The implementation of new technology has moved ahead of the development of privacy and security policies under the federal governments current health IT efforts -- a move that could prove difficult and costly to reverse, government auditors said.
In a report released on Thursday, the Government Accountability Office said it wants HHS to define and implement an overall privacy plan that includes key principles that address differences in states laws, the amount of health information that could be released and the individuals ability to access and amend their own records.
In its report, the GAO said it wants HHS to establish tangible milestones and measures that ensure that personal health records and the overall exchange of health information will be properly secure and protected.
While progress has been made initiating these efforts, much work remains before they are completed and the outcomes of the various efforts are integrated, David Powner, director of information technology management issues at GAO, told federal lawmakers at a congressional hearing on Thursday.
HHS officials said they disagree with the GAO recommendation and, in written comments, referred the GAO to its comprehensive and integrated approach for ensuring the privacy and security of health information initiatives, according to the report.
In 2005, HHS awarded several health IT contracts that included requirements for addressing the privacy of personal health information. A year later, the department contracted for regional health information exchanges in 33 states and Puerto Rico as a way to field-test organization-level privacy and security-related policies, according to the report. AHIC also has a work group dedicated to privacy and security policy. by Matthew DoBias