GAO: HHS guidelines for health data de-identification still lacking
Government agencies risk compromising citizens' security and privacy through possible improper de-identification of electronically submitted patient information, says a June 22 Government Accountability Office report.
The Health and Human Services Department's Office of Civil Rights has failed to create and distribute proper guidelines to the entities involved on the correct method of removing personal identifiers from health data, ignoring requirements in the Health Information Technology for Economic and Clinical Health Act, the GAO says.
The act directed HHS to design a resource for de-identification implementation by February 2010, but the agency has yet to comply. Competing priorities for resources and internal reviews forced the delay, OCR officials told auditors.
Because of this noncompliance, patients cannot have complete confidence that medical researchers and others involved in handling personally identifiable information properly follow identification removal standards, says the GAO.
The department's lack of an established long-term system for auditing entities' de-identification progress increases the risk that protected health information will be mishandled, the GAO report adds.
In the official response to the report, however, HHS Assistant Secretary for Legislation Jim Esquea disagreed, noting that companies and groups have been operating in compliance with de-identification methods for upwards of 10 years and that the OCR has not found these standards to present a significant number of operational issues.
Layla Jones is an editorial intern with the FierceMarkets Government Group.