On Capitol Hill

May 07, 2008

PHRs and HIPAA

Posted May 7, 2008 by Lygeia Ricciardi

Recently Dr. Reid Cushman, who is part of a Project HealthDesign team at the University of Miami that is working on the ethical, legal and social implications of next-generation PHRs, posted a paper on “PHRs and the Next HIPAA”. I’d like to build on and perhaps further clarify some of the topics he raises.

Cushman begins by asking how the existing HIPAA law and regulation apply to PHRs. The short answer is “only somewhat.” The longer answer is that it depends on who is providing the PHR. If the PHR provider is a “Covered Entity” under HIPAA, the law applies to them, whether they are going about their regular business (like caring for patients or paying claims) or providing a PHR. Covered Entities include health plans, health care providers, and healthcare clearing houses.

Most of the new entrants to the health field—whether they are providing platforms where consumer information is stored (such as Microsoft’s HealthVault) or PHR applications (including offerings by Google and CapMed)—are not considered Covered Entities and thus are not directly subject to HIPAA. So if Kaiser Permanente provides a PHR, it is covered. If Google provides a PHR, it is not.

An exception is that a PHR provider may sign a Business Associate agreement with a Covered Entity. In that case, the Business Associate has to comply with HIPAA’s rules, or, if it doesn’t, the sponsoring Covered Entity may be held liable. While this is coverage to a point, Business Associate agreements are not universally required or used, and even if they were, enforcement of HIPAA is notoriously weak.

The question of who is covered and who isn’t is essential because HIPAA protection depends on who holds the data—protection does not “follow” the data itself. So let’s say there is information in your doctor’s medical record about treatment of your diabetes. While that information is under your doctor’s care, it is covered by HIPAA. But if you get a copy of that information and enter it into an independent (non-HIPAA covered) PHR, that same information is no longer covered.

The big takeaway here is that many PHRs (and the health data in them) are in no way covered by HIPAA, or by any other significant and comprehensive source of privacy protection. And that’s a problem. It means none of HIPAA’s safeguards (like requiring certain technical security safeguards, privacy training for staff who work with the data, and authorizations from patients before the information is shared with other non-Covered Entities) are required.

How to fix the problem? Cushman asks whether PHRs should be covered by HIPAA, and there have been legislative proposals to do just that, most notably in Senate Bill 1418, the "Wired for Healthcare Quality Act", which has been stalled since last summer in part because of more general concerns about how best to address privacy and health information exchange legislatively.

A different perspective, championed by the Center for Democracy and Technology, is that while extending HIPAA coverage to PHRs may appear to be an easy fix, it is not appropriate to address privacy in the evolving PHR landscape. HIPAA wasn’t written for entities outside of healthcare, and applying it to PHR companies could stifle innovation and even cause the unintended consequence of weakening privacy protections in some ways.

According to this viewpoint, what’s needed instead is to build on some of HIPAA’s underlying principles (see for example my previous discussion of Fair Information Practices) in establishing a broader framework of legal privacy protections that can then be tailored by regulation to fit the specific cases of PHRs, RHIOs, and other services or entities that handle health information but do not fall under HIPAA.

Regardless of the specific ways in which HIPAA is amended or built on, it is clear that privacy protections for PHRs and for health information exchange more broadly extend well beyond its scope.

January 22, 2008

Openness in health care paper released

Posted January 22, 2008, by Lygeia Ricciardi

Today the Digital Connections Council of the Committee for Economic Development released “Harnessing Openness to Transform American Health Care” by Elliot Maxwell.

This is the paper many of you read advance copies of through this blog last October. Thanks for your interest and for harnessing openness yourselves by submitting your own commentary here and to the author directly.

January 16, 2008

Minimal federal government impact on PHRs in 2008?

Posted January 16, 2008 by Lygeia Ricciardi

The recently released budget for ONC—the Office of the National Coordinator (for Health IT)—remains the same as last year: $61.3 million. It didn’t receive the dramatic boost requested by President Bush (who asked for $117.9 million).

Though National Coordinator Robert Kolodner vows to “keep making progress”, anticipated work in a couple of areas will be curtailed, including the build out of the Nationwide Health Information Network (NHIN), for which expansion to additional communities had been planned, and work on defining the architecture of personal health records.

While in general I favor greater federal support for health information exchange, I tend to agree with Chilmark Research’s assessment of the budgetary flatlining, at least as it applies to PHRs. In short, PHRs and HIT in general will be “saved from meddling”. As Chilmark blogger John Moore points out, there are numerous other private sector and NGO efforts underway (he mentions Project HealthDesign among them) that are likely to be more relevant and effective in helping PHRs to progress.

When it comes to defining the platform architecture, technical features, and the like for PHRs, I strongly believe the private sector should take the lead, and government should avoid doing anything to hamper creative development. This is not to say that there isn’t a crucial role for the feds to play—notably in the area of defining legal and regulatory parameters to protect public privacy, as well as in making new tools and services available to underprivileged populations.

Though ONC is unlikely to make any dramatic moves affecting PHRs, and indeed major policy shakeups of any kind are unlikely in an election year, I am still keeping my eye on the Wired for HealthCare Quality Act, which I really do think is likely to pass this year.

Regardless of what happens in the federal government, we can look forward to June, when Project HealthDesign grantees unveil their prototype PHR applications at a DC event that culminates their 18-month journey. Stay tuned for more details!

December 20, 2007

Best Practices for Employers Offering PHRs

Posted by Lygeia Ricciardi on December 20, 2007

Yesterday the Health Privacy Project, the California HealthCare Foundation, and a group of corporate and nonprofit leaders released “Best Practices for Employers Offering Personal Health Records (PHRs)”. While a number of companies already are offering PHRs to their employees, concerns about consumer anxiety and regulatory uncertainty persist. The ten Best Practices are designed to address these concerns.

Highlights of the Best Practices include that employers should give employees control of access to and use of the PHR, and the establishment of “chain of trust” agreements between employers and their business partners to assure that information in the PHR is consistently protected. The companies and organizations that developed the Best Practices include the Center for Democracy & Technology, Dell, Google, Hewitt Associates, IBM, the Markle Foundation, Omnimedix Institute, Pfizer, Pitney Bowes, Revolution Health, Wal-Mart, and WebMD.

For the full story, go to www.healthprivacy.org/bestpractices

November 13, 2007

Who Pays for PHRs?

Posted by Lygeia Ricciardi on November 13, 2007

RTI International participates in numerous efforts that ultimately support PHRs and the electronic exchange of health information, including the multi-state security and privacy collaboration (HISPC) and a variety of research topics on health and communication. A recent study by Barbara Massoudi of RTI, who is a Project HealthDesign grantee, confirms a number of consumer attitudes toward PHRs you might expect. For example, consumers want:

  • User-friendly tools and interfaces
  • Control of who accesses their information
  • Strong security measures
  • Regular backups of PHR data
  • Enhanced communication with their care providers via a PHR

None of these findings particularly surprised me, though I am pleased to see them. One thing I am puzzling over, though (and I know I am not alone), is how the money that supports PHR development and use will flow.

On the one hand, Dr. Massoudi’s findings show that “consumers agree that some cost [to consumers] is probably necessary to make the system work.” Some survey participants said that they don’t value things when they are free, and most were willing to pay about $10/month for basic PHR subscription services.

On the other hand, study participants want financial incentives for using a PHR. They suggested discounts on health insurance premiums or income taxes, or at least the ability to use flex spending to pay for PHRs. Another option is to base consumer incentives on “pay for performance” rather than technology use. Health insurance companies could reward consumers for good behaviors that might be enhanced through use of a PHR (e.g., regular exercise) or even positive outcomes (e.g., improving cholesterol levels), though they’d have to be careful to avoid penalizing people for random chance (say, getting hit by a bus) or genetic bad luck (like a predisposition to develop breast cancer).

Perhaps some combination of asking consumers to pay for PHRs and paying them for using them well would indeed make sense. But then of course there’s the question of who should create the incentives: payers, employers, government? A number of stories about dentists paying their patients to stop them from eating excess candy circulated post-Halloween, but providers are sufficiently hampered by misaligned financial incentives that it doesn’t make sense for them to pay for PHRs, unless, as in the case of the Halloween candy, it can generate some good press.

In the absence of a complete health financing overhaul, perhaps the best strategy to promote PHRs is to design tools that really “work”. If well-designed and user-centric PHRs can indeed create a track record of improving health, I think it will be easy to get people—even consumers—to pay for them. Isn’t better health the ultimate incentive?

See Barbara Massoudi’s full slide deck from her recent “Steering Committee on Telehealth and Healthcare Informatics” briefing on Capitol Hill.

October 20, 2007

Openness in Healthcare

Posted by Lygeia Ricciardi on October 20, 2007

“With enough eyeballs, all bugs are shallow.” Roughly translated, a large enough number of minds can solve any technical problem. Such is the perspective of open-source advocate Eric S. Raymond.

If ever a morass of problems needed the input of many minds, it is the US health care system. In the next couple of months Elliot Maxwell, an author, lecturer, and IT strategy advisor, will publish a paper called “Openness in Healthcare” commissioned by the Committee for Economic Development, a non-profit economic and social policy research organization.

The paper explores the concept of openness in health care from many angles, including biomedical research—like the collaborative process behind mapping the human genome; access to data from ongoing clinical trials for drugs and devices; and the implications of EHRs, PHRs, and the information-sharing culture they encourage. According to Maxwell’s Rule, “the team with the most smart people wins." Yet he does not argue that greater openness is a necessary or even positive condition in all circumstances.

The paper opens the reader’s mind to new ways of approaching old problems. It also includes policy recommendations regarding areas in which Maxwell believes greater openness is most likely to have a positive impact. He has offered to make “advance” copies of the paper available to readers of the Project HealthDesign blog upon request. If you want one, please submit a request to this blog via the “post” function (I won’t post your request unless you include a comment).

So how does openness apply to Project HealthDesign and its grantees? Steve Downs, the Robert Wood Johnson Foundation program officer overseeing the project, has several ideas. First, Project HealthDesign is built on the assumption of an (eventual) open flow of health data. Though HIPAA gives people the right to ask for their health records, the information is typically not available in digital form. At some point, if PHRs are going to be successful, we’ll need the ability to download our personal health data, in a standard format, from all of our providers. Clearly we have a ways to go.

Another relevant aspect of openness is the concept of open source. As the grantees know, any creation resulting from Project HealthDesign must be either placed in the public domain or licensed as open source, meaning that the software “source code” is publicly available with few (or no) intellectual property restrictions. As Downs says, “Some of the teams are solving problems that others will encounter in ways that are generalizable—making those solutions publicly available is the best way to leverage their impact.” His hope is that access to the inner workings of nine cutting-edge PHR applications will catalyze development within the broader PHR industry.

On a related point, Downs points out the desirability of providing access to application programming interfaces, or APIs, for PHR services. APIs are interfaces that enable developers to write software that can communicate with or draw on the resources of the service that offers the API. For example, Microsoft has an API that enables developers to write programs that work with Windows. Similarly, Google Maps has an API that developers use to integrate mapping interfaces in their web sites. If services that maintain PHRs offered APIs, then developers, such as the Project HealthDesign grantees, could build tools that draw on the data stored in the PHRs. That way, not everyone who wants to build a better medication reminder service needs to solve the problem of how to get access to the current meds list; they can simply write to the API of the PHR provider and request the meds list.

As Elliot Maxwell points out in his paper, openness is not an absolute value, but a spectrum of possibilities. A question for Project HealthDesign grantees and others developing PHRs: Are there ways in which openness has been a help or a hindrance in your work? Do you have ideas about how the status quo should be more—or less—open?

October 19, 2007

Is your state working on Health IT legislation?

Posted by Lygeia Ricciardi on October 19, 2007

A couple of months ago I wrote about the federal Wired for Healthcare Quality Act of 2007. According to many experts, that bill is still probably the most important to watch if you care about Health IT, but it has been moving slowly. Among other things, in recent months Congress has instead been focused on reauthorizing the State Children's Health Insurance Program (SCHIP).

Perhaps in response to a slow rate of movement on the national front, states have been picking up the pace in passing their own health IT legislation. At the eHealth Initiative (eHI) national conference last week, Vice President Christine Bechtel reported that roughly 15 health IT bills have become law. Last year, 121 pieces of health IT legislation were introduced in 38 states. This year, already more than 200 have been introduced. The more recent bills place a greater emphasis than previous ones on tightly integrating health IT with the goals of increasing the quality, safety, and efficiency of health care.

Common themes of state health IT legislation include provision of funding for startup costs for RHIOs or healthcare providers, efforts to safeguard privacy, and encouraging consumer engagement in health through IT. This last theme is, of course, the most likely to impact developers of PHRs. To find out what your state is doing, have a look at eHI’s state legislation tracking center.

July 30, 2007

Health IT Legislation in the Works

At Project HealthDesign, we’ve challenged our grantee teams to push the PHR envelope by designing and testing a broad spectrum of innovations in how consumers can use information technology to better manage their health and more easily navigate the health care system.

While we’re looking toward the next generation of PHRs and personal health applications, it is also key to keep abreast of the current legislative landscape which, depending on how things play out, could significantly influence the development and utilization of these technologies.

Congress may soon pass the first bill with a primary aim of wiring the nation’s health system. The deal isn’t done, and not all parties are entirely pleased with it, but on June 21st, the Wired for Health Care Quality Act of 2007 gained Senate Committee approval. If nothing throws it off course, a version of it could come up for a full Senate vote early this fall. Sponsors of the bill are Senators Edward Kennedy (D-MA), Michael Enzi (R-WY), Hillary Clinton (D-NY), and Orrin Hatch (R-UT).

The Wired for Health Care Quality Act of 2007 (S.1693) would provide more than $320 million in grants and loans to help health care providers purchase and use IT systems and to support the development of local and regional health information exchange networks. It would also establish new and codify existing government bodies that work on health information technology (HIT) and encourage the integration of HIT into clinical education.

The bill also addresses privacy. Privacy is, of course, a key topic in HIT policy and PHR design discussions because national polls and surveys—and Project HealthDesign grantees’ user group testing—identify it as a primary concern in this context. People fear that digitization of their health information could lead to embarrassment and to discrimination by employers, insurance providers and others.

The privacy provisions of the Wired Act are relevant to PHR developers and Project HealthDesign on two levels. The most immediate is that they would expand the coverage of the privacy law, HIPAA—the Health Insurance Portability and Accountability Act—to include a number of entities involved in HIT that are not currently covered. While it does not specifically name PHRs and PHR companies, the bill’s definition of a new category of HIPAA “covered entity” is an “operator of a health information electronic database”…which could arguably apply to some PHRs.

Complying with HIPAA could require PHR companies to do some extra administrative work, but whether that work would provide the desired effect is open to debate. HIPAA was designed to protect patient privacy by limiting access to private health data to those involved in the daily business of clinical care, such as doctors and insurance providers, but as a July 3rd New York Times article “Keeping Patients' Details Private, Even From Kin,” recently pointed out, it is frequently misunderstood and misapplied, often to the detriment of patients. For example, because of misguided fears of violating HIPAA, many providers refuse to share critical information about a patient's condition even with their closest relatives. Given that HIPAA was not drafted with PHRs in mind, the likelihood of misapplication could be even higher.

Although the Wired bill as drafted would answer some privacy concerns (it addresses privacy in several specific contexts in addition to expanding HIPAA), according to some consumer advocacy organizations it does not go far enough in establishing—in an overarching way—who should have access to electronic personal health information and why, and what should happen in the event of a privacy leak.

A new addition to the picture is the introduction on July 18th of the Health Information Privacy and Security Act of 2007 (S.1814)—by the same primary sponsor as the Wired bill, Senator Edward Kennedy (D-MA), along with Senator Patrick Leahy (D-VT). This second bill would establish a more comprehensive set of privacy policies, but it’s not clear that both bills will become law. Passage of the Wired Act without the Privacy and Security Act, which is likely to be much more controversial politically, will be studied carefully to determine how it would amend HIPAA’s privacy provisions and to determine its effects on PHRs.

“HIPAA was never intended to be the final word on privacy,” said Ken Goodman, director of the University of Miami’s Bioethics Program and leader of the Project HealthDesign team looking at legal and ethical issues raised by PHRs. “These legislative initiatives make it clear that we are still trying to strike a balance between privacy rights and the benefits of electronic records. What we’ve learned repeatedly is that people will tend to vote with their feet; that is, if they value a technology and trust the safeguards in place to govern its use, some privacy anxiety will be reduced as the technology is adopted.”

“The same is true for PHRs,” Goodman said. “If patients value the convenience and improved care many believe PHRs will help provide, they will balance those benefits against privacy laws reckoned to be just a little too prickly.”

One of the goals of this blog is to keep readers informed about policies that could affect the development of PHRs. We’ve tried here to give you a glimpse at the lay of the land on Capitol Hill—and encourage you to post your opinions and reactions using the Comments link below. The full text of both bills can be found on the Library of Congress’ web site. A summary of the Health Information Privacy and Security Act of 2007 is on Senator Kennedy’s web site.