GAO questions HHS efforts to secure electronic health records

Computerworld - The U.S. Department of Health and Human Services (HHS) has not come up with a way to tie together the various initiatives it has ongoing to tackle the thorny privacy and security issues related to exchanging health care records electronically.

That concern is in a report released Thursday by the U.S. Government Accountability Office (GAO) that calls on HHS to define and put into place a comprehensive approach for protecting health information. Until it does that -- and identifies milestones for its approach -- the privacy and protection of personal health information exchanged through a nationwide network "will remain unclear," according to the report.

HHS disagreed with the GAO comments, the report said, arguing that it does have in place a "comprehensive and integrated approach for ensuring privacy and security of health information." In addition, HHS disagreed with the report's suggestion that it identify benchmarks for its work, noting that tightly scripted milestones "would impede HHS's processes and preclude stakeholder dialogue on the direction of important policy matters."

In addition to integrating its various privacy and security projects, the GAO recommended that HHS identify an entity who would be responsible for the integration of the privacy and security initiatives. HHS, however, did not comment on this suggestion, nor did it provide any information regarding any effort to assign responsibility for the activities, according to the report.

HHS officials did not respond to a request for comment on the GAO findings.

The report noted that HHS and its National Coordinator for Health IT have taken several steps to protect personal health information, including setting up two health information advisory committees and awarding several contracts that include requirements for addressing the privacy of health information exchanged nationwide.