Federal Privacy Regs Puzzle State AgenciesUnclear Rules Mean States, Localities Become Risk Adverse
State and local agencies that must comply with federal regulations have complained that they can be befuddled by privacy requirements that could limit the effectiveness of their information sharing systems.
See Also: Data Security Risk: A CISO's Perspective
The U.S. Government Accountability Office on Feb. 21 made pubic the report, Human Services: Sustained and Coordinated Efforts Could Facilitate Data Sharing While Protecting Privacy, which examined four selected states and localities that employed systematic and automated data sharing to improve eligibility or case management processes.
GAO said the stakeholders from the states of Michigan and Utah and from Allegheny County, Pa., and New York City identified a number of challenges to increased data sharing related to the interpretation of federal privacy requirements. These included confusion or misperceptions around what agencies are allowed to share as well as a tendency to be risk averse and overly cautious in their interpretation of federal privacy requirements.
A congressional auditor cited an example in which an agency's legal counsel might advise against sharing data as a precautionary measure rather than because of an explicit prohibition.
"Potential inconsistencies in federal privacy requirements that apply to data sharing across multiple programs are a challenge," Kay Brown, GAO director of education, workforce and income security issues, wrote in the report. "Child welfare workers have difficulty meeting a federal obligation to monitor and support foster care children's educational stability and performance because of the federal law limiting access to education records without parental consent."
Suggestions from Beyond the Beltway
Representatives from the state and local governments told GAO that federal agencies should:
- Clarify federal privacy requirements and consider harmonizing requirements, saying that would prove extremely useful;
- Develop model data sharing agreements and informed consent language that comply with federal privacy requirements or provide existing examples;
- Reexamine requirements to ensure more consistent privacy rules for data sharing across human services programs and agencies.
GAO, the investigative arm of Congress, began its inquiry at the bequest of Congressional oversight committees because state and local human services agencies administer funds from various federal programs to help those in need, many of whom are served by multiple programs.
Sen. Tom Carper, the Delaware Democrat who chairs the Senate Homeland Security and Governmental Affairs Committee, says the GAO report underscores the need for better collaboration between state agencies as well as the federal government to share key information.
"The federal government needs to lead this effort by clarifying for states the rules regarding the sharing and coordination of information," Carper says in a statement. "The GAO has laid out common sense steps that will allow state governments to utilize new technology, prevent fraud, run more effective programs, and reduce the burden and frustration of beneficiaries. It will also save a lot of money. That's what I like to call a win-win."
Rep. Dave Reichert, the Washington Republican who chairs the Ways and Means Subcommittee on Human Resources, sees the GAO report as refuting claims that privacy protection prevents states from conducting effective data exchanges.
GAO reports that federal agencies have some related efforts under way. Brown cited a Department of Health and Human Services initiative to prepare a toolkit that would describe privacy rules among several programs as well as typical data sharing activities, although specific plans for its completion, dissemination and follow-up have not been established.
In 2010, the Office of Management and Budget issued a memorandum to federal agencies to encourage sharing data while protecting privacy. But OMB told GAO that the White House budget office has no plans to undertake specific actions related to privacy requirements, such as identifying model data sharing agreements or other tools, citing resource constraints, although they acknowledged the usefulness of such tools.
GAO recommended that HHS ensure timely completion of its work to clarify privacy requirements across programs, and OMB consider additional ways to disseminate useful data sharing practices and tools that address privacy requirements.
HHS agreed with GAO's recommendation. OMB told GAO that it had continuing efforts to promote data sharing. Still, GAO said it continues to believe that OMB should do more in this area to specifically address privacy issues within existing resources.
Data sharing across programs can improve administrative efficiencies and client service but some agencies expressed concern about how to share more data while maintaining client privacy.