In a report issued September 17, 2008, the GAO commented that the Department of Health and Human Services (HHS) has made substantial strides in devising a national plan for protecting the privacy of patients’ electronic personal health information, but that HHS still needs to do more to ensure key privacy principles are fully addressed. The GAO’s remarks were contained in a report to the U.S. Senate Committee on Homeland Security and Governmental Affairs on a follow-up study by the GAO of the Office of the National Coordinator of Health IT’s efforts to ensure the privacy of electronic personal health information exchanged within a nationwide health information network.

According to the report, the objective of the GAO was to provide an update on the department’s efforts to define and implement an overall privacy approach. In January 2007, the GAO had reported on the activities of HHS and the National Coordinator for HIT to identify solutions for protecting personal health information. At that point, the GAO noted that HHS was in the early stages of these activities and had not yet defined an overall approach for addressing key privacy principles and challenges, nor had HHS defined milestones or identified a responsible entity for integrating the results of these activities.

The GAO noted that the HHS Office of the National Coordinator for Health IT has continued to develop and implement health IT initiatives related to nationwide health information exchange, which are intended to address key privacy principles and challenges. The following examples of initiatives by the Office of the National Coordinator for Health IT were cited by the GAO:

• The Healthcare Information Technology Standards Panel defined standards for implementing security features and systems that process personal health information.

• The Certification Commission for Healthcare Information Technology defined certification criteria that include privacy protections for both outpatient and inpatient electronic health records.

• State-level initiatives (such as the Health Information Security and Privacy Collaboration and the State Alliance for e-Health) have convened stakeholders to identify and propose solutions for addressing challenges faced by health information exchange organizations and protecting the privacy of electronic health information.

The GAO concluded that while the above initiatives are significant in addressing privacy issues and challenges, they fall short of fully implementing the GAO’s previous recommendations. Specifically, the GAO commented that HHS had not defined, as part of its approach, a process for ensuring that all privacy principles and challenges will be fully and adequately addressed. A copy of this report, GAO-08-1138, is available on the GAO’s web site at