May 07, 2008

PHRs and HIPAA

Posted May 7, 2008 by Lygeia Ricciardi

Recently Dr. Reid Cushman, who is part of a Project HealthDesign team at the University of Miami that is working on the ethical, legal and social implications of next-generation PHRs, posted a paper on “PHRs and the Next HIPAA”. I’d like to build on and perhaps further clarify some of the topics he raises.

Cushman begins by asking how the existing HIPAA law and regulation apply to PHRs. The short answer is “only somewhat.” The longer answer is that it depends on who is providing the PHR. If the PHR provider is a “Covered Entity” under HIPAA, the law applies to them, whether they are going about their regular business (like caring for patients or paying claims) or providing a PHR. Covered Entities include health plans, health care providers, and healthcare clearinghouses.

Most of the new entrants to the health field—whether they are providing platforms where consumer information is stored (such as Microsoft’s HealthVault) or PHR applications (including offerings by Google and CapMed)—are not considered Covered Entities and thus are not directly subject to HIPAA. So if Kaiser Permanente provides a PHR, it is covered. If Google provides a PHR, it is not.

An exception is that a PHR provider may sign a Business Associate agreement with a Covered Entity. In that case, the Business Associate has to comply with HIPAA’s rules, or, if it doesn’t, the sponsoring Covered Entity may be held liable. While this is coverage to a point, Business Associate agreements are not universally required or used, and even if they were, enforcement of HIPAA is notoriously weak.

The question of who is covered and who isn’t is essential because HIPAA protection depends on who holds the data—protection does not “follow” the data itself. So let’s say there is information in your doctor’s medical record about treatment of your diabetes. While that information is under your doctor’s care, it is covered by HIPAA. But if you get a copy of that information and enter it into an independent (non-HIPAA covered) PHR, that same information is no longer covered.

The big takeaway here is that many PHRs (and the health data in them) are in no way covered by HIPAA--or any other significant and comprehensive source of privacy protection. And that’s a problem. It means none of HIPAA’s safeguards--like requiring certain technical security safeguards, privacy training for staff who work with the data, and authorizations from patients before the information is shared with other non-Covered Entities—are required.

How to fix the problem? Cushman asks whether PHRs should be covered by HIPAA, and there have been legislative proposals to do just that, most notably in Senate Bill 1418--the "Wired for Healthcare Quality Act"—which has been stalled since last summer in part because of more general concerns about how best to address privacy and health information exchange legislatively.

A different perspective, championed by the Center for Democracy and Technology, is that while extending HIPAA coverage to PHRs may appear to be an easy fix, it is not appropriate to address privacy in the evolving PHR landscape. HIPAA wasn’t written for entities outside of healthcare, and applying it to PHR companies could stifle innovation and even cause the unintended consequence of weakening privacy protections in some ways.

According to this viewpoint, what’s needed instead is to build on some of HIPAA’s underlying principles (see for example my previous discussion of Fair Information Practices) in establishing a broader framework of legal privacy protections that can then be tailored by regulation to fit the specific cases of PHRs, RHIOs, and other services or entities that handle health information but do not fall under HIPAA.

Regardless of the specific ways in which HIPAA is amended or built on, it is clear that privacy protections for PHRs and for health information exchange more broadly extend well beyond its scope.

May 04, 2008

The blurring line between cell phones and PHRs

Posted on May 4, 2008 by Lygeia Ricciardi

A couple of times this blog has discussed the use of cell phones--including efforts by Project HealthDesign grantees--for health applications. I wanted to draw your attention to a recent BusinessWeek article that profiles a range of uses of cell phones for health. Note also the RFID-embedded Band Aids!

May 01, 2008

PHR-Related Events in May

Posted May 1, 2008 by Lygeia Ricciardi

While there are many conferences and events that cover some aspect of the overlap between health and information technology, I wanted to draw your attention to a few coming up in the near future that highlight PHRs specifically.

May 6, 2008 – World Congress Leadership Summit on Consumer Connectivity & Web Empowerment
As part of this one-day leadership conference, Lygeia Ricciardi (Project HealthDesign’s blogger) and Vince Kuraitis (Better Health Technologies and the e-CareManagement blog) are on a panel on “Determining the Value and Future Direction of Employer Initiatives Seeking to Establish Employee PHRs” addressing the emerging personal health information network, privacy concerns, and the implications for employer-sponsored PHRs. (Boston, MA)

May 8, 2008 – National Web Conference on Practical Solutions for Engaging Consumers in the Design and Use of PHRs: Beyond User Centered Design
In this third of a three-part web series sponsored by the AHRQ National Resource Center for Health IT, Patty Brennan (Project HealthDesign’s National Program Director) and Kathy Hajopoulos (University of California, San Francisco Medical Center) will characterize the people, living at home, who use familiar (e.g. paper calendars) and electronic tools to accomplish health management tasks. They will then illustrate user-centered design activities employed by Project HealthDesign, including one team's approach to give women with cancer the tools to create a life-sustaining balance of family life and medical treatment. To register, click on "Enroll". (Online, 1:30 to 3:00 PM Eastern)

May 15, 2008 – TIGER Consumer Empowerment/PHR Collaborative Meeting
The Technology Informatics Guiding Education Reform (TIGER) Initiative is focused on helping the nursing profession to adopt informatics tools, principles, theories and practices that make healthcare safer and more effective, efficient, patient-centered and equitable for all stakeholders. Register for their web-based meeting here.

May 15, 2008 -- HHS Public Consumer Empowerment Workgroup Meeting
This is a meeting of one of the workgroups of the American Health Information Community (the Community), run out of the Department of Health. It is made open to the public via webcast—you can ask questions at the end. (Online)

May 17-21, 2008 – TEPR (Towards the Electronic Patient Record)
The TEPR 2008 Annual Conference program, sponsored by the Medical Records Institute, addresses several major interests including consumer/patient IT systems. http://www.medrecinst.com/tepr/index2.html (Fort Lauderdale, FL)

May 21, 2008 – Moving Toward an E-Enabled Healthcare Environment: Telehealth, EMR, PHR, eRX, and Related Technology Tools from 30,000 Feet - Update and Status
This is an educational panel organized by the 2008 Capitol Hill Steering Committee on Telehealth and Healthcare Informatics, which has convened more than 100 widely attended, publicly available educational lunch sessions and technology demonstrations on Capitol Hill. Events are free of charge but require registration with the organizer, Neal Neuberger at nealn@hlthtech.com. (Washington, DC)

May 29 through 31 – AMIA Spring Congress
This meeting of the American Medical Informatics Association (AMIA) is designed to showcase the best of biomedical and health research and education by focusing on four topical tracks, one of which is PHRs. Ken Goodman (Project HealthDesign’s ethics advisor) will discuss “Key Ethical and Social Issues in a Future of Widespread PHR Adoption.” (Phoenix, AZ)

April 26, 2008

Implantable RFID chips marketed to consumers

Posted April 26, 2008 by Lygeia Ricciardi

Following on our previous discussion of implanted RFID to store health information, note that VeriChip, maker of the chips, is now marketing direct to consumers.

April 17, 2008

PHRs and Patient Control in the New England Journal of Medicine

Posted April 17, 2008 by Lygeia Ricciardi

In the New England Journal of Medicine’s April 17th edition, Kenneth Mandl and Isaac Kohane provide an overview of PHRs and their impact on health care delivery and biomedical research. The article, available by subscription, is also discussed in the New York Times today. You can also find a thoughtful analysis of it on Mark Frisse’s policy blog (Dr Frisse is the Director of Regional Informatics Programs through the Vanderbilt Center for Better Health and a Professor in the Vanderbilt Department of Biomedical Informatics).

In the same issue, there is also an article by Robert Steinbrook entitled Personally Controlled Online Health Data — The Next Big Thing in Medical Care?

April 16, 2008

A Banner Month for Health Privacy Breaches

Posted April 16, 2008 by Lygeia Ricciardi

It’s been a particularly busy month in the world of health privacy breaches. Health records have been breached both individually and in massive data sets. They include highly personal information on the young and the old, the rich and famous and the poor.

Although Project HealthDesign and its next generation PHR tools are vastly different from the data repository type records that were recently breached, the Project is very aware of the vulnerabilities that exist within current systems and the need to address those vulnerabilities in any context—its work in association with the University of Miami Bioethics Program continues in that direction.

On Monday the Wall Street Journal reported that nearly 50,000 patient records had been improperly accessed using the computer login of an employee of New York-Presbyterian Hospital. The employee, who worked in patient admissions, sold data on about 2,000 people for roughly $1,350 total.

On April 8, 2008, meanwhile, The Atlanta Journal-Constitution reported that the insurance records of 71,000 disadvantaged Georgia families had been made public. The families were participating in insurance programs for the poor.

On April 3, 2008 the Los Angeles Times reported that staff at the UCLA Medical Center had gone through the cancer treatment records of 70’s TV star Farrah Fawcett (of Charlie’s Angels fame). The Enquirer posted news about the return of her cancer on its web site soon after Fawcett herself had learned of it, and before she had told her son and close friends. The story followed news that pop star Britney Spears’ privacy was breached at the same center following her hospitalization in a psychiatric ward earlier this year.

In late March we learned that a laptop containing personal medical information on about 2,500 patients enrolled in a National Institutes of Health (NIH) cardiac study had been stolen from the trunk of an employee’s car.

Let’s let this month’s impressive lineup of health privacy breaches serve as a reminder that the topic is, unfortunately, still very much a growing concern as health information becomes more liquid. For some ideas about how to address privacy from a policy and technical perspective, see previous blog entries on privacy (and the Project HealthDesign e-Primer on Privacy and PHRs).

April 01, 2008

PHR-Related Events in April--Updated

Updated April 10, 2008 by Lygeia Ricciardi

While there are many conferences and events that cover some aspect of the overlap between health and information technology, I wanted to draw your attention to a few coming up this month that are particularly relevant to PHRs:

April 3, 2008 – Personal Health Records: Personal Control of Health Data and Patient Provider Communications.
This is the 2nd in a 3-part Series of web conferences on Personal Health Records sponsored by the Agency for Healthcare Research and Quality. (Online)

April 11-13, 2008 – Consumer Health Informatics: An Intensive Learning Experience
The purpose of this two and one-half day course is to increase the knowledge of clinicians on the needs of the consumer for using e-health systems to provide benefits throughout society. It will offer an in-depth look at the latest research, systems, and practice in Consumer Health Informatics. (Claremont, California)

April 15, 2008 -- HHS Public Consumer Empowerment Workgroup Meeting
This is a meeting of one of the workgroups of the American Health Information Community (the Community), run out of the Department of Health. It is made open to the public via webcast—you can ask questions at the end. (Online)

April 17, 2008 -- Healthcare Informatics Webinar: Google, Microsoft, & Dossia Create the Personal Information Network
In this webinar, experts Vince Kuraitis and David Kibbe discuss their vision of the Personal Health Information Network. 1:00PM Eastern, 10:00AM Pacific. (Online)

April 23/24, 2008 -- HIMSS Virtual Conference & Expo
This is not a Web Seminar; it is a fully interactive event that incorporates online learning, live chat, active movement in and out of exhibit booths and sessions, vendor presentations, contests and more. The conference is 100 percent virtual. Speakers include Jonathan Bush (athenahealth) and Matthew Holt (The Healthcare Blog). (Online)

April 24, 2008 – Innovations in Healthcare Delivery
The Federal Trade Commission will host a one-day public workshop to examine recent trends in health care delivery. In a series of panel discussions, workshop participants will consider the competition and consumer protection issues regarding particular health care delivery innovations. (Washington, DC)

March 27, 2008

Project HealthDesign and HL7 functional requirements for PHRs compared

Posted on March 27, 2008 by Lygeia Ricciardi

On February 25, 2008 Project HealthDesign publicly released its functional requirements for PHRs. Since then we’ve gotten several comments and questions asking how they relate to other efforts, particularly those of the PHR work group of the healthcare standards development organization HL7, which released its functional model for PHRs in November of 2007. (You can download it in a zip file here.)

While there is some similarity in the two efforts (both address the desirable features, functions, and infrastructural elements of PHRs), they differ in their objectives, methods, and scope.

The primary objectives of the Project HealthDesign effort are to accelerate the development of PHR applications by obviating the need for developers to create common “building blocks” from scratch each time, and also to facilitate interoperability among PHR applications through the sharing of data and/or common application interfaces.

The Project HealthDesign building blocks (or “platform components,” which will be developed later this year) are not PHR applications unto themselves, but software modules that may be used by or integrated into PHR applications to provide useful services (the way, for example, that a master-patient index is a software module used by HIT applications). For example, one such module provides services for storing and managing medication lists, and another for storing and managing calendar data.

These components won’t necessarily provide the full set of end-user functionality, but they identify the data that the components should handle and the operations that they should provide to *enable* PHR applications themselves to provide the functions that end users need. In this regard, the Project HealthDesign functional requirements are most closely associated with the "infrastructure functions" that the HL7 work group defined.

The stated objective of the HL7 effort, meanwhile, is to “define a standardized model of the functions that may be present in PHR Systems”. According to HL7’s Overview of the PHR-System functional model, the PHR functions can be used to:

• Promote a common understanding of PHR functions upon which developers, vendors, users and other interested parties can plan and evaluate PHR functions.

• Provide the necessary framework to drive the requirements and applications of next level standards, such as PHR content, coding, information models, constructs and interoperability for information portability between sub-systems of a PHR-S and across more than one PHR.

• Establish a standards-based method by which individual countries can apply these PHR functions to care settings, uses, and priorities.

• Inform those concerned with secondary use of PHR data and national infrastructure what functions can be expected in a PHR System.

In short, Project HealthDesign is supporting the development of concrete modular building blocks for engineering PHRs, while HL7 is focused largely on the relatively abstract task of defining the ideal end-user functionality of PHRs.

As far as method is concerned, the Project HealthDesign team followed a “bottom up” or inductive approach, dictated by the needs identified by the grantee teams in their development work, while the HL7 team followed a “top down” or deductive model in which a variety of experts collaborated over the course of several years to envision a broad array of functions that they think should be part of PHRs.

Finally, there is a difference in scope. The HL7 requirements are designed primarily to parallel those of clinical records systems; the Project HealthDesign ones also emphasize consumer-generated data that does not correspond to information in a clinical records system and may in fact prove useful only to the patient (e.g., how far he runs each day, or the regularity of her menstrual cycle).

The two initiatives validate each other by identifying many similar elements. They are complementary in that Project HealthDesign can vet some of HL7’s existing requirements through field testing and perhaps suggest some new ones; at the same time HL7 can help to identify potential extensions to the Project HealthDesign functional requirements.

The Project HealthDesign team hopes that its requirements will be used by many different information models, such as the CCR and proprietary clinical information systems, and that they will serve as a model for new requirements descriptions.

March 20, 2008

Using the iPhone for eHealth

Posted on March 20, 2008 by Lygeia Ricciardi

Last summer this blog highlighted the trend toward using cell phones as a means of accessing or linking to a PHR. Earlier this month Apple, maker of the popular iPhone, released a software development kit (SDK) that makes it easier for programmers outside of Apple to write applications for it.

Applications of many types are expected to result from this greater access to the iPhone's inner workings. Several were on show at Apple's announcement of the software development kit, including one for medical professionals produced by ePocrates. Other updates to the iPhone include e-mail and data-syncing software that will make it more attractive for business users.

While seeding the development of consumer health applications was not a specific focus of Apple's announcement, they will not be far behind. See the previous post on cell phones for brief descriptions of two patient applications for the iPhone that Project HealthDesign teams are currently working on.

In June Apple will release its iPhone 2.0 update, at which time the public will be able to download iPhone applications from iTunes just like music.

For more on the potential implications of greater openness in health care generally (including the openness of code), see the post inspired by the paper “Harnessing Openness to Transform American Health Care” by Elliot Maxwell, which was published early this year.

March 19, 2008

Value of PHRs to be Studied

Posted on March 19, 2008 by Lygeia Ricciardi

According to Digital HealthCare & Productivity.com, Kaiser Permanente and Microsoft agreed to sponsor a study by the Center for Information Technology Leadership (CITL), a nonprofit research center in Boston, on the potential impact, costs, and value of PHRs. The expected date of completion is some time in fall, 2008.