GAO cites HHS for not establishing IT milestones

Part one of a two-part series:

In an update of a January report, the Government Accountability Office has again criticized HHS for failing to have an integrated approach to developing a national privacy policy for healthcare information technology. In testimony before a congressional oversight subcommittee Tuesday, the GAO also cited HHS for not establishing milestones to measure its own progress toward that end.

But the GAO itself came in for some harsh words, this time from a pair of privacy advocates who charge that the congressional watchdog has kept its head in the sand when it comes to the current privacy environment and the lack of protection afforded by a key federal privacy rule.

Meanwhile, the head of a coalition composed mostly of healthcare systems and pharmaceutical manufacturers and resellers testified in defense of the Health Insurance Portability and Accountability Act privacy rule, while warning against adding privacy constraints to it and calling for eliminating, by federal pre-emption, the more stringent state privacy laws that HIPAA now allows. And a privacy expert who worked on developing HIPAA during the Clinton administration chided the Justice Department and HHS for failing to enforce the act's existing privacy provisions.

The GAO's criticism of HHS came during a hearing of the House Oversight and Government Reform's Subcommittee on Information Policy, Census and National Archives.

Linda Koontz, director of information management issues for the congressional watchdog agency, and Valerie Melvin, its director of human capital and management information systems issues, were listed as authors of the 19 pages of written testimony.

In a January report, the GAO knocked HHS and its Office of the National Coordinator for Health Information Technology, accusing them of foot-dragging in setting a national healthcare IT privacy policy.

In their recent testimony, the GAO officials recapped for the congressional subcommittee that their January report contained recommendations that HHS "define and implement an overall approach" for privacy protection and "identify milestones for integrating the outcomes of its privacy-related initiatives," as well as "ensure that key privacy principles are fully addressed."

The authors also noted that, initially, HHS disagreed with the GAO's recommendations, saying HHS already had a "comprehensive and integrated approach for ensuring the privacy and security of health information within nationwide health information exchange."

"While we acknowledged in our report that HHS has initiated key efforts to address its objective to protect consumer privacy, we found that HHS’ approach for addressing privacy and security did not address elements that should be included in a comprehensive privacy approach, such as milestones for integration, identification of the entity responsible for integrating the outcomes of privacy related initiatives, and plans to address key privacy principles and challenges," the GAO testimony said.

The GAO officials recognized that, in more recent discussions, ONCHIT head Robert Kolodner has "agreed with the need for an overall approach to protect health information and stated that the department was initiating steps to address our recommendation." Still, they said, "HHS is in the early stages of identifying solutions for protecting personal health information and has not yet defined an overall approach for integrating its various privacy-related initiatives and for addressing key privacy principles."

Further, the GAO officials' testimony noted that contracts with outside entities to provide advice on privacy policies "have not yet produced final results." For example, a $17.23 million HHS contract with RTI International—which created the Health Information Security and Privacy Collaboration and studied state privacy laws in 33 states and Puerto Rico as potential barriers to health information exchange—"has not yet reported its nationwide assessment of organizational and policy variations." RTI has a June 30 delivery deadline for its final report on that contract. The federal government also has contracted with the National Governors Association to take a state-by-state approach to privacy issues, but that work is only beginning.

The GAO also mentioned some early work was under way by a privacy, security and confidentiality work group formed last July under the American Health Information Community, an IT advisory panel appointed in 2005 by HHS Secretary Mike Leavitt. The work group, at AHIC's instruction, has spent much of its time thus far dealing with the security issue of IT system user authentication, not on broad privacy issues. Its co-chairman, Paul Feldman, resigned in February, citing his frustration over a lack of progress in developing a substantive privacy policy.

Additionally, the GAO officials testified Tuesday that HHS "has not accepted or agreed to implement the recommendations" made in a June 22, 2006 report to Leavitt by the National Committee on Vital and Health Statistics. The NCVHS spent 18 months developing its privacy policy recommendations specifically for an interoperable national health information network that HHS is proposing. The NCVHS provided Leavitt with 26 recommendations, including definitions of privacy as "an individual's right to control the acquisition, uses or disclosures of his or her identifiable health data," and confidentiality as "the obligations of those who receive information to respect the privacy interests of those to whom the data relate."

The notable absence of the NCVHS recommendations even from the limited ONCHIT privacy policy deliberations thus far was highlighted at an AHIC meeting last week when Kolodner revealed that his staffers had been setting up a process to select a set of healthcare IT privacy principles.

In his PowerPoint presentation, Kolodner introduced a table that his staff prepared of privacy principles from five organizations. The NCVHS and its recommendations to Leavitt were not among the five.

The head of the NCVHS privacy subcommittee, Mark Rothstein, who directs the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, said last week he had been unaware of the new ONCHIT privacy policy effort before Kolodner's announcement and he had not been contacted by ONCHIT staffers about the NCVHS privacy recommendations.

After the meeting, however, in response to questions about the absence of NCVHS work product in the table, Kolodner sent an e-mail to his staff, asking whether the NCVHS recommendations included privacy principles and directed them to look at several sources of privacy principles in addition to the five sources they'd selected. Kolodner said the staffers "might be able to highlight the few principles they do include (if any) and then include those. ... If we can do so, we then demonstrate that this is an interactive process ... and one where we are willing to be responsive to suggestions."

One of the observations made by the NCVHS in its report to Leavitt was that the HIPAA privacy rule wasn't broad enough to protect patient privacy under an interconnected, national health information network as HHS envisioned. The GAO officials, in their testimony Tuesday, confirmed that "HIPAA's protection of health information is limited by its scope of defined terms," noting that it is applicable only to specified "covered entities," that is, health plans, healthcare providers and claims clearinghouses. "Our description of HIPAA's protection of privacy or personal health information is limited accordingly."

That is a key limitation, according to privacy advocates, and it points to a failing not only of HHS and ONCHIT, but also of the GAO.

Part two will include responses from privacy advocates, a HIPAA supporter and the GAO.
