Personal Health Records & HIPAA


While this presentation offers a rudimentary understanding of HIPAA as it relates to PHRs, its primary objective is to highlight key aspects of PHR privacy policies provided by non-covered entities (Microsoft & Google) and argue that HIPAA, after significant amendments, should be extended to them.

Published in: Health & Medicine, Technology

  1. Thinking Beyond HIPAA: PHRs and Privacy
  2. Outline ✓ HIPAA Privacy Rule and “covered entities” ✓ PHRs ✓ Google Health’s privacy policy vs. HealthVault’s ✓ Arguments for/against extending HIPAA coverage ✓ Author’s recommendation
  3. What you need to know about HIPAA
  4. HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 Privacy Rule governs covered entities’ use and disclosure of individuals’ protected health information (PHI) in any form. It has built-in standards for privacy and security, including standards governing disclosure, access, and correction. PHI is a subset of individually identifiable health information that is maintained or transmitted in any form (including oral) and is created or received by a health care provider. It relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or payment for that health care; and identifies or could be used to identify the individual. Source: Office for Civil Rights
  5. HIPAA: The HIPAA Privacy Rule gives you a right to privacy with respect to those parties (covered entities) you HAVE to share your health secrets with, not those you CHOOSE to.
  6. A “Covered Entity” Is: a healthcare clearinghouse (converts health data into or out of standard formats), or a sponsor (provides Medicare prescription drug cards), or a healthcare provider (provides healthcare or services as defined under HIPAA), or a health plan (provides insurance).
  7. A “Non-Covered Entity” Is Everything Else, including Internet companies & employers.
  8. HIPAA: Because HIPAA gives patients the right to access, inspect, and copy PHI held by covered entities, patients are able to manually input their health information into PHRs offered by non-covered entities. This is why non-covered entities offering PHRs are not necessarily in violation of HIPAA.
  9. HIPAA: [Diagram: Covered Entity → Non-Covered Entity; legend: = most control] HIPAA still regulates how information from a covered entity enters a PHR. Source: Office for Civil Rights
  10. HIPAA Privacy Shortcomings ✓ Large degree of sharing information without consent - Loophole in the “health care operations” category - Loophole in the usage of limited data sets. In a limited data set only 16 specified identifiers are removed, which is 2 identifiers short of fully de-identified data; the two that may stay with the patient’s records are: 1) Dates: including those for the patient’s birth, admissions, treatment, discharge, and payment history 2) Geographical locators: such as city, state, and ZIP codes. Sources: Modern Healthcare; Office for Civil Rights
  11. Limited Data: “Just giving a date of birth, gender and ZIP code can identify 86% of people in the United States by name.” - Paul Tang, Chief Medical Information Officer of Palo Alto Medical Foundation. Modern Healthcare, 01607480, September 29, 2008, Vol. 38, Issue 39
  12. Ex. Loopholes. Loophole Ex.: “A drug manufacturer can pay a physician or a pharmacy to send refill reminders to patients, or to send information about a drug to all patients identified with a particular condition or taking particular medications. Although the drug manufacturer would not get the PHI from the physician or pharmacy, it would accomplish the same marketing goals by paying someone else to promote its products.” Loophole Ex.: “Health care entities are allowed, for fundraising activities, to release to business associates - without explicit individual authorization - limited patient information...This clause was responsible for the data breach at UCLA Medical Center when they hired an outside firm to do a fund raising program.” Source: Chilmark Research
  13. What you need to know about PHRs
  14. PHRs: “A personal health record (PHR) is an electronic record of an individual’s health information by which the individual controls access to the information and may have the ability to manage, track, and participate in his or her own health care.” Source: Office for Civil Rights
  15. EHRs: Not to be confused with a PHR, EHR stands for electronic health record and refers to a system that collects patient medical data from multiple sources exclusively for health care providers.
  16. EHRs & ARRA: The House just passed the American Recovery & Reinvestment Act (ARRA) of 2009, in part to incentivize healthcare providers to migrate to EHRs. Consequently this legislation may increase the availability and reliability of PHRs. Health Information Technology Provision: Provides $19 billion of financial incentives to help physicians purchase and implement HIT, specifically for the development of uniform electronic standards. Source: American Medical Association & Health Data Management Magazine
  17. ARRA Privacy Provision: Expands the current HIPAA privacy & security protections around the e-transfer of patient health info through Health Information Technology systems, and proposes temporary breach notification requirements for previously unregulated entities. NOTE: The Privacy Provision is a “Draft Rule,” meaning that it is a temporary requirement that will remain in effect until Congress passes new legislation based on a report currently in development by Health & Human Services and the Federal Trade Commission. “A breach of security is defined as the acquisition of identifiable health information of an individual, from a PHR, without authorization. De-identified information falls outside the scope of the rule.” Source: American Medical Association & Health Data Management Magazine
  18. ARRA: The FTC staff estimates that PHR-related companies would on average experience 11 data breaches a year, with the associated breach notification costs averaging $1M a year for each company. Source: Modern Healthcare. April 20, 2009 v39 i16 p10.
  19. Things to look for in privacy policies
  20. NC Privacy Policies: Privacy policies vary widely among PHRs offered by HIPAA non-covered entities. Even the top two Internet companies’ PHR privacy policies have discrepancies, which makes informed consent less likely. NOTE: The following slides represent privacy policy information I found posted on the websites of Google Health and Microsoft HealthVault.
  21. Sharing Info
     - HealthVault: “No Program or individual has access to your info through the Service unless and until an authorized user opts-in.” “Service users with whom you have shared your records can also give a Program access to those records. You can see a complete history of how Programs have accessed the information in your records.” “You can decide which Programs you want to use. You must approve (or deny) the Program’s access. The access request will include (a) the type of info the Program will access and (b) what the Program wants to do with the info (view, add, modify). The Service [also] provides links to each Program’s privacy statements at the time the Service asks you to authorize the Program’s access.”
     - Google Health: “We do not sell user health information, and we do not share it with other individuals or services unless a user explicitly authorizes us to do so, or in the limited circumstances described in our privacy policy.” “If you share your information with others, you can view a list of who has access to your information and you can revoke sharing privileges at any time.” “You can approve access for some websites to view your health information. If a website accesses your health information and stores a copy of your info, that copy will be governed by that site’s privacy policy...Google is not responsible for the content, performance, or privacy policy of third-party websites.”
     Source: Google Health Privacy Policy & HealthVault Privacy Policy
  22. Use of Non-PII, PII, and Employee Access
     - Non PII. HealthVault: “Microsoft may use aggregated info from the Service to improve the quality of the Service and for marketing of the Service...Microsoft does not use your individual account and record information from the Service for marketing without first asking for and receiving your opt-in consent.” Google Health: “Aggregate, de-identified user information can be used to publish trends.”
     - PII. HealthVault: “We use personal information collected through the Service, including health info, to provide you with important info about the Service; to send you the HealthVault e-mail newsletter if you opt-in; & to determine your age and location to help determine whether you qualify for an account.” Google Health: Directed to another privacy policy provided by Google.
     - Employees. HealthVault: “Microsoft occasionally hires other companies to provide limited services on our behalf, such as answering customer questions about products. We give those companies only the personal information they need to deliver the service.” Google Health: “A limited number of employees in particular job functions may have access to user information in order to operate and improve Google Health.”
     Source: Google Health Privacy Policy & HealthVault Privacy Policy
  23. Security, Deleting Info, and Compliance
     - Security. HealthVault: “We use a variety of security technologies and procedures...we store the personal information you provide on computer servers w/ limited access that are located in controlled facilities (in the U.S.A.)...the Service sends all communications (except e-mail) using SSL.” Google Health: “Google Health secures information by using SSL encryption, back up systems, and other cutting-edge information security technology.”
     - Deleting Info. HealthVault: “You can close your account at any time. We will wait 90 days before permanently deleting your account.” Google Health: “You can completely delete your info at any time. Such deletions will take immediate effect in your account, and backup copies may persist for a short time.”
     - Compliance. HealthVault: “HealthVault complies with the HONcode (Health On The Net Foundation) standard for trustworthy health information.” “Microsoft is a member of the TRUSTe Privacy Program.” Google Health: “Google adheres to the US Safe Harbor privacy principles.”
     Source: Google Health Privacy Policy & HealthVault Privacy Policy
  24. Communication and Readability
     - Communication (policy changes). HealthVault: “For material changes, changes to the privacy policy, we will notify you either by placing a notice on the home page of the HealthVault Web site or by sending you a notification directly...Your continued use of the service constitutes your agreement to this privacy statement and any updates.” Google Health: NO mention of a notification if the privacy policy is changed, or a stipulation necessitating opt-in consent to new changes.
     - Communication (policy coverage). HealthVault: 3 different sites you have to refer to for complete privacy policy coverage: Service Agreement, Code of Conduct, Health on the Net Foundation. Google Health: 3 different sites you have to refer to for complete privacy policy coverage: Google Health Developer Policies, Department of Commerce Safe Harbor Framework, Google Privacy Policy.
     - Readability. HealthVault: Comprehensive policy, some industry jargon, sufficient level of detail. Google Health: Overall, the GH policy is conversational and concise with little to no industry jargon. Note: Only those privacy issues specific to the Google Health product were listed (to learn about the more generic, applicable policies, users are directed to the Google company privacy policy).
     Source: Google Health Privacy Policy & HealthVault Privacy Policy
  25. Strengths and Weaknesses
     - Strengths. Microsoft HealthVault Privacy Policy: communication with subscribers, opt-in standards & granular control of personal health data when sharing with 3rd parties. Google Health Privacy Policy: readability & opt-in standards.
     - Weaknesses. Microsoft HealthVault Privacy Policy: defining key terms (like PII) & readability. Google Health Privacy Policy: defining key terms (like PII), no granular control of personal health data when sharing with 3rd parties, communication with subscribers.
  26. NC Privacy Policies: “Among experts, Microsoft earns generally high marks for its promise not to divulge information without a user’s say so. HealthVault lets patients search for health information without leaving the site - so other sites can’t access users’ IP address or other identifying data. And before connecting a patient to a partner’s or advertiser’s site, it posts that site’s privacy policy.” - Deborah Peel, Founder of Patient Privacy Rights. Source: The Washington Post. March 11, 2008. Page HE01.
  27. Arguments for and against extending HIPAA
  28. Pro HIPAA ✓ Minimum necessary clause ✓ Consistency among privacy coverage ✓ Strong security provisions ✓ Strong consumer coverage when enforced by HHS ✓ Less burden on individual consent. Minimum necessary standard: “Practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.”
  29. Against HIPAA ✓ Insufficient rules to address issues unique to PHRs - e.g. risks & penalties for data re-identification ✓ Not enforced unless a patient recognizes and reports a violation ✓ The limited data set is an outdated standard for de-identifying data ✓ Loopholes that allow for disclosure without consent
  30. Against HIPAA: “Bringing third-party PHRs under the scope of HIPAA authorizes the disclosure of highly sensitive data outside the health care system, with each such disclosure subject only to patient authorization.” Meaning the burden of protecting healthcare privacy would fall more on the patients themselves if HIPAA were extended to non-covered entities, which could give PHR providers more bargaining power. Source: Center for Democracy & Technology
  31. Opinion: Revise HIPAA before extending it
  32. Opinion: Revise ✓ Restrict PHR vendors from engaging in certain practices, alleviating some of the burden on the patient ✓ Require opt-in for all personal information shared ✓ Remove the health care operations clause from PHR coverage ✓ Enact stricter rules on limited data sets (e.g. removing birth year) ✓ Standardize key terms, like personal health information
  33. Appendix
  34. PHR SWOT
     - Strengths: Patient control; Little to no fiscal cost; Portability; Promotes preventative medicine; Easier to manage chronic diseases; Easier to manage health of others
     - Weaknesses: Privacy; Data liquidity; Accuracy of data; Abundance of unhelpful data
     - Opportunities: Revisions to HIPAA; Granular control of 3rd-party access; Partnerships; Interoperability; Improved research; Counter healthcare costs
     - Threats: Current HIPAA Privacy Rule extended; Security; Doctor liability; Accuracy of data
  35. Altarum Criteria (HV = HealthVault, GH = Google Health)
     - Communication w/ vendor: Contact info; Effective date; Notification of change in policy; Opt-in to changes
     - Readability: Alternative language; Readability (1-3, 1 being best): HV 2, GH 1; FAQ
     - Coverage: De-activated accounts; Buy/sell company; Cookies; Solicit voluntary participation; Gathering non-personal data; Web-service logs; Opt-out options; Different policy for identifiable & de-identified data
     - Detail how/if information is shared: Business associates; Family members; Clinical trials; Research; Marketing; Law enforcement; Other
     - Consent prior to sharing personal health information
     - Definition of critical terms: De-identified
     - Data guidelines compliant w/ privacy codes: HIPAA; URAC; Safe Harbor guidelines; American Medical Association; Health on the Net Foundation
     - Security provisions: SSL encryption; Location of servers
  36. Definitions. Privacy: An individual’s right to control the acquisition, uses, or disclosures of his or her identifiable data. Confidentiality: Refers to the obligations of those who receive information to respect the privacy interests of those to whom the data relate. Security: Refers to the physical, technological, or administrative safeguards or tools used to protect identifiable health data from unwarranted access or disclosure. Source: Altarum
  37. Bibliography
     - Anderson, Howard J. “PHRs: Where Are We Headed?; Cutting through the hype about personal health records to assess their long-term viability.” Health Data Management. May 2008. Retrieved 27 May 2009. Lexis Nexis.
     - Armijo, D., S. Chin, J. Christensen, J. Desper, A. Hong, K. Knewale, R. Lecker. Altarum. “Review of the Personal Health Record (PHR) Service Provider Market: Privacy and Security.” January 5, 2007. Retrieved 26 May 2009. Google.
     - Center for Democracy and Technology. “Why the HIPAA Privacy Rules Would Not Adequately Protect Personal Health Records.” September 2008. Retrieved 26 May 2009. Lexis Nexis.
     - Chilmark Research. “iPHR Market Report: Analysis & Trends of Internet-based Personal Health Records Market.” May 2008. Retrieved 27 May 2009. Google.
     - Conn, Joseph. “Safe and secure?; Data encryption just one option under security law.” Modern Healthcare. May 11, 2009. Retrieved 28 May 2009. Lexis Nexis.
     - Cushman, Reid. “PHRs and the Next HIPAA.” Retrieved 28 May 2009. Lexis Nexis.
     - Gerber, Michael S. “New Ways to Manage Health Data.” The Washington Post. March 11, 2008. Retrieved 28 May 2009. Google.
     - More, John. “Why Extending HIPAA to PHRs is NOT a Good Idea.” May 5, 2008. Chilmark Research blog. Retrieved 26 May 2009.
     - Robeznieks, Andis. “Getting personal; Legal liability, patient-data overload among issues making physicians uneasy over emergence of personal health records.” Modern Healthcare. May 12, 2007. Retrieved 27 May 2009. Lexis Nexis.
  38. Bibliography (web sources)
     - American Medical Association
     - Electronic Privacy Center
     - Fierce Health IT
     - Google Health Privacy Policy
     - Government Health IT
     - Microsoft HealthVault Privacy Policy
     - Office for Civil Rights. “Personal Health Records and the HIPAA Privacy Rule.” Retrieved 26 May 2009. Google.
     - Privacy Rights Clearinghouse
     - U.S. Department of Health & Human Services
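Worked example for slides 10 and 11 (limited data sets versus fully de-identified data). This is added example code, not part of the original presentation or of any cited source. The rows are constructed for illustration, the reference date and field names are my own choices, and the list of sparsely populated three-digit ZIP areas is the one given in HHS safe-harbor guidance (2000 Census). The code applies the safe-harbor generalizations that a limited data set omits (dates reduced to the year, ages of 90 and over collapsed into one category, ZIP codes reduced to three digits with sparse areas reported as 000) and measures, before and after, how many rows are unique on date of birth, sex and ZIP code, the three fields the Tang quote warns about.

```python
from collections import Counter
from datetime import date

# Constructed sample rows in "limited data set" form: full dates of birth and
# five-digit ZIP codes are retained, which HIPAA permits for a limited data set
# but not for safe-harbor de-identified data. All values are made up.
LIMITED_DATA_SET = [
    {"dob": "1961-03-14", "sex": "F", "zip": "94301", "dx": "E11.9"},
    {"dob": "1961-03-14", "sex": "F", "zip": "94301", "dx": "I10"},
    {"dob": "1975-07-02", "sex": "M", "zip": "94301", "dx": "J45.20"},
    {"dob": "1975-12-20", "sex": "M", "zip": "94304", "dx": "K21.9"},
    {"dob": "1933-11-30", "sex": "M", "zip": "94306", "dx": "N18.3"},
    {"dob": "1990-01-09", "sex": "F", "zip": "03601", "dx": "F41.1"},
    {"dob": "1915-05-01", "sex": "F", "zip": "94306", "dx": "I50.9"},
    {"dob": "1933-02-11", "sex": "M", "zip": "94301", "dx": "I10"},
]

LDS_QUASI_IDENTIFIERS = ("dob", "sex", "zip")
SAFE_HARBOR_QUASI_IDENTIFIERS = ("birth_year", "sex", "zip3")

# Three-digit ZIP areas with 20,000 or fewer residents per the 2000 Census; the
# safe-harbor rule requires these to be reported as "000" (list per HHS guidance).
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}


def _groups(rows, keys):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in rows)


def uniqueness(rows, keys=LDS_QUASI_IDENTIFIERS):
    """Fraction of rows whose quasi-identifier combination occurs exactly once.
    A row that is unique on (dob, sex, zip) is directly linkable to any public
    list (voter roll, etc.) carrying the same three fields."""
    counts = _groups(rows, keys)
    singletons = sum(1 for r in rows if counts[tuple(r[k] for k in keys)] == 1)
    return singletons / len(rows)


def k_anonymity(rows, keys=LDS_QUASI_IDENTIFIERS):
    """Smallest group size over the quasi-identifiers; k == 1 means at least
    one person is singled out within the data set."""
    return min(_groups(rows, keys).values())


def age_on(dob, as_of):
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(row, as_of):
    """Apply the safe-harbor generalizations to one limited-data-set row:
    the date of birth shrinks to its year, ages of 90 and over collapse into a
    single '90+' category (losing the birth year too), and the ZIP code shrinks
    to three digits with sparse areas reported as '000'. Other fields are kept."""
    dob = date.fromisoformat(row["dob"])
    zip3 = row["zip"][:3]
    out = {k: v for k, v in row.items() if k not in ("dob", "zip")}
    out["birth_year"] = "90+" if age_on(dob, as_of) >= 90 else str(dob.year)
    out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
    return out


def deidentify(rows, as_of=date(2009, 5, 31)):
    """Safe-harbor transform of a whole data set; as_of is an assumed reference date."""
    return [safe_harbor(r, as_of) for r in rows]


if __name__ == "__main__":
    safe = deidentify(LIMITED_DATA_SET)
    print(f"limited data set: {uniqueness(LIMITED_DATA_SET):.0%} of rows unique, "
          f"k={k_anonymity(LIMITED_DATA_SET)}")
    print(f"safe harbor:      {uniqueness(safe, SAFE_HARBOR_QUASI_IDENTIFIERS):.0%} of rows unique, "
          f"k={k_anonymity(safe, SAFE_HARBOR_QUASI_IDENTIFIERS)}")
```

On the constructed rows the safe-harbor transform cuts the share of uniquely identifiable rows from 75% to 25%, but k stays at 1: the single 90+ patient and the single resident of a sparse ZIP area are still singled out. Safe harbor is a fixed list of field generalizations, not a guarantee about the data, which is why the uniqueness and k measurements belong in the release check; the stricter rule proposed on slide 32 (dropping birth year entirely) is a one-line change to safe_harbor.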
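Worked example for slide 21, the access model HealthVault's policy describes: a Program asks for specific record types and operations (view, add, modify), nothing is accessible until the account owner opts in, sharing can be revoked, and the owner can see a complete history of how Programs accessed the records. This is added example code, not Microsoft's or Google's implementation; the class, method and record-type names are my own, chosen to show the enforcement points (default deny, scope check on both record type and operation, audit of every attempt) rather than any vendor's API.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

OPERATIONS = frozenset({"view", "add", "modify"})


@dataclass(frozen=True)
class AccessRequest:
    """What a Program asks for: which record types and what it wants to do with
    them. This is what the owner sees and approves (or denies) at opt-in time."""
    program: str
    record_types: frozenset
    operations: frozenset


class PHRAccount:
    """One person's PHR. Programs get exactly the scope the owner approved."""

    def __init__(self, owner):
        self.owner = owner
        self.records = {}   # record type -> list of entries
        self.grants = {}    # program -> AccessRequest the owner approved
        self.audit = []     # (timestamp, event, program, detail) for every grant,
                            # revocation and access attempt, allowed or denied

    def _log(self, event, program, detail=""):
        self.audit.append((datetime.now(timezone.utc), event, program, detail))

    def approve(self, request):
        """Owner opts in to a Program's request; unknown operations are rejected
        outright rather than silently ignored."""
        unknown = request.operations - OPERATIONS
        if unknown:
            raise ValueError(f"unknown operations requested: {sorted(unknown)}")
        self.grants[request.program] = request
        self._log("grant", request.program,
                  f"{sorted(request.record_types)} {sorted(request.operations)}")

    def revoke(self, program):
        """Owner withdraws a Program's access; later attempts fall back to default deny."""
        self.grants.pop(program, None)
        self._log("revoke", program)

    def who_has_access(self, record_type):
        """The 'list of who has access' view: Programs granted this record type."""
        return sorted(p for p, g in self.grants.items() if record_type in g.record_types)

    def is_allowed(self, program, record_type, operation):
        """Default deny: no grant, wrong record type, or wrong operation all fail."""
        grant = self.grants.get(program)
        return (grant is not None
                and record_type in grant.record_types
                and operation in grant.operations)

    def access(self, program, record_type, operation, entry=None):
        """Perform one operation on behalf of a Program; every attempt is logged
        before the decision is enforced, so denied attempts appear in history too."""
        allowed = self.is_allowed(program, record_type, operation)
        self._log("allow" if allowed else "deny", program, f"{operation} {record_type}")
        if not allowed:
            raise PermissionError(f"{program} may not {operation} {record_type}")
        entries = self.records.setdefault(record_type, [])
        if operation == "add":
            entries.append(entry)
        elif operation == "modify":
            entries[:] = entry            # replace the list wholesale
        return list(entries)              # "view" returns a copy, never the live list

    def history(self, program):
        """Complete access history for one Program, as the owner would review it."""
        return [(ts, ev, d) for ts, ev, p, d in self.audit if p == program]


if __name__ == "__main__":
    acct = PHRAccount("alice")
    acct.approve(AccessRequest("MedTracker", frozenset({"medications"}), frozenset({"view", "add"})))
    acct.access("MedTracker", "medications", "add", "metformin 500mg")
    for attempt in (("MedTracker", "medications", "modify"), ("MedTracker", "conditions", "view"),
                    ("AdNetwork", "medications", "view")):
        print(attempt, "allowed" if acct.is_allowed(*attempt) else "denied")
    acct.revoke("MedTracker")
    for ts, ev, detail in acct.history("MedTracker"):
        print(ts.isoformat(timespec="seconds"), ev, detail)
```

The scope check tests both dimensions of the grant, so a Program approved to view and add medications can neither modify them nor read a different record type, and a Program the owner never approved is denied without any special case. Logging before enforcement is deliberate: the denied attempts are the ones the owner most wants to see in the history.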