
The PHR Privacy Loophole: Closing Fast?


Last week, Modern Healthcare reported that the Mayo Clinic has rolled out a personal health record (PHR) system built on Microsoft's HealthVault PHR platform. In a move reported to have "saved a whole lot of HIPAA hassles," the new PHR is not connected to the Mayo Clinic's existing electronic health record (EHR) system. It is instead offered to patients as a standalone product under the Mayo Clinic Health Manager brand.

It is true that PHR products are generally subject to far less rigorous HIPAA privacy requirements than EHR products. An EHR is usually maintained by a hospital, medical group or other healthcare provider and, because it is an extension of the traditional paper medical record, is subject to all of the HIPAA Privacy Rule and Security Rule requirements that apply to covered entities.

A PHR, however, is typically under the ultimate control of the patient and, because patients are not HIPAA covered entities, the Privacy Rule and Security Rule requirements do not apply to it. PHR vendors have begun to dispute whether they must sign business associate agreements with HIPAA covered entities when the covered entity sponsors or facilitates the provision of the PHR to its patients. The answer to that question will depend on the facts and circumstances of the arrangement between the covered entity and the PHR vendor.

One thing that is not in question is that this will be a continuing source of tension. The HITECH Act imposes new security breach notification obligations on PHR vendors and related entities. In addition, the HITECH Act requires HHS to conduct a study and issue a report to Congress by February 18, 2010 on the applicability of privacy and security requirements to non-HIPAA covered entities, including PHR vendors. The report is required to include recommendations for (i) privacy and security requirements, (ii) the federal agency best equipped to enforce the requirements, and (iii) a timeline for implementing the regulations.

While PHR vendors may be able to escape a wide range of privacy and security legal obligations today, that time may be coming to an end soon.


Comments

Great post Reece. I wonder if the PHR vendors are doing themselves a major PR disservice. It's not comforting as a prospective customer to know they are doing everything possible to skirt privacy laws.