e-CareManagement blog

Chronic Disease Management • Technology • Strategy • Issues and Trends

Privacy Law Showdown? Setting the Stage

Today’s post is the first in a series entitled:

Modifications to HIPAA Privacy Laws: Impact on Microsoft HealthVault, Google Health, and other PHRs

We’ll explore how recent changes in privacy provisions of ARRA/HITECH Federal stimulus legislation affect personal health information (PHI) platform companies (e.g., HealthVault, Google Health, Dossia) and personal health record (PHR) companies.

Health IT expert and journalist Neil Versel described the issue in the April 7 issue of BNET Healthcare:

Although Google and Microsoft have gotten plenty of attention for their Web-based personal health records, both companies have long maintained that they’re not bound by the privacy protections of a 1996 federal law known as HIPAA. And despite a recent HIPAA change — one intended to extend its privacy provisions to services like Google Health and Microsoft’s HealthVault — both companies still insist they’re not bound by the law.

…“Our understanding is that HITECH, which is the jargon for [the health IT] part of the legislation, did not change the definition for a covered entity or a business associate, so our service is offered directly to the consumer,” Google Health Product Manager Roni Zeiger told Modern Healthcare last month. “[O]ur understanding is that we are neither a covered entity nor a business associate,” he continued. “We’re providing a service directly to the consumer or a patient.”

Microsoft offered a similar assessment at the annual Healthcare Information and Management Systems Society conference in Chicago. “We’re still outside [of HIPAA],” said David Cerino, general manager of Microsoft’s Health Solutions Group.

Not everybody agrees with Microsoft and Google. Versel commented in his own blog:

Excuse me? I’ve been struck since Day 1 with the arrogance Google seems to be exhibiting with its entry into healthcare … it seems to me Zeiger is intimating that the law doesn’t apply to Google.

In the BNET article, Versel also quotes David Brailer, the first head of the Office of the National Coordinator for Health Information Technology at HHS:

Brailer, who advised Congress extensively in the crafting of the legislation, is a little dumbfounded by Zeiger’s statement. “I think the intent of the law is clear. It is a fundamental principle of health IT that consumers must trust the stewards of their data,” he says.

Who’s right here? Why? And so what?

We’ll discuss these questions in a series of blog posts. Today’s post is the first of three:

  1. Overview
  2. Legal and Policy Analysis (by Deven McGraw of the Center for Democracy & Technology)
  3. Business Implications (by Vince Kuraitis and David C. Kibbe)

In the past we’ve distinguished between the PHI platform companies and PHR companies. The ARRA legislation does not make such a distinction. The term “personal health record” or PHR is used in the legislation — thus, if the product or service fits the definition, regardless of whether or not it is best described as a PHI platform or a PHR, the vendors are potentially subject to regulation as business associates. For the sake of simplicity and consistency with the legislation, we’ll use the term PHR from here on to encompass both PHI platform vendors and PHR vendors.

Let’s list three categories of PHR use cases:

  1. PHRs Primarily for Patient Benefit
  2. PHRs Primarily for Others’ Benefit
  3. PHRs for Patient and Others’ Benefit

In the second post in this series, Deven McGraw will describe and comment on differences among these categories.

Article Series - Modifications to HIPAA Privacy Laws: Impact on Microsoft HealthVault, Google Health, and other PHRs

  1. Privacy Law Showdown? Setting the Stage
  2. Privacy Law Showdown? Legal and Policy Analysis.
