Thinking Beyond HIPAA: PHRs and Privacy

Outline
✓ HIPAA Privacy Rule and “covered entities”
✓ PHRs
✓ Google Health’s privacy policy vs. HealthVault’s
✓ Arguments for/against extending HIPAA coverage
✓ Author’s recommendation

What you need to know about HIPAA

HIPAA
The Health Insurance Portability and Accountability Act
(HIPAA) of 1996 Privacy Rule governs covered
entities use and disclosure of individual’s
protected health information (PHI) in any form.
It has built-in standards for privacy and security, including
standards governing disclosure, access, and correction.
PHI is a subset of individually identifiable health
information that is maintained or transmitted in
any form (including oral) and is created or
received by a health care provider.
It relates to the past, present or future physical
or mental condition of an individual; provision
of health care to an individual; or payment for
that health care; and identifies or could be used
to identify the individual.
Source: EPIC.org Source: Office for Civil Rights

HIPAA
The HIPAA Privacy Rule gives you a right to privacy
for those people (covered entities) you HAVE to share
your health secrets, not those you CHOOSE.

A “Covered Entity” Is:
HIPAA
A healthcare clearinghouse
Converts health data into or out of standard formats
Or
A sponsor
Provides Medicare prescription drug cards
Or
A healthcare provider
Provides healthcare or services as defined under HIPAA.
Or
A health plan
Provides insurance

A “Non-Covered Entity” Is Everything Else. Including:
HIPAA
Internet Companies Employers
&

HIPAA
Because HIPAA gives patients
the right to access,
inspect, and copy PHI held by covered entities,
patients are able to manually input their health information into
PHRs offered by non-covered entities.
This is why HIPAA non-covered
entities are not necessarily in
defiance of HIPAA.

Covered Entity Non-Covered Entity
HIPAA
HIPAA still regulates how
information from a covered entity
enters a PHR.
=Most Control
Source: Office for Civil Rights

HIPAA Privacy Shortcomings
HIPAA
✓ Large degree of sharing information without consent
- Loophole in “health care operations” category
- Loophole in usage of limited data sets
In a limited data set only 16 specified identifiers
are removed, which is 2 identifiers short of fully
de-identified data:
1) Dates: including those for the patient’s birth,
admissions, treatment, discharge, and payment
history
2) Geographical locators: such as city, state,
and ZIP codes to stay with the patients records.”
Source: Modern Healthcare
Source: Office for Civil Rights

Limited Data
“Just giving a date of birth, gender and ZIP
code can identify 86% of people in the United
States by name.” - Paul Tang, Chief Medical Information Officer of Palo
Alto Medical Foundation
Modern Healthcare, 01607480, September 29, 2008, Vol. 38, Issue 39

Ex. Loopholes
Loophole Ex. Loophole Ex.
“A drug manufacturer can pay a
physician or a pharmacy to send refill
“Health care entities are allowed, for
reminders to patients, or to send
fundraising activities, to release to
information about a drug to all
business associates - without explicit
patients identified with a particular
individual authorization - limited
conditions or taking particular
patient information...This clause was
medications. Although the drug
responsible for the data breached at
manufacturer would not get the PHI
UCLA Medical Center when they
from the physician or pharmacy, it
hired an outside firm to do a fund
would accomplish the same
raising program.”
marketing goals by paying someone
else to promote its products.”
Source: EPIC.org Source: Chilmark Research

What you need to know about PHRs

PHRs
“A personal health record (PHR) is an electronic
record of an individual’s health information by which
the individual controls access to the information and
may have the ability to manage, track, and
participate in his or her own health care.”
Source: Office for Civil Rights

EHRs
Not to be confused with PHR, EHR stands for
electronic health record and refers to a system
that collects patient medical data from
multiple sources exclusively for health care providers.

EHRs & ARRA
The House just passed the American Recovery &
Reinvestment Act (ARRA) of 2009, in part to
incentivize healthcare providers to migrate to EHRs.
Sequentially this legislation may
increase the availability and
reliability of PHRs.
Health Information Technology Provision:
Provides $19 billion of financial incentives to
help physicians purchase and implement HIT,
specifically for the development of uniform
electronic standards.
Source: AMA Source: American Medical Association & Health
Data Management Magazine

ARRA
Privacy Provision:
Expands the current HIPAA privacy & security protections
around the e-transfer of patient health info through Health
Information Technology systems. And, proposes
temporary breach notification requirements for
previously unregulated entities.
NOTE: The Privacy Provision is a “Draft Rule,” meaning
that it is a temporary requirement that will remain in
effect until Congress passes new legislation based on a
“A breach of security is defined as the
acquisition of identifiable health report currently in development by the Health & Human
information of an individual, from a PHR, Services and the Federal Trade Commission.
without authorization. De-identified
information fall outside the scope of the rule.
Source: info.rmatics.org Source: American Medical Association & Health
Data Management Magazine

ARRA
The FTC staff estimates that PHR related companies
would on average experience 11 data breaches a
year, with the associated breach notification costs
averaging $1M a year for each company.
Source: Modern Healthcare. April 20, 2009 v39 i16 p10.

Things to look for in privacy policies

NC Privacy Policies
Privacy policies vary widely among PHRs offered by
HIPAA non-covered entities. Even the top two
Internet company’s PHR privacy policies have
discrepancies, which makes informed consent less likely.
NOTE: The following slides represent
privacy policy information I found posted
on the websites of Google Health and
Microsoft HealthVault.

Sharing Info Sharing Info Sharing Info
“We do not sell user health information, and we do
“No Program or individual has access to your info
not share it with other individuals or services unless a
through the Service unless and until an authorized
user explicitly authorizes us to do so, or in the limited
user opts-in.”
circumstances described in our privacy policy.”
“Service users with whom you have shared your
“If you share your information with others, you can records can also give a Program access to those
view a list of who has access to your information and records. You can see a complete history of how
you can revoke sharing privileges at any time.” Programs have accessed the information in your
records.”
“You can approve access for some websites to view You can decide which Programs you want to use. You
your health information. If a website accesses your must approve (or deny) the Program’s access. The access
health information and stores a copy of your info, request will include (a) the type of info the Program will
that copy will be governed by that site’s privacy access and (b) what the Program wants to do with the info
policy...Google is not responsible for the content, (view, add, modify). The Service [also] provides links to
performance, or privacy policy of third-party each Program’s privacy statements at the time the Service
websites.” asks you to authorize the Program’s access.”
Source: Google Health Privacy Policy &
HealthVault Privacy Policy

“Microsoft may use aggregated info from the Service
to improve the quality of the Service and for
Non PII
“Aggregate, de-identified user information can be marketing of the Service...Microsoft does not use
used to publish trends.” your individual account and record information from
the Service for marketing without first asking for and
receiving your opt-in consent.”
“We use personal information collected through the
Service, including health info, to provide you with
important info about the Service; to send you the
PII
Directed to another privacy policy provided by Google.
HealthVault e-mail newsletter if you opt-in; & to
determine your age and location to help determine
whether you qualify for an account.”
Employees
“Microsoft occasionally hires other companies to
“A limited number of employees in particular job provide limited services on our behalf, such as
functions may have access to user information in answering customer questions about products. We
order to operate and improve Google Health.” give those companies only the personal information
they need to deliver the service.”
Source: Google Health Privacy Policy &
HealthVault Privacy Policy

“We use a variety of security technologies and
procedures...we store the personal information you
Security
“Google Health secures information by using SSL
encryption, back up systems, and other cutting- provide on computer servers w/ limited access that
edge information security technology.” are located in controlled facilities (in the U.S.A.)...the
Service sends all communications (except e-mail)
using SSL.”
Compliance Deleting Info
“You can completely delete your info at any time. “You can close your account at any time. We
Such deletions will take immediate effect in your will wait 90 days before permanently deleting
account, and backup copies may persist for a your account.”
short time.”
“HealthVault complies with the HONcode (Health
On The Net Foundation) standard for trustworthy
“Google adheres to the US Safe Harbor privacy health information.”
principles.”
“Microsoft is a member of the TRUSTe Privacy
Program.”
Source: Google Health Privacy Policy &
HealthVault Privacy Policy

“For material changes, changes to the privacy
policy, we will notify you either by placing a
NO mention of a notification if the privacy policy notice on the home page of the HealthVault Web
Comm
is changed or a stipulation necessitating opt-in sit or by sending you a notification directly...Your
consent to new changes. continued use of the service constitutes your
agreement to this privacy statement and any
updates.”
3 different sites you have to refer to for
3 different sites you have to refer to for
complete privacy policy coverage:
Comm
complete privacy policy coverage:
Google Health Developer Policies,
Service Agreement, Code of Conduct, Health
Department of Commerce for Safe Harbor
on the Net Foundation
Framework, Google Privacy Policy
Overall, the GH policy is conversational, concise
Readability
with little to no industry jargon. Note: Only
those privacy issues specific to the Google Comprehensive policy, some industry jargon,
Health Product were listed (to learn about the sufficient level of detail.
more generic, applicable policies, users are
directed to the Google company privacy policy).
Source: Google Health Privacy Policy &
HealthVault Privacy Policy

The strengths of the Microsoft HealthVault Privacy
Strengths
Policy are: communication with
The strengths of the Google Health Privacy Policy
subscribers, opt-in standards &
are: readability & opt-in standards.
granular control of personal health
data when sharing with 3rd parties.
The weaknesses of the Google Health Privacy
Weaknesses
Policy are: defining key terms (like PII), The weaknesses of the Google Health Privacy
no granular control of personal health Policy is: defining key terms (like PII) &
data when sharing with 3rd parties, readability.
communication with subscribers.

NC Privacy Policies
“Among experts, Microsoft earns generally high
marks for its promise not to divulge
information without a user’s say so.
HealthVault lets patients search for health information
without leaving the site - so other sites can’t access users
IP address or other identifying data. And before
connecting to a patient to a partner’s or advertiser’s site,
it posts that site’s privacy policy.”
- Deborah Peel, Founder of Patient Privacy Rights
Source: The Washington Post. March 11, 2008. Page HE01.

Arguments for and against extending HIPAA

Pro HIPAA
✓ Minimum necessary clause
✓ Consistency among privacy coverage
✓ Strong security provisions
✓ Strong consumer coverage when enforced by HHS
✓ Less burden on individual consent
“Practice that protected health information
should not be used or disclosed when it is not
necessary to satisfy a particular purpose or
carry out a function. The minimum necessary
standard requires covered entities to evaluate
their practices and enhance safeguards as
needed to limit unnecessary or
inappropriate access to and disclosure of
protected health information.”
Source: HHS.org

Against HIPAA
✓ Insufficient rules to address issues unique to PHRs
- Ex. risks & penalties for data re-identification
✓ Not enforced unless patient recognized
✓ Limited data set is outdated standards for de-identifying
✓ Loopholes that allow for disclosure without consent

Against HIPAA
“Bringing third-party PHRs under the scope of HIPAA
authorizes the disclosure of highly sensitive data outside
the health care system, with each such disclosure subject
only to patient authorization.”
Meaning the burden of protecting healthcare
privacy would be more on the patients
themselves if HIPAA was extended to non-
covered entities, which could offer more
bargaining power to PHR providers.
Source: Center for Democracy & Technology

Opinion: Revise HIPAA before extending it

Opinion: Revise
✓ Restrict PHR vendors from engaging in certain practices,
alleviating some of the burden from the patient
✓ Necessitate opt-ins for all personal information shared
✓ Revoke the health care operations clause from PHR
coverage
✓ Enact stricter rules on limited data sets (i.e. removing
birth year)
✓ Standardize key terms, like personal health information

Appendix

Strength Weakness
PHR SWOT
Patient control
Little to no fiscal cost Privacy
Portability Data Liquidity
Promotes preventative medicine Accuracy of data
Easier to manage chronic diseases Abundance of unhelpful data
Easier to manage health of others
Opportunity Threat
Revisions to HIPAA
Current HIPAA Privacy Rule extended
Granular control of 3rd-party access
Partnerships Security
Interoperability Doctor Liability
Improved research Accuracy of data
Counter healthcare costs

Category Criteria HV GH
Contact Info
Altarum Criteria
Effective Date
Communication w/ vendor Notification of change in policy
Opt-in to changes
Alternative language
Readability Readability (1-3) 1 being best 2 1
FAQ
De-activated accounts
Coverage Buy/sell company
Cookies
Solicit voluntary participation
Gathering non-personal data Web-service logs
Opt-out options
Different policy for identifiable & de-identified
Business Associates
Family members
Clinical trials
Detail how/if information is Research
shared Marketing
Law Enforcement
Other
Consent Prior to Sharing
Personal Health Information
Definition of critical terms De-identified
HIPAA
URAC
Data guidelines compliant w/ Safe Harbor Guidelines
privacy codes American Medical Association
Health on the Net Foundation
SSL Encryption
Security provisions Location of servers

Definitions
Privacy: An individual’s right to control the acquisition, uses, or
disclosures of his or her identifiable data
Confidentiality: Refers to the obligations of those who
receive information to respect the privacy interests of those to
who the data relate
Security: Refers to the physical, technological, or administrative
safeguards or tools used to protect identifiable health data from
unwarranted access or disclosure
Source: Altarum

Bibliography
Anderson, Howard J. “PHRs: Where Are We Headed?; Cutting through the hype about personal health
records to assess their long-term viability.” Health Data Management. May 2008. Retrieved 27th May
2009. Lexis Nexis.
Armijo, D. S Chin . J Christensen. J Desper. A Hong. K Knewale. R Lecker. Altarum. “Review of the
Personal Health Record (PHR) Service Provider Market: Privacy and Security.” January 5, 2007.
Retrieved 26 May 2009. Google.
Center for Democracy and Technology. “Why the HIPAA Privacy Rules Would Not Adequately Protect
Personal Health Records.” September 2008. Retrieved 26 May 2009. Lexis Nexis.
Chilmark Research, “iPHR Market Report: Analysis & Trends of Internet-based Personal Health Records
Market.: May 2008. Retrieved 27 May 2009. Google.
Conn, Joseph. “Safe and secure?; Data encryption just one option under security law.” Modern Healthcare.
May 11, 2009. Retrieved 28 May 2009. Lexis Nexis.
Cushman, Reid. “PHRs and the Next HIPAA.” Retrieved 28 May 2009. Lexis Nexis.
Gerber, Michael S. “New Ways to Manage Health Data.” The Washington Post. March 11, 2008. Retrieved
28th May 2009. Google.
More, John. “Why Extending HIPAA to PHRs is NOT a Good Idea.” May 5, 2008. Chilmark Research blog.
Retrieved 26 May 2009.
Robeznieks, Andis. “Getting personal; Legal Liability, patient- data overload among issues making physicians
uneasy over emergence of personal health records.” Modern Healthcare. May 12, 2007. Retrieved 27
May 2009. Lexis Nexis.

Bibliography
American Medical Association: http://www.ama-assn.org/
Electronic Privacy Center: http://epic.org/
Fierce Health IT: http://www.fiercehealthit.com/search?
cx=011289095233894766042%3Ac5fapsqk1gy&cof=FORID%3A9&as_q=PHR&sa=Go#1226
Google Health Privacy Policy: http://www.google.com/intl/en-US/health/privacy.html
Government Health IT: http://govhealthit.com/portals/electronic-health-records.aspx
Microsoft HealthVault Privacy Policy: http://healthvault.com/privacy-policy.html
Office for Civil Rights. “Personal Health Records and the HIPAA Privacy Rule.” Retrieved 26 May 2009.
Google. http://209.85.173.132/search?q=cache:hvTysWy8IfsJ:www.hhs.gov/ocr/privacy/hipaa/
understanding/special/healthit/phrs.pdf+Personal+Health+Records+and+the+HIPAA+privacy
+rule&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a
Privacy Rights Clearinghouse: http://www.privacyrights.org/
U.S. Department of Health & Human Services: http://www.hhs.gov/ocr/privacy/index.html