But the GAO itself came in line for some harsh words, this time from a pair of privacy advocates who charge that the congressional watchdog has kept its head in the sand when it comes to the current privacy environment and the lack of protection afforded by a key federal privacy rule.
Meanwhile, the head of a coalition composed mostly of healthcare systems and pharmaceutical manufacturers and resellers testified in defense of the Health Insurance Portability and Accountability Act privacy rule, while warning against adding privacy constraints to it and calling for eliminating by federal pre-emption the more stringent state privacy laws that HIPAA now allows. And a privacy expert who worked on developing HIPAA during the Clinton administration chided the Justice Department and HHS for failing to enforce the act's existing privacy provisions.
The GAO's criticism of HHS came during a hearing of the House Oversight and Government Reform's Subcommittee on Information Policy, Census and National Archives.
Linda Koontz, director of information management issues for the congressional watchdog agency, and Valerie Melvin, its director of human capital and management information systems issues, were listed as authors of the 19 pages of written testimony.
In their recent testimony, the GAO officials recapped for the congressional subcommittee that their January report contained recommendations that HHS "define and implement an overall approach" for privacy protection and "identify milestones for integrating the outcomes of its privacy-related initiatives," as well as "ensure that key privacy principles are fully addressed."
The authors also noted that, initially, HHS disagreed with the GAO's recommendations, saying HHS already had a "comprehensive and integrated approach for ensuring the privacy and security of health information within nationwide health information exchange."
"While we acknowledged in our report that HHS has initiated key efforts to address its objective to protect consumer privacy, we found that HHS’ approach for addressing privacy and security did not address elements that should be included in a comprehensive privacy approach, such as milestones for integration, identification of the entity responsible for integrating the outcomes of privacy related initiatives, and plans to address key privacy principles and challenges," the GAO testimony said.
The GAO officials recognized that, in more recent discussions, ONCHIT head Robert Kolodner has "agreed with the need for an overall approach to protect health information and stated that the department was initiating steps to address our recommendation." Still, they said, "HHS is in the early stages of identifying solutions for protecting personal health information and has not yet defined an overall approach for integrating its various privacy-related initiatives and for addressing key privacy principles."
Further, the GAO officials' testimony noted that contracts with outside entities to provide advice on privacy policies "have not yet produced final results." For example, a $17.23 million HHS contract with RTI International—which created the Health Information Security and Privacy Collaboration and studied state privacy laws in 33 states and Puerto Rico as potential barriers to health information exchange—"has not yet reported its nationwide assessment of organizational and policy variations." RTI has a June 30 delivery deadline for its final report on that contract. The federal government also has contracted with the National Governors Association to take a state-by-state approach to privacy issues, but that work is only beginning.
In his PowerPoint presentation, Kolodner introduced a table that his staff prepared of privacy principles from five organizations. The NCVHS and its recommendations to Leavitt were not among the five.
After the meeting, however, in response to questions about the absence of NCVHS work product in the table, Kolodner sent an e-mail to his staff, asking whether the NCVHS recommendations included privacy principles and directing them to look at several sources of privacy principles in addition to the five sources they'd selected. Kolodner said the staffers "might be able to highlight the few principles they do include (if any) and then include those. ... If we can do so, we then demonstrate that this is an interactive process ... and one where we are willing to be responsive to suggestions."
One of the observations made by the NCVHS in its report to Leavitt was that the HIPAA privacy rule wasn't broad enough to protect patient privacy under an interconnected, national health information network as HHS envisioned. The GAO officials, in their testimony Tuesday, confirmed that "HIPAA's protection of health information is limited by its scope of defined terms," noting that it is applicable only to specified "covered entities," that is, health plans, healthcare providers and claims clearinghouses. "Our description of HIPAA's protection of privacy or personal health information is limited accordingly."
That is a key limitation, according to privacy advocates, and it points to a failing not only of HHS and ONCHIT, but also of the GAO.
Part two: privacy advocates, a HIPAA supporter and the GAO respond.