative partnership between the public and private sectors for the purpose of achieving a widely accepted and useful set of standards specifically to enable and support widespread interoperability among health care software applications, as they will interact in a local, regional, and national health information network for the United States.”
•
The Certification Commission for Healthcare Information Technology defined certification criteria that included privacy protections for both outpatient and inpatient electronic health records. The Certification Commission Healthcare Information Technology is a recognized certification body for electronic health records and their networks and an independent, voluntary, private-sector initiative.
•
Initiatives aimed at the state level have convened stakeholders to identify and propose solutions for addressing challenges faced by health information exchange organizations in protecting the privacy of electronic health information.
In addition, the secretary of HHS released a federal health information technology strategic plan in June that includes privacy and security objectives, along with strategies and target dates for achieving them.
But HHS needs to do more, the GAO said.
“In particular, the department has not defined a process for ensuring that all privacy principles and challenges will be fully and adequately addressed,” the GAO stated. “This process would include, for example, steps for ensuring that all stakeholders' contributions to defining privacy-related activities are appropriately considered and that individual inputs to the privacy framework will be effectively assessed and prioritized to achieve comprehensive coverage of all key privacy principles and challenges.
“Such a process is important given the large number and variety of activities being undertaken and the many stakeholders contributing to the health information technology initiatives. In particular, the contributing activities involve a wide variety of stakeholders, including federal, state, and private-sector entities.”
“HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains” is posted at<www.gao.gov/new.items/d081138.pdf>. Information about the Certification Commission for Healthcare Information Technology is posted at<www.cchit.org>.▪
Information & Authors
Information
Published In
History
Published online: 7 November 2008
Published in print: November 7, 2008
Notes
The GAO finds that the Department of Health and Human Services has not yet defined a process for ensuring that privacy principles and challenges will be fully addressed as the nation adopts health information technology.
Authors
Metrics & Citations
Metrics
Citations
Export Citations
If you have the appropriate software installed, you can download article citation data to the citation manager of your choice. Simply select your manager software from the list below and click Download.
For more information or tips please see 'Downloading to a citation manager' in the Help menu.
There are no citations for this item
View Options
View options
Get Access
Login options
Already a subscriber? Access your subscription through your login credentials or your institution for full access to this article.
Personal login Institutional Login Open Athens loginNot a subscriber?
PsychiatryOnline subscription options offer access to the DSM-5-TR® library, books, journals, CME, and patient resources. This all-in-one virtual library provides psychiatrists and mental health professionals with key resources for diagnosis, treatment, research, and professional development.
Need more help? PsychiatryOnline Customer Service may be reached by emailing [email protected] or by calling 800-368-5777 (in the U.S.) or 703-907-7322 (outside the U.S.).