The push for a national system for the creation, storage and distribution of electronic medical data on hundreds of millions of Americans undertaken in 2004 by the Bush administration, the Secretary of Health and Human Services (HHS) and the Office of the National Coordinator for Health Information Technology, clearly holds enormous potential for streamlining health care services, costs and efficiencies. Securing that data and protecting electronic personal health information, however, continues to be a challenging task for HHS, according to a new report from the Government Accounting Office (GAO). Click here to see full story.

The progress report, the first since January 2007 on HHS’s efforts, credits the agency with advancing various initiatives to develop and implement an overall privacy approach.

Specifically the GAO gives HHS good marks for identifying milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, a goal GAO had outlined in its original report twenty months ago. Further GAO found that HHS has made some progress in ensuring that key privacy principles in HIPAA are fully addressed, and addressing key challenges associated with the nationwide exchange of health information.

As the report puts it, “The Office of the National Coordinator for Health IT has continued to develop and implement initiatives related to a nationwide health information network.” It continues, however, saying that, “ while the various initiatives that HHS has undertaken are contributing to the development and implementation of an overall privacy approach, more work remains.”

In particular GAO found that the department has not defined a process for ensuring that all privacy principles and challenges will be fully addressed or for ensuring that all stakeholders’ contributions to defining privacy-related activities are appropriately considered and that individual inputs to the privacy framework will be effectively assessed and prioritized to achieve comprehensive coverage of all key privacy principles and challenges.

What HHS continues to lack, according to GAO, is “a defined process for assessing and prioritizing the many privacy-related initiatives and the needs of stakeholders to ensure that privacy issues and challenges will be addressed fully and adequately.” ‘Without a process that accomplishes this,” the report says, “ HHS faces the risk that privacy protection measures may not be consistently and effectively built into health IT programs, thus jeopardizing patient privacy as well as the public confidence and trust that are essential to the success of a future nationwide health information network.”

“Although it has established milestones and assigned responsibility for integrating these outcomes and for the development of a confidentiality, privacy, and security framework,” the report adds, “ the department has not fully implemented our recommendation for an overall privacy approach that is essential to ensuring that privacy principles and challenges are fully and adequately addressed. Unless HHS’s privacy approach includes a defined process for assessing and prioritizing the many privacy-related initiatives, the department may not be able to ensure that key privacy principles and challenges will be fully and adequately addressed. Further, stakeholders may lack the overall policies and guidance needed to assist them in their efforts to ensure that privacy protection measures are consistently built into health IT programs and applications. As a result, the department may miss an opportunity to establish the high degree of public confidence and trust needed to help ensure the success of a nationwide health information network.”

GAO concludes by recommending that the Secretary of Health and Human Services direct the National Coordinator for Health IT to include in the department’s overall privacy approach a process for assessing and prioritizing its many privacy-related initiatives and the needs of stakeholders.