In another blow to the federal government's crusade for a nationwide infrastructure for sharing medical records, the Government Accountability Office (GAO) has said that efforts to coordinate privacy at the federal level don't pass muster.

In a report, the GAO criticized the Department of Health and Human Services (HHS) for issuing contracts to develop initiatives for health information technology (IT) records-sharing without setting up adequate privacy guidelines.

Although HHS won credit for championing the initiative to share health care records across different systems, the GAO found that it was still in the "early phases of identifying solutions ... and has therefore not yet defined an approach for integrating its various efforts or for fully addressing key privacy principles."

"Until HHS defines an integration approach and milestones for completing these steps, its overall approach for ensuring the privacy and protection of personal health information exchanged throughout a nationwide network will remain unclear," the report said.

HHS disagreed with some of GAO's conclusions, specifically the need for benchmarks to measure progress.


Assistant Secretary Vincent Ventimiglia said that "tightly scripted milestones" would impede HHS' ability to conduct dialogue with stakeholders involved in the initiative.

Among the GAO's findings:

• HHS needs to craft adequate security and policy measures for the interaction of contracting companies and subcontractors that handle medical and personal records. Under the Health Insurance Portability and Accountability Act (HIPAA), "covered entities" are governed by strict disclosure rules about what information they can share and gather, but business partners they share information with may not be.

• 70 percent of Americans are concerned about the potential for a data breach in any system that shares such a large amount of health and personal data.

• HHS' chief "privacy and security solutions contractor," which was not identified in the GAO report, was tasked with providing a report detailing privacy and security guidelines for health organizations in all 50 states, as well as addressing compatibility issues and offering solutions.

The Right To Medical Privacy

Concern over the safety of medical records and personal information has been on the rise in recent years, due in part to the continuing cases of data breaches and thefts of equipment that contain personal data.

Recent cases such as the Emory Healthcare laptop theft continue to illustrate the dangers of sharing information without adequate privacy controls.

The GAO published another report last year that found 40 percent of health insurance contractors and state Medicare/Medicaid agencies had violated customers' privacy in some fashion, and that many health technology vendors outsourced their work to still other vendors, increasing the risk of privacy violations.

Also on the rise is medical identity theft, in which fraudsters steal patients' financial information and use it to charge expensive treatments for themselves, leaving the victims holding the bag.

A lack of laws protecting medical information can mean that medical identity theft victims have thousands of dollars' worth of debt in their name for procedures they never authorized or went through with.

The wildly varying state laws regarding data privacy and breach notification have prompted calls for Congress to pass laws that mandate federal standards for data breaches, but critics have been unimpressed with the efforts so far, saying that they do too much for business and too little for the consumer.