Data plan ignores privacy, GAO says

WASHINGTON --The Bush administration has no clear strategy to protect the privacy of patients as it promotes the use of electronic medical records throughout the nation's health care system, federal investigators say in a new report.

In the report, the Government Accountability Office, an investigative arm of Congress, said the administration had a jumble of studies and vague policy statements but no overall strategy to ensure that privacy protections would be built into computer networks linking insurers, doctors, hospitals and other health care providers.


President Bush has repeatedly called for the creation of such networks, through which health care providers could share information on patients. In 2004, Bush declared that every American should have a "personal electronic medical record" within 10 years -- by 2014.

With computerized records, he said, "we can avoid dangerous medical mistakes, reduce costs and improve care."


In response to the president's plea, federal officials have developed elaborate plans for what they describe as "a nationwide health information network." Bush has said: "One of the things I've insisted upon is that it's got to be secure and private. There's nothing more private than your own health records."

But in the report, issued this month, the GAO said that the administration had taken only rudimentary steps to safeguard sensitive personal data that would be exchanged over the network.

Sen. Daniel K. Akaka, a Hawaii Democrat who requested the investigation, said it showed that "the Bush administration is not doing enough to protect the privacy of confidential health information."

As a result, Akaka said, "more and more companies, health care providers, and carriers are moving forward with health information technology without the necessary protections."

In written comments on the report, Jim Nicholson, the secretary of veterans affairs, who supervises one of the nation's largest health care systems, said, "I concur with the GAO findings."

Dr. Robert M. Kolodner, who coordinates work on information technology at the Department of Health and Human Services, disputed the findings. Kolodner said his department was "very committed to privacy and security as it works toward the president's goal" of switching medical records from paper to electronic files.

Mark A. Rothstein, the chairman of a panel that advises the government on health information policy, essentially agreed with the accountability office. "Health privacy has not received adequate attention at the Department of Health and Human Services," said Rothstein, a professor of law and medical ethics at the University of Louisville School of Medicine. "A sense of urgency is lacking."

Rothstein said that "time is of the essence," because "the private sector is racing ahead" to establish medical record banks and health information exchanges. In December, he pointed out, Wal-Mart, Intel and other companies announced that they were creating a huge database that could store the personal health records of more than 2.5 million employees and retirees.


The companies promised they would have "stringent privacy policies and procedures."

Rothstein said that Congress should not provide more money for a nationwide health information network unless the administration does more to protect the privacy of electronic medical records.