
May 2008

May 07, 2008

PHRs and HIPAA

Posted May 7, 2008 by Lygeia Ricciardi

Recently Dr. Reid Cushman, who is part of a Project HealthDesign team at the University of Miami that is working on the ethical, legal and social implications of next-generation PHRs, posted a paper on “PHRs and the Next HIPAA”. I’d like to build on and perhaps further clarify some of the topics he raises.

Cushman begins by asking how the existing HIPAA law and regulation apply to PHRs. The short answer is “only somewhat.” The longer answer is that it depends on who is providing the PHR. If the PHR provider is a “Covered Entity” under HIPAA, the law applies to it, whether it is going about its regular business (like caring for patients or paying claims) or providing a PHR. Covered Entities include health plans, health care providers, and health care clearinghouses.

Most of the new entrants to the health field—whether they are providing platforms where consumer information is stored (such as Microsoft’s HealthVault) or PHR applications (including offerings by Google and CapMed)—are not considered Covered Entities and thus are not directly subject to HIPAA. So if Kaiser Permanente provides a PHR, it is covered. If Google provides a PHR, it is not.

An exception is that a PHR provider may sign a Business Associate agreement with a Covered Entity. In that case, the Business Associate has to comply with HIPAA’s rules, or, if it doesn’t, the sponsoring Covered Entity may be held liable. While this is coverage to a point, Business Associate agreements are not universally required or used, and even if they were, enforcement of HIPAA is notoriously weak.

The question of who is covered and who isn’t is essential because HIPAA protection depends on who holds the data—protection does not “follow” the data itself. So let’s say there is information in your doctor’s medical record about treatment of your diabetes. While that information is under your doctor’s care, it is covered by HIPAA. But if you get a copy of that information and enter it into an independent (non-HIPAA covered) PHR, that same information is no longer covered.

The big takeaway here is that many PHRs (and the health data in them) are in no way covered by HIPAA, or by any other significant and comprehensive source of privacy protection. And that’s a problem. It means that none of HIPAA’s safeguards (such as requiring certain technical security safeguards, privacy training for staff who work with the data, and authorizations from patients before the information is shared with other non-Covered Entities) are required.

How to fix the problem? Cushman asks whether PHRs should be covered by HIPAA, and there have been legislative proposals to do just that, most notably in Senate Bill 1418--the "Wired for Healthcare Quality Act"—which has been stalled since last summer in part because of more general concerns about how best to address privacy and health information exchange legislatively.

A different perspective, championed by the Center for Democracy and Technology, is that while extending HIPAA coverage to PHRs may appear to be an easy fix, it is not appropriate to address privacy in the evolving PHR landscape. HIPAA wasn’t written for entities outside of healthcare, and applying it to PHR companies could stifle innovation and even cause the unintended consequence of weakening privacy protections in some ways.

According to this viewpoint, what’s needed instead is to build on some of HIPAA’s underlying principles (see for example my previous discussion of Fair Information Practices) in establishing a broader framework of legal privacy protections that can then be tailored by regulation to fit the specific cases of PHRs, RHIOs, and other services or entities that handle health information but do not fall under HIPAA.

Regardless of the specific ways in which HIPAA is amended or built on, it is clear that privacy protections for PHRs and for health information exchange more broadly extend well beyond its scope.

May 04, 2008

The blurring line between cell phones and PHRs

Posted on May 4, 2008 by Lygeia Ricciardi

A couple of times this blog has discussed the use of cell phones--including efforts by Project HealthDesign grantees--for health applications. I wanted to draw your attention to a recent BusinessWeek article that profiles a range of uses of cell phones for health. Note also the RFID-embedded Band Aids!

May 01, 2008

PHR-Related Events in May

Posted May 1, 2008 by Lygeia Ricciardi

While there are many conferences and events that cover some aspect of the overlap between health and information technology, I wanted to draw your attention to a few coming up in the near future that highlight PHRs specifically.

May 6, 2008 – World Congress Leadership Summit on Consumer Connectivity & Web Empowerment
As part of this one-day leadership conference, Lygeia Ricciardi (Project HealthDesign’s blogger) and Vince Kuraitis (Better Health Technologies and the e-CareManagement blog) are on a panel on “Determining the Value and Future Direction of Employer Initiatives Seeking to Establish Employee PHRs” addressing the emerging personal health information network, privacy concerns, and the implications for employer-sponsored PHRs. (Boston, MA)

May 8, 2008 – National Web Conference on Practical Solutions for Engaging Consumers in the Design and Use of PHRs: Beyond User Centered Design
In this third of a three-part web series sponsored by the AHRQ National Resource Center for Health IT, Patty Brennan (Project HealthDesign’s National Program Director) and Kathy Hajopoulos (University of California, San Francisco Medical Center) will characterize the people, living at home, who use familiar (e.g. paper calendars) and electronic tools to accomplish health management tasks. They will then illustrate user-centered design activities employed by Project HealthDesign, including one team's approach to giving women with cancer the tools to create a life-sustaining balance of family life and medical treatment. To register, click on "Enroll". (Online, 1:30 to 3:00 PM Eastern)

May 15, 2008 – TIGER Consumer Empowerment/PHR Collaborative Meeting
The Technology Informatics Guiding Education Reform (TIGER) Initiative is focused on helping the nursing profession to adopt informatics tools, principles, theories and practices that make healthcare safer and more effective, efficient, patient-centered and equitable for all stakeholders. Register for their web-based meeting here.

May 15, 2008 -- HHS Public Consumer Empowerment Workgroup Meeting
This is a meeting of one of the workgroups of the American Health Information Community (the Community), run out of the Department of Health. It is made open to the public via webcast—you can ask questions at the end. (Online)

May 17-21, 2008 – TEPR (Towards the Electronic Patient Record)
The TEPR 2008 Annual Conference program, sponsored by the Medical Records Institute, addresses several major interests including consumer/patient IT systems. http://www.medrecinst.com/tepr/index2.html (Fort Lauderdale, FL)

May 21, 2008 – Moving Toward an E-Enabled Healthcare Environment: Telehealth, EMR, PHR, eRX, and Related Technology Tools from 30,000 Feet - Update and Status
This is an educational panel organized by the 2008 Capitol Hill Steering Committee on Telehealth and Healthcare Informatics, which has convened more than 100 widely attended, publicly available educational lunch sessions and technology demonstrations on Capitol Hill. Events are free of charge but require registration with the organizer, Neal Neuberger at nealn@hlthtech.com. (Washington, DC)

May 29 through 31 – AMIA Spring Congress
This meeting of the American Medical Informatics Association (AMIA) is designed to showcase the best of biomedical and health research and education by focusing on four topical tracks, one of which is PHRs. Ken Goodman (Project HealthDesign’s ethics advisor) will discuss “Key Ethical and Social Issues in a Future of Widespread PHR Adoption.” (Phoenix, AZ)