Confusion over HIPAA slows PHR adoption

Posted March 17, 2009 by Lygeia Ricciardi 

Yesterday Modern Healthcare ran an article (free registration is required for access) about the Mayo Clinic’s delay in deployment of Microsoft’s HealthVault personal health record (PHR) platform, despite an announcement by Mayo in January 2008 that it was planning to provide the tool in order to help its patients to “manage their health and become engaged partners with their providers in a new model of health care.”  

The primary cause for the delay is confusion about whether and how the Health Insurance Portability and Accountability Act (HIPAA) requires entities covered by it (such as Mayo) to establish formal “business associate” agreements with PHR providers (such as Microsoft) as a condition of doing business together.

While until recently many PHRs fell outside of HIPAA’s purview, the stimulus bill (which, when signed into law became the American Recovery and Reinvestment Act, or ARRA—a law that is generally very supportive of health information technology) attempted to extend aspects of its privacy and security coverage to additional PHR providers through their relationships with health care entities. But there is ongoing confusion about to whom these new rules apply. Google, for example, has claimed that the new language does not apply to its Google Health—a PHR platform similar to Health Vault.

Setting up business associate agreements with their partners would mean that PHR providers such as Microsoft and Google would be held to HIPAA’s privacy and security provisions, rather than outside of them, as is the case now. One interesting result of this change would be that data generated by users, such as observations of daily living (ODLs) on diet, exercise, or sleep, which can be added into PHRs would be protected by HIPAA’s privacy protections, which has never before been the case (unless such data were part of a doctor’s or other caregiver’s medical record, which is unusual). ARRA also supports stronger enforcement of HIPAA, so there could be substantial ramifications for privacy violations, which have historically been notoriously under-enforced.

As we’ve discussed previously in this blog, while providing more comprehensive privacy and security requirements for PHRs are in general likely to provide value to consumers and PHR providers alike, extending HIPAA’s reach is not the only mechanism through which to do so. It looks like Congress and/or the Department of Health may have to provide additional clarification or try a different approach to avoid slowing development of the field. What do you think would be best?  

Comments

If you would like a free guide to HIPAA Privacy & Security as enacted in ARRA and the HITECH Act, you can download the 1st Edition PDF from http://www.myhealthtechblog.com/2009/03/hipaa-survival-guide-1st-edition-released.html

Posted by: Deborah Leyva | March 17, 2009 at 12:25 PM

I believe electronic health care records will be much more secure and safe and HIPAA’s privacy protections will definitely insure it.

Posted by: medical records management | May 02, 2011 at 04:57 AM