There has been a lot of talk about extending current HIPAA regulations to address non-covered entities, particularly PHR vendors. Many (and here) believe that this is what is needed to preserve consumer privacy. There was even an article last month in the New England Journal of Medicine by the creators of the Dossia platform, Indivo, that unfortunately was taken out of context by some (including the New York Times, but not all), which continued to fan the flames for an extension of HIPAA. And of course, as long as those flames keep burning brightly, the traditional stakeholders in the healthcare market (especially providers and health plans), who are loath to have the consumer take more direct, personal control of their records, can sit back and continue to directly manage the consumer relationship without any pesky intermediaries (e.g., independent PHR vendors).
But HIPAA really doesn’t provide the protection that many of the press, privacy pundits and others claim. For example, how many consumers know that under HIPAA…
Health care entities are allowed, for fundraising activities, to release to business associates – without explicit individual authorization – certain demographic information, such as names, addresses and dates of treatment, but not information about health or health care.
Sure, they are not sharing medical records, but they could be sharing information that I happened to be admitted to their psychiatric clinic, (e.g., I went to MGH and ended up at McLeans) which I’m sure most would rather not share.
This clause was responsible for the data breach at UCLA Medical Center when they hired an outside firm to run a fundraising program. While having over 6,300 records exposed on the Internet was bad enough, what is even worse is that the breach was discovered on Oct. 9th but it was not until mid-April that UCLA thought: Hmmm, maybe we should contact all those people affected.
Six months to let someone know that their privacy has been breached! What’s up with that?
As I have written several times before, I am a strong advocate of consumer privacy for virtually any information that is personal, including medical records. I have also taken the PHR industry to task for its extremely poor record, as an industry, in developing clear standards (shall we even suggest a certification process) that would bring some consistency to privacy policies across this industry sector. So far, it seems to have fallen on deaf ears, as the research we conducted for our upcoming PHR Report found consistency across the industry to be nonexistent.
With no prompting of my own, at least that I am aware of, Microsoft’s HealthVault Group has been very clear on its privacy policies. They even went so far as to extend these privacy policies to all partners of HealthVault via their Terms & Conditions sheet. With some prompting, I was able to get Microsoft to go public with these terms. Recently, Sean Nolan, chief architect for HealthVault, put up a post further defining Microsoft’s perspective/policy as it pertains to HIPAA. He also provides a link to a very good overview of HIPAA and HealthVault that was put together by the HealthVault team and Microsoft’s legal team for the development community. All very good, proactive moves. Now, if I could only start seeing Google making similar pronouncements/announcements, and while I’m at it, how about Dossia as well. Neither of these two has been as proactive as Microsoft on the issue of privacy, and the market really needs more unity here.
Getting back to HIPAA.
First off, I am not against some federal oversight and policy direction as it pertains to personal health records. Right now, it is a bit of the Wild West as consumers take on more responsibility for managing their records and turn to PHR solutions. What I fear, though, is that taking a simplistic approach, “let’s extend HIPAA to cover PHRs,” will not solve the problem and truly protect the consumer. As the UCLA case above so clearly demonstrates, HIPAA does not provide the privacy that most consumers will want for their PHRs. Also, numerous reports and surveys have shown that, while consumers are concerned with privacy, they believe the benefits of digital records outweigh the risks.
So we are left with a situation where, first, HIPAA clearly does not provide the type of protection that most consumers believe they are receiving and, secondly, consumers are not averse to sharing information, but it is they who wish to choose who sees such information and not some third-party entity that makes that choice for them.
Simply extending existing HIPAA regulations to non-covered entities will not provide consumers with a sufficient level of privacy protection. In fact, it may have the perverse effect of giving consumers a false sense of security.
Extending HIPAA is NOT the answer.
The answer will lie outside of HIPAA in a new policy construct that puts the consumer in more direct control of how their information is used via an “opt-in” process, e.g., “I choose who I wish to see my data and to what degree of granularity that data is shared.” Yes, it will make many in the healthcare sector nervous, but they are going to have to get used to it, as this market will increasingly become consumer-driven and those consumers will want more control.
One last point (minor detail)…
While I may wish to choose with whom I share my records and at what level of granularity, that granularity issue is a sticky one. You see, most vendors’ PHR solutions do not have the data management capabilities built in to allow data tagging for sharing or sequestering record information at a granular level. For most, you either share all the data in your PHR, or none of it. PHR vendors need to “get on the ball” and start building this capability into their solutions. And consumers, you need to start asking PHR vendors whether their platform supports such capabilities.