The US Government Accountability Office issues the following release and associated report a few days ago. At the same time I received an announcement of a Health IT privacy conference that is planned for Brisbane late in the year.
Health Information Technology: HHS Has Taken Important Steps to Address Privacy Principles and Challenges, Although More Work Remains
GAO-08-1138 September 17, 2008
Highlights Page (PDF) Full Report (PDF, 23 pages) Accessible Text Recommendations (HTML)
Summary
Although advances in information technology (IT) can improve the quality and other aspects of health care, the electronic storage and exchange of personal health information introduces risks to the privacy of that information. In January 2007, GAO reported on the status of efforts by the Department of Health and Human Services (HHS) to ensure the privacy of personal health information exchanged within a nationwide health information network. GAO recommended that HHS define and implement an overall privacy approach for protecting that information. For this report, GAO was asked to provide an update on HHS's efforts to address the January 2007 recommendation. To do so, GAO analyzed relevant HHS documents that described the department's privacy-related health IT activities.
Since GAO's January 2007 report on protecting the privacy of electronic personal health information, the department has taken steps to address the recommendation that it develop an overall privacy approach that included (1) identifying milestones and assigning responsibility for integrating the outcomes of its privacy-related initiatives, (2) ensuring that key privacy principles are fully addressed, and (3) addressing key challenges associated with the nationwide exchange of health information. In this regard, the department has fulfilled the first part of GAO's recommendation, and it has taken important steps in addressing the two other parts. The HHS Office of the National Coordinator for Health IT has continued to develop and implement health IT initiatives related to nationwide health information exchange. These initiatives include activities that are intended to address key privacy principles and challenges. For example: (1) The Healthcare Information Technology Standards Panel defined standards for implementing security features in systems that process personal health information. (2) The Certification Commission for Healthcare Information Technology defined certification criteria that include privacy protections for both outpatient and inpatient electronic health records. (3) Initiatives aimed at the state level have convened stakeholders to identify and propose solutions for addressing challenges faced by health information exchange organizations in protecting the privacy of electronic health information. In addition, the office has identified milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, as recommended. Further, the Secretary released a federal health IT strategic plan in June 2008 that includes privacy and security objectives along with strategies and target dates for achieving them. Nevertheless, while these steps contribute to an overall privacy approach, they have fallen short of fully implementing GAO's recommendation. In particular, HHS's privacy approach does not include a defined process for assessing and prioritizing the many privacy-related initiatives to ensure that key privacy principles and challenges will be fully and adequately addressed. As a result, stakeholders may lack the overall policies and guidance needed to assist them in their efforts to ensure that privacy protection measures are consistently built into health IT programs and applications. Moreover, the department may miss an opportunity to establish the high degree of public confidence and trust needed to help ensure the success of a nationwide health information network.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow up work.
Director:
Team:
Phone:
Valerie C. Melvin
Government Accountability Office: Information Technology
(202) 512-6304
Recommendations for Executive Action
Recommendation: To ensure that key privacy principles and challenges are fully and adequately addressed, the Secretary of Health and Human Services should direct the National Coordinator for Health IT to include in the department's overall privacy approach a process for assessing and prioritizing its many privacy-related initiatives and the needs of stakeholders.
Agency Affected: Department of Health and Human Services
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
----- End Release.
Link is found here:
http://www.gao.gov/products/GAO-08-1138
The last paragraph of the summary is the most important. Here the GAO makes it quite clear the US Federal Health Department has not developed a co-ordinating process for ensuring privacy is properly protected and the Health Information Network program moves forward and that there is only one chance to get this right. Once the public loose trust in the way health information is shared it will be very hard to win it back.
I agree 100% with theses points (the need for a defined process and the risk of failure) and we need to build this understanding into all our plans as well! NEHTA has been a good deal less than forthcoming about its processes to date. I do hope the planned HISA conference helps flush out what the plans really are and make a contribution to improvement if required!
Here is the background I received on it.
Begin Announcement. ----
Australia is on the verge of substantial changes to the laws governing health privacy. The Australian Law Reform Commission’s report is now with parliament and new laws and regulations will soon be developed as a consequence of this submission. These changes will have a significant impact on the way healthcare professionals work with health information of all kinds and could significantly impact the way healthcare is delivered in some situations.
It is now time to understand how to prepare for these changes and also to provide leadership and feedback to the government as they draft the laws and subsequent privacy regulations that will be derived from this report.
These are the deliverables of the Health Privacy Futures conference. The program has an outstanding lineup of health privacy leaders, with a deep and practical understanding of the Australian healthcare environment. I have attached a conference brochure which outlines the provisional conference program and featured speakers.
You can find out more about the conference, or you can register for this event, by going to the Health Privacy Futures website at www.healthprivacy.org.au. There are substantial discounts for Early Bird Registration which will end on October 8.
End Announcement.----
Those interested should consider attending.
David.