COVID-19: HHS Needs to Identify Duplicative Pandemic IT Systems and Implement Key Privacy Requirements

GAO-24-106638 Published: Sep 18, 2024. Publicly Released: Sep 18, 2024.
Fast Facts

The Department of Health and Human Services gathers key information needed for public health emergencies, such as pandemics. This includes data on critical response resources and medical care capacity, among other things.

We reviewed HHS's efforts to reduce unnecessary duplication, overlap, or fragmentation in the systems it uses to collect this kind of data, and its efforts to protect personal information.

HHS doesn't have a comprehensive list of these systems and hasn't identified or reduced unnecessary duplication.

HHS didn't fully implement key privacy safeguards for the 9 systems we reviewed.

Our 14 recommendations address these issues.

Highlights

What GAO Found

The Department of Health and Human Services (HHS) has not identified and reduced unnecessary duplication of data in its systems supporting pandemic public health preparedness and response. Because the department did not have a comprehensive list of these systems, GAO worked with key HHS component agencies and identified a total of 99 systems. HHS did not attempt to identify duplication or overlap for these systems. However, in its high-level review of the 99 systems, GAO identified instances of duplicative pandemic public health preparedness and response data in multiple systems. For example, two pandemic systems that collected similar COVID-19 data, such as cases, deaths, and hospitalization data, are managed by the same program office.

Regarding privacy, according to the component agencies, 68 of the 99 identified systems collect and store personally identifiable information (PII). These agencies developed privacy impact assessments (PIA) for 53 of the 68; 15 did not have such assessments. Such assessments are essential to identifying and mitigating the privacy risks of systems containing PII. Until HHS ensures that PIAs are developed for all of its systems containing PII, it will have less assurance that privacy risks are assessed to prevent unauthorized disclosure.

Further, HHS and its component agencies did not implement all of the key privacy safeguards for the nine systems that GAO randomly selected for review (see figure). As a result, information collected and stored by some of these systems may be at higher risk for unauthorized disclosure.

HHS Component Agencies Implementation of Key Privacy Safeguards for Selected Pandemic Systems

Why GAO Did This Study

HHS and its component agencies are responsible for managing data collection activities to support public health preparedness and response during public health emergencies, such as the COVID-19 pandemic. The Consolidated Appropriations Act of 2023 reiterates the need for HHS to improve these data collection capabilities and includes provisions for GAO to review those capabilities. In addition, the CARES Act includes a provision for GAO to monitor and oversee the federal response to the COVID-19 pandemic.

This report addresses, among other things, the extent to which HHS has (1) identified and reduced unnecessary duplication, overlap, or fragmentation in its preparedness and response data capabilities; and (2) instituted privacy safeguards on selected systems when collecting public health preparedness and response data.

GAO identified lists of systems and compared HHS and component agency efforts to identify unnecessary duplication, overlap, and fragmentation to federal law and guidance. GAO also randomly selected nine systems for review of component agency implementation of privacy safeguards for systems that collect and store PII.

Recommendations

GAO is making 14 recommendations to HHS, including establishing a systems inventory, addressing duplicative data, and fully implementing privacy safeguards. HHS generally agreed with the recommendations, although stating that two may not be feasible. GAO continues to believe they are valid.

Recommendations for Executive Action

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the HHS CIO develops and maintains a department-wide comprehensive list of systems, including component systems, that support pandemic public health preparedness and response. (Recommendation 1)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the HHS CIO conducts reviews of systems that support pandemic public health preparedness and response across the department to identify and reduce any unnecessary duplication, overlap, or fragmentation and identify mitigation options, such as consolidation or elimination of systems. The HHS CIO should share the results of its reviews with components when identifying any instances of unnecessary duplication, overlap, or fragmentation. (Recommendation 2)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that component agencies proactively and consistently identify and track the funding sources and costs dedicated to operating and maintaining all of their systems supporting pandemic public health preparedness and response. (Recommendation 3)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that component agencies proactively and consistently identify and track staffing resources, including the type and number of staff dedicated to managing all of their systems supporting pandemic public health preparedness and response. (Recommendation 4)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the Administration for Strategic Preparedness and Response has an updated privacy impact assessment for the Cooperative Agreement Accountability and Management Platform. (Recommendation 5)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the Administration for Strategic Preparedness and Response revises the system privacy plan for ASPR Ready to include the privacy controls in place or planned for meeting the privacy requirements. (Recommendation 6)
Status: Closed – Implemented
In September 2024, we verified that the Administration for Strategic Preparedness and Response updated the ASPR Ready privacy plan to include the privacy controls in place or planned for meeting privacy requirements. As a result, the agency has increased assurance that a key system used for pandemic preparedness and response has adequate privacy controls in place to protect sensitive information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the Administration for Strategic Preparedness and Response develops assessments of privacy controls for ASPR Ready and the Electronic Medical Records System. (Recommendation 7)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the Administration for Strategic Preparedness and Response develops the authorization to operate for the Electronic Medical Records System. (Recommendation 8)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the Director of the Centers for Disease Control and Prevention conducts and develops privacy impact assessments for all pandemic public health preparedness and response systems that include personally identifiable information. (Recommendation 9)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the Director of the Centers for Disease Control and Prevention ensures that the senior official for privacy reviews and approves the system security categorizations for the COVID-19 Clearinghouse and HHS Protect. (Recommendation 10)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the Commissioner of the Food and Drug Administration conducts and develops privacy impact assessments for all pandemic public health preparedness and response systems that include personally identifiable information. (Recommendation 11)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the Commissioner of the Food and Drug Administration conducts an assessment to determine if a system of records notice is required for the Biologics Information Tracking System – Compliance. (Recommendation 12)
Status: Closed – Implemented
In September 2024, we verified that the Food and Drug Administration took action to conduct an assessment to determine whether a system of records notice was required for the Biologics Information Tracking System - Compliance. The agency determined that a system of records notice was not required for the system. As a result, FDA has increased assurance that it has not mistakenly failed to inform the public about the department's use of personally identifiable information for Biologics Information Tracking System - Compliance.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the Commissioner of the Food and Drug Administration ensures that the senior official for privacy reviews and approves the system security categorization for the Biologics Information Tracking System – Compliance. (Recommendation 13)
Status: Closed – Implemented
In September 2024, we verified that the Food and Drug Administration's senior official for privacy reviewed and approved the system security categorization for the Biologics Information Tracking System - Compliance. As a result, the Food and Drug Administration has increased assurance that the determination of the potential impact of a loss of personally identifiable information was appropriate.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should ensure that the Commissioner of the Food and Drug Administration develops an assessment of privacy controls for the Biologics Information Tracking System – Compliance. (Recommendation 14)
Status: Closed – Implemented
In September 2024, we verified that the Food and Drug Administration assessed the privacy controls for the Biologics Information Tracking System - Compliance system. As a result, the Food and Drug Administration has increased assurance that it is adequately protecting the sensitive information stored in the system.

GAO Contacts

Jennifer Franks
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Best practices, Health care, Human capital management, Information systems, Pandemics, Personally identifiable information, Privacy, Public health, Public health emergencies, Biologics