GAO: COVID-19: HHS Needs to Identify Duplicative Pandemic IT Systems and Implement Key Privacy Requirements

Why GAO Did This Study

HHS and its component agencies are responsible for managing data collection activities to support public health preparedness and response during public health emergencies, such as the COVID-19 pandemic. The Consolidated Appropriations Act of 2023 reiterates the need for HHS to improve these data collection capabilities and includes provisions for GAO to review those capabilities. In addition, the CARES Act includes a provision for GAO to monitor and oversee the federal response to the COVID-19 pandemic.

This report addresses, among other things, the extent to which HHS has (1) identified and reduced unnecessary duplication, overlap, or fragmentation in its preparedness and response data capabilities; and (2) instituted privacy safeguards on selected systems when collecting public health preparedness and response data.

GAO identified lists of systems and compared HHS and component agency efforts to identify unnecessary duplication, overlap, and fragmentation to federal law and guidance. GAO also randomly selected nine systems for review of component agency implementation of privacy safeguards for systems that collect and store PII.

What GAO Found

The Department of Health and Human Services (HHS) has not identified and reduced unnecessary duplication of data in its systems supporting pandemic public health preparedness and response. Because the department did not have a comprehensive list of these systems, GAO worked with key HHS component agencies and identified a total of 99 systems. HHS did not attempt to identify duplication or overlap for these systems. However, in its high-level review of the 99 systems, GAO identified instances of duplicative pandemic public health preparedness and response data in multiple systems. For example, two pandemic systems that collected similar COVID-19 data, such as cases, deaths, and hospitalization data, are managed by the same program office.

Regarding privacy, according to the component agencies, 68 of the 99 identified systems collect and store personally identifiable information (PII). These agencies developed privacy impact assessments (PIA) for 53 of the 68; 15 did not have such assessments. Such assessments are essential to identifying and mitigating the privacy risks of systems containing PII. Until HHS ensures that PIAs are developed for all of its systems containing PII, it will have less assurance that privacy risks are assessed to prevent unauthorized disclosure.

Further, HHS and its component agencies did not implement all of the key privacy safeguards for the nine systems that GAO randomly selected for review (see figure). As a result, information collected and stored by some of these systems may be at higher risk for unauthorized disclosure.

Recommendations

GAO is making 14 recommendations to HHS, including establishing a systems inventory, addressing duplicative data, and fully implementing privacy safeguards. HHS generally agreed with the recommendations but stated that two may not be feasible. GAO continues to believe they are valid.

Access the report here.
