
The PHR Privacy Loophole: Closing Fast?

May 3, 2009
by Reece Hirsch

Last week, Modern Healthcare reported that the Mayo Clinic has rolled out a personal health record system built on Microsoft's HealthVault PHR platform. In a move that was reported to have "saved a whole lot of HIPAA hassles," the new PHR was not connected to the Mayo Clinic's existing electronic health record system. Instead, the PHR will be offered as a separate product branded as the Mayo Clinic Health Manager.

It is true that PHR products are generally subject to far less rigorous HIPAA privacy requirements than EHR products. An EHR product is usually maintained by a hospital, medical group or other healthcare provider and is subject to all of the HIPAA Privacy Rule and Security Rule requirements applicable to covered entities because it is an extension of the traditional paper medical record.

A PHR, however, is typically under the ultimate control of the patient and, because patients are not HIPAA covered entities, the Privacy and Security Rule requirements do not apply. PHR vendors have begun to dispute whether they are required to sign business associate agreements with HIPAA covered entities when the covered entity sponsors or facilitates the provision of the PHR to its patients. The answer to that question will depend upon the facts and circumstances of the arrangement between a covered entity and a PHR vendor.

One thing that is not in question is that this will be a continuing source of tension. The HITECH Act imposes new security breach notification obligations on PHR vendors and related entities. In addition, the HITECH Act requires HHS to conduct a study and issue a report to Congress by February 18, 2010 on the applicability of privacy and security requirements to non-HIPAA covered entities, including PHR vendors. The report is required to include recommendations for (i) privacy and security requirements, (ii) the federal agency best equipped to enforce the requirements, and (iii) a timeline for implementing the regulations.

While PHR vendors may be able to escape a wide range of privacy and security legal obligations today, that time may be coming to an end soon.

