Privacy, security must be key for FDA drug-tracking system

Agency must protect and limit the use of the public's health information in a new computer system to analyze the benefits and adverse reactions of drugs.

The Food and Drug Administration's top priority in developing a system to track the reactions from newly approved drugs must be to protect the public's private health information, the Government Accountability Office reported on Tuesday.

FDA is responsible for analyzing the benefits and adverse reactions from medications and medical products it approves for public use. The 2007 Food and Drug Administration Amendments Act required the agency to develop a computer system that would track the performance of the drugs and devices by leveraging electronic health data, without compromising the public's privacy or security.

GAO conducted an audit of the planning process for the system, known as the Sentinel initiative, from May 2008 to May 2009. The agency wrote a report that did little more than warn FDA about the obvious. "Increased analytical use of personal health information raises concerns about the privacy and security of that information," GAO noted.

FDA has held several meetings with health care companies and patient and consumer advocacy groups, among others, according to the report. A senior management team was formed to collect input from around the agency. FDA also established a group to share information with agencies such as the Veterans Affairs and Defense departments, and has asked for input from public and private sector groups to identify issues.

"Because the Sentinel system is still in such an early stage of planning, FDA has yet to make key decisions related to major aspects of program development such as developing a governance model for oversight and enforcement of relevant policies and establishing an architecture," GAO said.

The agency recommended that FDA Commissioner Margaret Hamburg develop a plan for Sentinel that includes how the agency will reach milestones, protect the public's privacy and secure the system.

The watchdog agency also recommended FDA use personal health information for specific purposes, include citizens in the development of the system, inform the public about how it plans to use health information, strip data of personally identifiable components when possible, establish security controls, and enforce privacy and security requirements.

"Protecting the privacy and security of protected health information, as well as the security of all information FDA receives, is of paramount concern," Joshua Sharfstein, acting commissioner of food and drugs at FDA, said in a letter in response to the report. "From the beginning of this program, we have sought to engage thought leaders in the privacy and security field at every juncture."