GAO Recommends That FDA Ensure Data Security within the Sentinel System

June 11, 2009
Pharmaceutical Technology Editors

ePT--the Electronic Newsletter of Pharmaceutical Technology

The US Government Accountability Office recommended that the US Food and Drug Administration draft a plan, including milestones, for developing its Sentinel system and ensuring the privacy and security of patients' healthcare data.

In a report it published this month, the US Government Accountability Office (GAO) recommended that the US Food and Drug Administration draft a plan, including milestones, for developing its Sentinel system and ensuring the privacy and security of patients’ healthcare data. “The Sentinel system is still in the early planning stages, with key decisions about development and milestones yet to be made,” according to the report.

GAO noted the steps that FDA has taken to plan for the Sentinel system and obtain public input. The agency has met with stakeholders, assembled a senior management team to solicit comments from within the agency, and sought input from public and private bodies about refining research approaches and identifying challenges, according to the report.

FDA has not, however, established a mechanism for the oversight and enforcement of relevant policies, established an architecture for the system, or set privacy and security policies. In its report, GAO recommended that FDA:

  • Ensure that appropriate legal mechanisms are established to protect privacy and maintain security consistently throughout the Sentinel system

  • Define a clear and specific purpose for the system and ensure that partners use personal health information only for specified purposes

  • Ensure public involvement and inform the public of the program’s planned uses of personal health information

  • Ensure that de-identified information (i.e., data stripped of fields that uniquely identify individuals) is not reidentified

  • Establish adequate security controls to protect the personal health information associated with Sentinel

  • Establish oversight and enforcement mechanisms to ensure that privacy and security requirements are implemented consistently

In comments submitted to GAO, FDA agreed with these recommendations and reiterated its commitment to protecting the privacy and security of patients’ health information. The agency asserted, however, that GAO’s report contained inaccuracies that would mislead patients into believing that their protected health information was at risk.

In its comments, FDA said it planned to develop Sentinel as a distributed network, within which protected health information would not be shared. The data would remain under the control and protection of its owners. Data owners would analyze their data separately and only share summaries of the results.

FDA acknowledged, however, that further analysis conducted outside of Sentinel might sometimes be necessary. “Such secondary analysis could involve the sharing of protected health information, and many of the concerns raised in our report apply in these circumstances,” said GAO.

FDA established the Sentinel Initiative in May 2008 to comply with the FDA Amendments Act (FDAAA) of 2007. The Initiative’s goal is to examine electronic health data to identify and analyze the postmarket risks that drugs pose. FDAAA also required GAO to review the system, assess the initiative’s current status, and identify its key privacy and security challenges. GAO’s report fulfills this requirement.