HIPAA Rules Now Apply to PHRs

It's not a new law, but it's a tangible, short-term step toward protecting the privacy of patient data that travels online. To address loopholes in current patient privacy legislation, the Health and Human Services Department on Thursday proposed <a href="http://www.ofr.gov/OFRUpload/OFRData/2010-16718_PI.pdf">privacy rules</a> that would apply to vendors of technology that transmits personal health data.

This post was written by Aliya Sternstein.

The existing privacy law, the 1996 Health Insurance Portability and Accountability Act (HIPAA), mostly applies to providers and healthcare plans. It does not cover third-party health information technology companies, including Google and Microsoft, which now handle mounds of personal health data because patients, doctors and hospitals are increasingly turning to the Internet to improve care. Google and Microsoft offer so-called personal health records that patients create and control.

Thursday's regulations would impose most of the same rules that apply to HIPAA-covered entities on the business partners who work with those entities, such as personal health record vendors and operators of e-prescription systems. In addition, doctors and health plans would be forbidden from selling protected patient information without the patient's approval.

Ever since Congress committed $25.8 billion of economic stimulus money to health IT, the Obama administration has vowed to architect a nationwide health information network that is both efficient and protected.

"While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work," HHS Secretary Kathleen Sebelius reiterated in a statement on Thursday.

Privacy advocates have been begging Congress to pass a new health privacy law before the administration spends billions of stimulus dollars enticing the medical profession to switch to e-records. In the meantime, HHS has been instituting a series of rules that address e-records, such as Thursday's proposal. Bear in mind that rules can be revoked with the stroke of a pen, whereas laws require an act of Congress to change.

Clarification (Posted 6:40 pm, Friday, July 9.)

HIPAA RULES NOW APPLY to SOME PHRs

Thursday's privacy rule would only cover third-party PHR vendors if the vendors have a contract with the patient's doctor or health plan. Google and Microsoft products independently offered to consumers are not addressed in the proposal.

The new rule defines affected companies -- so-called business associates -- as third parties handling personal health data "on behalf of a covered entity," such as a provider or plan.

"We're going to be urging HHS to be more clear in their guidance [by providing] a facts and circumstances test of what is a business associate," said Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, a privacy group.

CDT's blog on Friday added that the guidance clarified some privacy and security elements "without shedding light on exactly when the business associate relationship is established in these circumstances. CDT would like greater official guidance on what factors HHS believes trigger business associate requirements for PHR vendors."