Posted March 17, 2009 by Lygeia Ricciardi
The primary cause for the delay is confusion about whether and how the Health Insurance Portability and Accountability Act (HIPAA) requires entities covered by it (such as Mayo) to establish formal “business associate” agreements with PHR providers (such as Microsoft) as a condition of doing business together.
While until recently many PHRs fell outside of HIPAA’s purview, the stimulus bill (which, when signed into law became the American Recovery and Reinvestment Act, or ARRA—a law that is generally very supportive of health information technology) attempted to extend aspects of its privacy and security coverage to additional PHR providers through their relationships with health care entities. But there is ongoing confusion about to whom these new rules apply. Google, for example, has claimed that the new language does not apply to its Google Health—a PHR platform similar to Health Vault.
Setting up business associate agreements with their partners would mean that PHR providers such as Microsoft and Google would be held to HIPAA’s privacy and security provisions, rather than outside of them, as is the case now. One interesting result of this change would be that data generated by users, such as observations of daily living (ODLs) on diet, exercise, or sleep, which can be added into PHRs would be protected by HIPAA’s privacy protections, which has never before been the case (unless such data were part of a doctor’s or other caregiver’s medical record, which is unusual). ARRA also supports stronger enforcement of HIPAA, so there could be substantial ramifications for privacy violations, which have historically been notoriously under-enforced.
As we’ve discussed previously in this blog, while providing more comprehensive privacy and security requirements for PHRs are in general likely to provide value to consumers and PHR providers alike, extending HIPAA’s reach is not the only mechanism through which to do so. It looks like Congress and/or the Department of Health may have to provide additional clarification or try a different approach to avoid slowing development of the field. What do you think would be best?