In testimony before a congressional oversight subcommittee last week, the GAO also cited HHS for not establishing milestones to measure its own progress toward that end.
The GAOs criticism of HHS came during a hearing of the House Oversight and Government Reforms Subcommittee on Information Policy, Census and National Archives. Linda Koontz, director of information management issues for the congressional watchdog agency, and Valerie Melvin, its director of human capital and management information systems issues, authored the 19 pages of written testimony.
In last weeks testimony, the authors also noted that HHS initially disagreed with the GAOs recommendations, saying HHS claimed it already had a comprehensive and integrated approach for ensuring the privacy and security of health information within nationwide health information exchange.
While we acknowledged in our report that HHS has initiated key efforts to address its objective to protect consumer privacy, we found that HHS approach for addressing privacy and security did not address elements that should be included in a comprehensive privacy approach, such as milestones for integration, identification of the entity responsible for integrating the outcomes of privacy-related initiatives, and plans to address key privacy principles and challenges, the GAO testimony said.
But HHS stance appeared to have softened, according to the GAO. The GAO officials noted that, in more recent discussions, ONCHIT head Robert Kolodner has agreed with the need for an overall approach to protect health information and stated that the department was initiating steps to address our recommendation.
Still, they said, HHS is in the early stages of identifying solutions for protecting personal health information and has not yet defined an overall approach for integrating its various privacy-related initiatives and for addressing key privacy principles.
Moreover, the GAO officials testimony noted that contracts with outside entities to provide advice on privacy policies have not yet produced final results. For example, a $17.23 million HHS contract with RTI Internationalwhich created the Health Information Security and Privacy Collaboration and studied state privacy laws in 33 states and Puerto Rico as potential barriers to health information exchangehas not yet reported its nationwide assessment of organizational and policy variations. RTI has a June 30 delivery deadline for its final report on that contract. The federal government also has contracted with the National Governors Association to take a state-by-state approach to privacy issues, but that work is only beginning.
After the meeting, in response to questions about the absence of NCVHS work product in ONCHITs deliberations, Kolodner sent an e-mail to his staff, asking whether the NCVHS recommendations included privacy principles and directed them to look at several sources of them in addition to the five sources theyd selected. Kolodner said the staffers might be able to highlight the few principles they do include (if any) and then include those. If we can do so, we then demonstrate that this is an interactive process and one where we are willing to be responsive to suggestions.