Posted May 7, 2008 by Lygeia Ricciardi
Recently Dr. Reid Cushman, who is part of a Project HealthDesign team at the University of Miami that is working on the ethical, legal and social implications of next-generation PHRs, posted a paper on “PHRs and the Next HIPAA”. I’d like to build on and perhaps further clarify some of the topics he raises.
Cushman begins by asking how the existing HIPAA law and regulation apply to PHRs. The short answer is “only somewhat.” The longer answer is that it depends on who is providing the PHR. If the PHR provider is a “Covered Entity” under HIPAA, the law applies to them, whether they are going about their regular business (like caring for patients or paying claims) or providing a PHR. Covered Entities include health plans, health care providers, and healthcare clearinghouses.
Most of the new entrants to the health field—whether they are providing platforms where consumer information is stored (such as Microsoft’s HealthVault) or PHR applications (including offerings by Google and CapMed)—are not considered Covered Entities and thus are not directly subject to HIPAA. So if Kaiser Permanente provides a PHR, it is covered. If Google provides a PHR, it is not.
An exception is that a PHR provider may sign a Business Associate agreement with a Covered Entity. In that case, the Business Associate has to comply with HIPAA’s rules, or, if it doesn’t, the sponsoring Covered Entity may be held liable. While this is coverage to a point, Business Associate agreements are not universally required or used, and even if they were, enforcement of HIPAA is notoriously weak.
The question of who is covered and who isn’t is essential because HIPAA protection depends on who holds the data—protection does not “follow” the data itself. So let’s say there is information in your doctor’s medical record about treatment of your diabetes. While that information is under your doctor’s care, it is covered by HIPAA. But if you get a copy of that information and enter it into an independent (non-HIPAA covered) PHR, that same information is no longer covered.
The big takeaway here is that many PHRs (and the health data in them) are in no way covered by HIPAA--or any other significant and comprehensive source of privacy protection. And that’s a problem. It means none of HIPAA’s safeguards--like requiring certain technical security safeguards, privacy training for staff who work with the data, and authorizations from patients before the information is shared with other non-Covered Entities—are required.
How to fix the problem? Cushman asks whether PHRs should be covered by HIPAA, and there have been legislative proposals to do just that, most notably in Senate Bill 1418--the "Wired for Healthcare Quality Act"—which has been stalled since last summer in part because of more general concerns about how best to address privacy and health information exchange legislatively.
A different perspective, championed by the Center for Democracy and Technology, is that while extending HIPAA coverage to PHRs may appear to be an easy fix, it is not appropriate to address privacy in the evolving PHR landscape. HIPAA wasn’t written for entities outside of healthcare, and applying it to PHR companies could stifle innovation and even cause the unintended consequence of weakening privacy protections in some ways.
According to this viewpoint, what’s needed instead is to build on some of HIPAA’s underlying principles (see for example my previous discussion of Fair Information Practices) in establishing a broader framework of legal privacy protections that can then be tailored by regulation to fit the specific cases of PHRs, RHIOs, and other services or entities that handle health information but do not fall under HIPAA.
Regardless of the specific ways in which HIPAA is amended or built on, it is clear that the need for privacy protections for PHRs, and for health information exchange more broadly, extends well beyond HIPAA’s current scope.