Agencies using medical data got in the act early
VA had been dealing with privacy issues for years before the E-Government Act mandated agency assessments, Barbra Symonds says.
Agencies that handle medical information have a leg up on meeting the privacy requirements of the E-Government Act of 2002. The reason: They've been dealing with such issues for years.
Confidential medical information is subject to greater attention than other federal data, thanks to the 1970s Privacy Act and the Health Insurance Portability and Accountability Act of 1996. Therefore, agencies such as the Veterans Affairs Department and the Centers for Medicare and Medicaid Services (CMS) have already activated most of OMB's privacy requirements.
'The E-Gov Act put into law the privacy impact assessments that we have been doing in practice,' said Barbra Symonds, director of the Privacy Service in VA's Office of Cyber and Information Security within the Office of Information and Technology. 'But [VA] did not have the formal practice of submitting to OMB and notifying all of the project managers what had to be completed. It made it official and codified it for us.'
For example, VA has addressed privacy concerns in the systems it uses to plan IT projects, and offers employees special training to increase awareness of the issue.
The law also helped spur program managers to adopt standardized privacy policies.
OMB has emphasized the need for agencies to address privacy concerns during the design phase of IT systems. Such concerns had often fallen by the wayside, as agencies focused on simply getting systems operational.
But requiring privacy assessments as part of agencies' business cases puts the topic in focus early in the development process, Symonds said.
VA has integrated privacy assessment questions into its capital asset management system. Program managers preparing business cases, known as Exhibit 300s, answer privacy questions at the concept stage and again in the more detailed development phase.
VA assessed 300 business cases to determine which ones would require a privacy assessment. Symonds and her crew worked with project managers to collect the information, and submitted assessments to the CIO's office. The department did not uncover any real shortcomings as it assessed its own attention to privacy, she said.
Training online
VA also last month began using an online training module that details the responsibilities of program and project managers in incorporating privacy regulations with systems plans. The department this month will begin compiling and reviewing information for the 2006 budget business cases it will submit in September.
'We're doing a lot of educating and awareness at the beginning, planning and design stages, so we don't have unanticipated designs or results,' Symonds said.
While agencies that handle medical data have experience in maintaining data privacy, they face additional challenges in meeting the administration's goals to improve the ease and efficiency of online services.
'Basically, you have to treat this information like a treasure and hold yourself to a higher standard, but you can't let this hold you back,' said Julie Boughn, deputy director of the CMS IT Modernization Program Office. 'The biggest pressure is to do more things over the Internet among many stakeholders, while coming up with the resources to do them correctly to safeguard privacy.'
Health care providers and Medicare and Medicaid beneficiaries have called on CMS to put services online to make transactions easier and faster, Boughn said. Congress wants more services provided on the Web, too, but finding the resources to adequately protect the privacy of the information is a challenge.
'We have to make sure we're making the information more accessible, but only making it accessible to the people who should be able to see it,' Boughn said. 'To make it more accessible, we have to pay very close attention to our security.'
To meet HIPAA requirements for reporting how confidential data is used, agencies have had to build systems to track that information. Security managers like that rule, Boughn said, because it sets a standard for information security.