GAO says HHS is on the road to a coordinated privacy policy, but not there yet

GAO testimony before a Senate subcommittee yesterday provides a concise overview of the past few years’ developments in the realms of privacy and interoperability as they relate to HIT — both in terms of regulations and the superstructure necessary to implement them.

HHS believes that it is further down the road to developing an integrated approach to ensuring the protection of privacy of patient information than does GAO. 

It has certainly cooked up another big batch of alphabet soup — ONCHIT, NHIN, NCVHS, etc.  But per the GAO,

HHS is in the early stages of its efforts and has therefore not yet defined an overall approach for integrating its various privacy-related initiatives and addressing key privacy principles, nor has it defined milestones for integrating the results of these activities. GAO identified key challenges associated with protecting electronic personal health information in four areas (see table).

Update 2/5/07:  All of the testimony from the hearing is up on the subcommittee’s website.  Pay special attention to Mark Rothstein’s statement.  He chairs the privacy and confidentiality subcommittee of the National Committee on Vital and Health Statistics (NCVHS), and is rightfully steamed over HHS’s sitting on his recommendations for six months.  He began:

In my testimony today, I want to make only two points. First, HHS has made very little meaningful progress in developing and implementing measures to protect the privacy of health information in electronic health networks. Second, time is of the essence. HHS must begin to act immediately on the key privacy issues, and Congress needs to hold HHS accountable.

Here’s hoping that the regulatory structure can catch up with the realities of the marketplace.

— David Harlow