The Government Accountability Office (GAO) is issuing more than a dozen recommendations to the Department of Health and Human Services (HHS) after it discovered that HHS has failed to implement all the key privacy safeguards for its pandemic IT systems that collect and store personally identifiable information (PII).
According to its Sept. 18 report, GAO identified that HHS and its component agencies have 99 IT systems that support pandemic public health preparedness and response – 68 of which gather PII.
GAO said that 53 of those 68 systems have privacy impact assessments (PIAs), but that 15 did not have PIAs.
“Such assessments are essential to identifying and mitigating the privacy risks of systems containing PII,” the watchdog wrote. “Until HHS ensures that PIAs are developed for all of its systems containing PII, it will have less assurance that privacy risks are assessed to prevent unauthorized disclosure.”
Additionally, GAO randomly selected nine of HHS’s pandemic systems that include PII for review and found that not all of the key privacy safeguards have been implemented, such as developing PIAs and privacy plans.
“As a result, information collected and stored by some of these systems may be at higher risk for unauthorized disclosure,” the report reads.
Additionally, GAO found that HHS has failed to reduce unnecessary duplication of data in its systems supporting pandemic public health preparedness and response.
“HHS did not attempt to identify duplication or overlap for these systems. However, in its high-level review of the 99 systems, GAO identified instances of duplicative pandemic public health preparedness and response data in multiple systems,” the report reads. “For example, two pandemic systems that collected similar COVID-19 data, such as cases, deaths, and hospitalization data are managed by the same program office.”
GAO made 14 recommendations to HHS, including establishing a systems inventory, addressing duplicative data, and fully implementing privacy safeguards. HHS generally agreed with the recommendations but stated that it “may not be feasible” to “proactively and consistently identify and track” funding and staffing related to systems supporting pandemic public health preparedness and response.
“HHS will undertake its own cost/benefit analysis to determine how best to reduce unnecessary duplication and enhance efficiencies in public health data systems that support HHS’s pandemic preparedness and response efforts,” Melanie Egorin, HHS’s assistant secretary for legislation, said in response to GAO’s report.
