PHRs and HIPAA
HIPAA protections apply to providers, health plans, and clearinghouses, and, as part of the 2009 American Recovery and Reinvestment Act (ARRA), Business Associates of these three types of organizations also fall under HIPAA law. Because there are different types and sources of PHRs, HIPAA cannot be applied to all PHRs across the board. PHRs are either tethered (created and compiled for the person by a healthcare entity, such as their provider, health plan, or employer) or untethered (created by a third-party company or vendor, with the person controlling what is entered into the PHR; the person usually enters the records personally using supplied documents or templates) (1).
There are five basic PHR models, based on who offers them and their connection to the supplier –
1. Providers (tethered)
2. Health Plans (tethered)
3. Employers (may be tethered or untethered)
4. Vendors (retail sales or free offerings to consumers) – (untethered)
5. Personal devices (such as a portable USB stick holding a Word file stored electronically by the consumer) - (untethered)
Personal devices are excluded from HIPAA because the security of the protected health information is controlled completely by the person; privacy and security are their own responsibility.
PHRs that are offered by Providers and Health Plans are always held to HIPAA standards, and protected health information that these organizations send to any type of patient PHR is also required to be compliant with HIPAA. (2, 3)
The applicability of HIPAA to employer- and vendor-sponsored PHRs depends on additional factors. If an employer or vendor simply offers the PHR as an untethered repository, with no control or use of the Protected Health Information (PHI) and with control of the PHI completely in the hands of the person, HIPAA does not apply. PHR vendors or suppliers such as Microsoft HealthVault and Google Health (which was discontinued on 12-31-11 due to low user volume (4)), when used directly by the consumer, are not considered covered entities under HIPAA (5). If the employer PHR is tethered, and is maintained and controlled by the employer or an employer-sponsored vendor, HIPAA compliance is mandatory.
The Business Associate (BA) Rule has not been clearly interpreted. Since 2009, BAs have fallen under HIPAA requirements and must sign Business Associate contracts with covered entities. The BA rule comes into question when a company provides and manages a tethered PHR for organizations (such as a doctor's office or an employer) that ARE covered entities. Are the PHR suppliers deemed BAs even if they do not have control over the PHI and are acting simply as a repository site between the covered entity and the person? This has not been clarified.
Microsoft offers a BA agreement for use with covered entities, while maintaining that it does so voluntarily and does not believe one is required. Its contract language makes its position clear:
“WHEREAS, HealthVault is operated as a consumer service and is not offered as an electronic medical record or Designated Record Set… the purpose of the HealthVault Agreement is to enable End-Users to access, use and disclose Protected Health Information; however, the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5, includes provisions expanding the scope of entities considered to be Business Associates, which provisions could be interpreted to apply to Microsoft’s arrangements with a covered entity under the HealthVault Agreement; and …without having concluded that either Microsoft or Covered Entity would violate any legal or regulatory requirement or be subject to sanction under applicable law for failing to do so, Microsoft nonetheless is willing to agree to the business associate terms…” (6)
A more definitive interpretation of HIPAA's scope is required as EHR adoption proceeds across the country. The Department of Health and Human Services (HHS) understands this. Kathleen Sebelius, the HHS Secretary, stated that "While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work." (7)
1. Fahrenholz, C. G. (2007, April). PHRs and Physician Practices. AHIMA. http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_033817.hcsp?dDocName=bok1_033817
2. McAndrew, S. J. (2008, April 24). Personal Health Records & HIPAA: HIPAA Privacy Rule - Helps Now, and into the Future. Department of Health and Human Services, Office for Civil Rights. http://www.ftc.gov/bc/healthcare/hcd/docs/mcandrew.pd
3. Department of Health and Human Services, Office for Civil Rights. (n.d.). Personal Health Records and the HIPAA Privacy Rule. http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf
4. McGee. (2011, June 29). Microsoft Reaps Spoils Of Google Health's Demise. InformationWeek: Health Care. http://www.informationweek.com/news/healthcare/interoperability/231000712
5. HRSA. (2009). Health IT Adoption Toolbox. Health Resources and Services Administration. http://www.himss.org/ASP/topics_phr_toolkit.asp?faid=288&tid=34
6. Microsoft. (2009, June). Microsoft HealthVault and HIPAA. http://msdn.microsoft.com/en-us/healthvault/cc507320
7. Sternstein, A. (2010, July 9). HIPAA Rules Now Apply to PHRs. Nextgov. http://healthitupdate.nextgov.com/2010/07/hipaa_rules_now_apply_to_phrs.php
Submitted by Leeann Stahn