Privacy Law Showdown? Setting the Stage

Today’s post is the first in a series entitled:

Modifications to HIPAA Privacy Laws: Impact on Microsoft HealthVault, Google Health, and other PHRs

We’ll explore how recent changes in the privacy provisions of the ARRA/HITECH Federal stimulus legislation affect personal health information (PHI) platform companies (e.g., HealthVault, Google Health, Dossia) and personal health record (PHR) companies.

Health IT expert and journalist Neil Versel described the issue in the April 7 issue of BNET Healthcare:

Although Google and Microsoft have gotten plenty of attention for their Web-based personal health records, both companies have long maintained that they’re not bound by the privacy protections of a 1996 federal law known as HIPAA. And despite a recent HIPAA change — one intended to extend its privacy provisions to services like Google Health and Microsoft’s HealthVault — both companies still insist they’re not bound by the law.

…“Our understanding is that HITECH, which is the jargon for [the health IT] part of the legislation, did not change the definition for a covered entity or a business associate, so our service is offered directly to the consumer,” Google Health Product Manager Roni Zeiger told Modern Healthcare last month. “[O]ur understanding is that we are neither a covered entity nor a business associate,” he continued. “We’re providing a service directly to the consumer or a patient.”

Microsoft offered a similar assessment at the annual Healthcare Information and Management Systems Society conference in Chicago. “We’re still outside [of HIPAA],” said David Cerino, general manager of Microsoft’s Health Solutions Group.

Not everybody agrees with Microsoft and Google. Versel commented in his own blog:

Excuse me? I’ve been struck since Day 1 with the arrogance Google seems to be exhibiting with its entry into healthcare … it seems to me Zeiger is intimating that the law doesn’t apply to Google.

In the BNET article, Versel also quotes David Brailer, the first head of the Office of the National Coordinator for Health Information Technology at HHS:

Brailer, who advised Congress extensively in the crafting of the legislation, is a little dumbfounded by Zeiger’s statement. “I think the intent of the law is clear. It is a fundamental principle of health IT that consumers must trust the stewards of their data,” he says.

Who’s right here? Why? And so what?

We’ll discuss these questions in a series of blog posts. Today’s post is the first of three:

  1. Overview
  2. Legal and Policy Analysis (by Deven McGraw of the Center for Democracy & Technology)
  3. Business Implications (by Vince Kuraitis and David C. Kibbe)

In the past we’ve distinguished between the PHI platform companies and PHR companies. The ARRA legislation does not make such a distinction. The term “personal health record” or PHR is used in the legislation — thus, if the product or service fits the definition, regardless of whether or not it is best described as a PHI platform or a PHR, the vendors are potentially subject to regulation as business associates. For sake of simplicity and consistency with the legislation, we’ll use the term PHR from here on to encompass both PHI platform vendors and PHR vendors.

Let’s list three categories of PHR use cases:

  1. PHRs Primarily for Patient Benefit
  2. PHRs Primarily for Others’ Benefit
  3. PHRs for Patient and Others’ Benefit

In the second post in this series, Deven McGraw will describe and comment on differences among these categories.

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License. Feel free to republish this post with attribution.