Personal Health Records & HIPAA
DESCRIPTION
While this presentation offers a rudimentary understanding of HIPAA as it relates to PHRs, its primary objective is to highlight key aspects of PHR privacy policies provided by non-covered entities (Microsoft & Google) and argue that HIPAA, after significant amendments, should be extended to them.
TRANSCRIPT
Thinking Beyond HIPAA: PHRs and Privacy
Outline
✓ HIPAA Privacy Rule and “covered entities”
✓ PHRs
✓ Google Health’s privacy policy vs. HealthVault’s
✓ Arguments for/against extending HIPAA coverage
✓ Author’s recommendation
What you need to know about HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 Privacy Rule governs covered entities’ use and disclosure of individuals’ protected health information (PHI) in any form. It has built-in standards for privacy and security, including standards governing disclosure, access, and correction.
Source: EPIC.org Source: Office for Civil Rights
PHI is a subset of individually identifiable health information that is maintained or transmitted in any form (including oral) and is created or received by a health care provider.
It relates to the past, present or future physical or mental condition of an individual; provision of health care to an individual; or payment for that health care; and identifies or could be used to identify the individual.
The HIPAA Privacy Rule gives you a right to privacy with respect to those parties (covered entities) you HAVE to share your health secrets with, not those you CHOOSE to share them with.
A “Covered Entity” Is:
- A health plan: provides insurance; or
- A healthcare clearinghouse: converts health data into or out of standard formats; or
- A healthcare provider: provides healthcare or services as defined under HIPAA; or
- A sponsor: provides Medicare prescription drug cards
A “Non-Covered Entity” Is Everything Else, Including:
- Employers
- Internet companies
This is why non-covered entities that handle health information are not necessarily in violation of HIPAA: the Privacy Rule simply does not apply to them.
Because HIPAA gives patients the right to access, inspect, and copy PHI held by covered entities,
patients are able to manually input their health information into PHRs offered by non-covered entities.
[Diagram: Covered Entity → Non-Covered Entity, labelled “= Most Control”]
HIPAA still regulates how information from a covered entity enters a PHR.
Source: Office for Civil Rights
HIPAA Privacy Shortcomings
✓ Large degree of sharing information without consent
- Loophole in “health care operations” category
- Loophole in usage of limited data sets
Source: Office for Civil Rights
Source: Modern Healthcare
In a limited data set only 16 specified identifiers are removed, which is 2 identifiers short of fully de-identified data. The two identifiers permitted to stay with the patient’s records are:
1) Dates, including those for the patient’s birth, admission, treatment, discharge, and payment history;
2) Geographic locators, such as city, state, and ZIP code.
“Just giving a date of birth, gender and ZIP code can identify 86% of people in the United States by name.” - Paul Tang, Chief Medical Information Officer of Palo Alto Medical Foundation
Modern Healthcare, 01607480, September 29, 2008, Vol. 38, Issue 39
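The gap between a limited data set and fully de-identified data is easiest to see by applying both tiers to one record. The following is an added example, not material from the slides: it strips the 16 direct identifiers for a limited data set, then applies the Safe Harbor generalizations (year-only dates, a single “90+” bucket for ages over 89, state plus three-digit ZIP) that the limited data set skips, and finishes with a check that lists which identifiers a record still carries. The identifier lists follow 45 CFR 164.514; the field names and the sample record are constructed for this example, and the list of low-population ZIP3 areas that must be reported as “000” is the one HHS published from 2000 Census figures, assumed here to be current.

```python
"""Added example (not from the slides): the two HIPAA de-identification tiers.

The 16 identifiers a limited data set must strip come from 45 CFR 164.514(e);
the 18-identifier Safe Harbor method is 45 CFR 164.514(b)(2). Field names and
the sample record below are constructed for this example.
"""
from __future__ import annotations

import re
from datetime import date

# The 16 direct identifiers removed for a limited data set. What stays behind
# is exactly the pair the slide calls out: full dates, and city/state/ZIP.
LIMITED_DATA_SET_REMOVE = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "full_face_photo",
})

DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Safe Harbor lets the first three ZIP digits stay unless that ZIP3 area holds
# 20,000 people or fewer, in which case it becomes "000". This is the 17-area
# list HHS published from 2000 Census figures; assumption: it is still current.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

AS_OF = date(2009, 5, 26)   # reference date for age calculation (constructed)


def limited_data_set(record: dict) -> dict:
    """Tier 1: drop the 16 direct identifiers; dates and geography stay intact."""
    return {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_REMOVE}


def _age_on(today: date, birth: date) -> int:
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor(record: dict, today: date) -> dict:
    """Tier 2: Safe Harbor. Starts from the limited data set, then generalizes
    the two identifiers that set keeps: dates collapse to the year (and to a
    single "90+" bucket for ages over 89), geography collapses to state + ZIP3."""
    out = limited_data_set(record)
    for field in DATE_FIELDS:
        if isinstance(out.get(field), date):
            out[field] = out[field].year
    if isinstance(record.get("birth_date"), date):
        age = _age_on(today, record["birth_date"])
        if age > 89:
            out["birth_date"] = None      # even the birth year would reveal age > 89
            out["age"] = "90+"
        else:
            out["age"] = age
    out.pop("city", None)                 # nothing below state level except ZIP3
    zip_code = out.pop("zip", None)
    if zip_code is not None:
        zip3 = str(zip_code)[:3]
        out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    return out


def residual_identifiers(record: dict) -> list[str]:
    """Check: which Safe Harbor identifiers are still present in a record?
    Run it on a limited data set to see why that tier is not de-identified."""
    found = sorted(k for k in LIMITED_DATA_SET_REMOVE if k in record)
    found += [f"{f}: full date" for f in DATE_FIELDS if isinstance(record.get(f), date)]
    if re.fullmatch(r"\d{5}(-\d{4})?", str(record.get("zip", ""))):
        found.append("zip: 5-digit")
    if "city" in record:
        found.append("city")
    age = record.get("age")
    if isinstance(age, int) and age > 89:
        found.append("age > 89")
    return found


# Constructed sample record; the 92-year-old patient exercises the "90+" rule.
SAMPLE = {
    "name": "Jane Example", "street_address": "12 Elm St", "city": "Springfield",
    "state": "MA", "zip": "01103", "birth_date": date(1917, 3, 2), "sex": "F",
    "admission_date": date(2008, 9, 15), "diagnosis": "I10",
    "medical_record_number": "MRN-0001", "email": "jane@example.invalid",
}

if __name__ == "__main__":
    lds = limited_data_set(SAMPLE)
    print("limited data set:", lds)
    print("still identifying:", residual_identifiers(lds))   # dates, ZIP, city
    print("safe harbor:", safe_harbor(SAMPLE, AS_OF))
```

Running the check on the limited data set output is the point: the record has no name or MRN left, yet it still carries a full birth date, a five-digit ZIP and a city, which is the date-of-birth/gender/ZIP triple the quote above says re-identifies most of the population. Safe Harbor is a floor, not a guarantee; the rule’s alternative “expert determination” path exists precisely because residual quasi-identifiers can still be linked.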
Source: EPIC.org
“A drug manufacturer can pay a physician or a pharmacy to send refill reminders to patients, or to send information about a drug to all patients identified with particular conditions or taking particular medications. Although the drug manufacturer would not get the PHI from the physician or pharmacy, it would accomplish the same marketing goals by paying someone else to promote its products.”
“Health care entities are allowed, for fundraising activities, to release to business associates - without explicit individual authorization - limited patient information...This clause was responsible for the data breached at UCLA Medical Center when they hired an outside firm to do a fundraising program.”
Source: Chilmark Research
What you need to know about PHRs
“A personal health record (PHR) is an electronic record of an individual’s health information by which the individual controls access to the information and
may have the ability to manage, track, and participate in his or her own health care.”
Source: Office for Civil Rights
Not to be confused with PHR, EHR stands for electronic health record and refers to a system
that collects patient medical data from multiple sources exclusively for health care providers.
The House just passed the American Recovery & Reinvestment Act (ARRA) of 2009, in part to
incentivize healthcare providers to migrate to EHRs.
Source: American Medical Association & Health Data Management Magazine
Consequently, this legislation may increase the availability and reliability of PHRs.
Source: AMA
Health Information Technology Provision: Provides $19 billion of financial incentives to help physicians purchase and implement HIT, specifically for the development of uniform electronic standards.
Privacy Provision: Expands the current HIPAA privacy & security protections around the e-transfer of patient health info through Health Information Technology systems. And, proposes temporary breach notification requirements for previously unregulated entities.
Source: American Medical Association & Health Data Management Magazine
NOTE: The Privacy Provision is a “Draft Rule,” meaning that it is a temporary requirement that will remain in effect until Congress passes new legislation based on a report currently in development by the Department of Health & Human Services and the Federal Trade Commission.
Source: info.rmatics.org
“A breach of security is defined as the acquisition of identifiable health information of an individual, from a PHR, without authorization. De-identified information falls outside the scope of the rule.”
The FTC staff estimates that PHR-related companies would on average experience 11 data breaches a year, with the associated breach notification costs averaging $1M a year for each company.
Source: Modern Healthcare. April 20, 2009 v39 i16 p10.
Things to look for in privacy policies
Privacy policies vary widely among PHRs offered by HIPAA non-covered entities. Even the top two Internet companies’ PHR privacy policies have discrepancies, which makes informed consent less likely.
NOTE: The following slides represent privacy policy information I found posted on the websites of Google Health and Microsoft HealthVault.
Sharing Info
Google Health:
“We do not sell user health information, and we do not share it with other individuals or services unless a user explicitly authorizes us to do so, or in the limited
circumstances described in our privacy policy.”
“If you share your information with others, you can view a list of who has access to your information and
you can revoke sharing privileges at any time.”
“You can approve access for some websites to view your health information. If a website accesses your health information and stores a copy of your info,
that copy will be governed by that site’s privacy policy...Google is not responsible for the content,
performance, or privacy policy of third-party websites.”
Source: Google Health Privacy Policy & HealthVault Privacy Policy
HealthVault:
“No Program or individual has access to your info through the Service unless and until an authorized user opts-in.”
“Service users with whom you have shared your records can also give a Program access to those records. You can see a complete history of how Programs have accessed the information in your records.”
“You can decide which Programs you want to use. You must approve (or deny) the Program’s access. The access request will include (a) the type of info the Program will access and (b) what the Program wants to do with the info (view, add, modify). The Service [also] provides links to each Program’s privacy statements at the time the Service asks you to authorize the Program’s access.”
Non-PII / PII / Employees
Source: Google Health Privacy Policy & HealthVault Privacy Policy
Google Health:
“Aggregate, de-identified user information can be used to publish trends.”
“A limited number of employees in particular job functions may have access to user information in order to operate and improve Google Health.”
HealthVault:
“We use personal information collected through the Service, including health info, to provide you with important info about the Service; to send you the HealthVault e-mail newsletter if you opt-in; & to determine your age and location to help determine whether you qualify for an account.”
“Microsoft may use aggregated info from the Service to improve the quality of the Service and for marketing of the Service...Microsoft does not use your individual account and record information from the Service for marketing without first asking for and receiving your opt-in consent.”
“Microsoft occasionally hires other companies to provide limited services on our behalf, such as answering customer questions about products. We give those companies only the personal information they need to deliver the service.”
Google Health: directed to another privacy policy provided by Google.
Security / Deleting Info / Compliance
Google Health:
“You can completely delete your info at any time. Such deletions will take immediate effect in your account, and backup copies may persist for a short time.”
HealthVault:
“You can close your account at any time. We will wait 90 days before permanently deleting your account.”
Google Health:
“Google Health secures information by using SSL encryption, back up systems, and other cutting-edge information security technology.”
“Google adheres to the US Safe Harbor privacy principles.”
HealthVault:
“HealthVault complies with the HONcode (Health On The Net Foundation) standard for trustworthy health information.”
“Microsoft is a member of the TRUSTe Privacy Program.”
Source: Google Health Privacy Policy & HealthVault Privacy Policy
HealthVault:
“We use a variety of security technologies and procedures...we store the personal information you provide on computer servers w/ limited access that are located in controlled facilities (in the U.S.A.)...the Service sends all communications (except e-mail) using SSL.”
Communication / Readability
HealthVault:
“For material changes, changes to the privacy policy, we will notify you either by placing a notice on the home page of the HealthVault Web site or by sending you a notification directly...Your continued use of the service constitutes your agreement to this privacy statement and any updates.”
Google Health:
NO mention of a notification if the privacy policy is changed, or a stipulation necessitating opt-in consent to new changes.
Google Health: 3 different sites you have to refer to for complete privacy policy coverage: Google Health Developer Policies, Department of Commerce for Safe Harbor Framework, Google Privacy Policy.
HealthVault: 3 different sites you have to refer to for complete privacy policy coverage: Service Agreement, Code of Conduct, Health on the Net Foundation.
Source: Google Health Privacy Policy & HealthVault Privacy Policy
Google Health: Overall, the GH policy is conversational and concise, with little to no industry jargon. Note: Only those privacy issues specific to the Google Health product were listed (to learn about the more generic, applicable policies, users are directed to the Google company privacy policy).
HealthVault: Comprehensive policy, some industry jargon, sufficient level of detail.
Strengths & Weaknesses
The strengths of the Google Health Privacy Policy are: readability & opt-in standards.
The weaknesses of the Google Health Privacy Policy are: defining key terms (like PII), no granular control of personal health data when sharing with 3rd parties, and communication with subscribers.
The strengths of the Microsoft HealthVault Privacy Policy are: communication with subscribers, opt-in standards & granular control of personal health data when sharing with 3rd parties.
The weaknesses of the Microsoft HealthVault Privacy Policy are: defining key terms (like PII) & readability.
“Among experts, Microsoft earns generally high marks for its promise not to divulge information without a user’s say so. HealthVault lets patients search for health information without leaving the site - so other sites can’t access users’ IP address or other identifying data. And before connecting a patient to a partner’s or advertiser’s site, it posts that site’s privacy policy.” - Deborah Peel, Founder of Patient Privacy Rights
Source: The Washington Post. March 11, 2008. Page HE01.
Arguments for and against extending HIPAA
Pro HIPAA:
✓ Minimum necessary clause
✓ Consistency among privacy coverage
✓ Strong security provisions
✓ Strong consumer coverage when enforced by HHS
✓ Less burden on individual consent
“Practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.”
Source: HHS.gov
Against HIPAA:
✓ Insufficient rules to address issues unique to PHRs
- Ex. risks & penalties for data re-identification
✓ Not enforced unless a patient recognizes a violation
✓ The limited data set is an outdated standard for de-identifying data
✓ Loopholes that allow for disclosure without consent
“Bringing third-party PHRs under the scope of HIPAA authorizes the disclosure of highly sensitive data outside the health care system, with each such disclosure subject
only to patient authorization.”
Source: Center for Democracy & Technology
Meaning that if HIPAA were extended to non-covered entities, the burden of protecting healthcare privacy would fall more on the patients themselves, which could give PHR providers more bargaining power.
Opinion: Revise HIPAA before extending it
✓ Restrict PHR vendors from engaging in certain practices, alleviating some of the burden from the patient
✓ Necessitate opt-ins for all personal information shared
✓ Revoke the health care operations clause from PHR coverage
✓ Enact stricter rules on limited data sets (e.g., removing birth year)
✓ Standardize key terms, like personal health information
Appendix
PHR SWOT
Strengths:
✓ Patient control
✓ Little to no fiscal cost
✓ Portability
✓ Promotes preventative medicine
✓ Easier to manage chronic diseases
✓ Easier to manage health of others
Weaknesses:
✓ Privacy
✓ Data liquidity
✓ Accuracy of data
✓ Abundance of unhelpful data
Opportunities:
✓ Revisions to HIPAA
✓ Granular control of 3rd-party access
✓ Partnerships
✓ Interoperability
✓ Improved research
✓ Counter healthcare costs
Threats:
✓ Current HIPAA Privacy Rule extended
✓ Security
✓ Doctor liability
✓ Accuracy of data
Altarum Criteria (HV = HealthVault, GH = Google Health)
Category: Communication w/ vendor
- Contact info
- Effective date
- Notification of change in policy
- Opt-in to changes
Category: Readability
- Alternative language
- Readability (1-3, 1 being best): HV 2, GH 1
- FAQ
Category: Coverage
- De-activated accounts
- Buy/sell company
- Gathering non-personal data: cookies; solicit voluntary participation; web-service logs
- Opt-out options
- Detail how/if information is shared: different policy for identifiable & de-identified; business associates; family members; clinical trials; research; marketing; law enforcement; other
- Consent prior to sharing
Category: Definition of critical terms
- Personal health information
- De-identified
Category: Data guidelines compliant w/ privacy codes
- HIPAA
- URAC
- Safe Harbor guidelines
- American Medical Association
- Health on the Net Foundation
Category: Security provisions
- SSL encryption
- Location of servers
Definitions
Privacy: An individual’s right to control the acquisition, uses, or disclosures of his or her identifiable data
Confidentiality: Refers to the obligations of those who receive information to respect the privacy interests of those to who the data relate
Security: Refers to the physical, technological, or administrative safeguards or tools used to protect identifiable health data from unwarranted access or disclosure
Source: Altarum
Bibliography
Anderson, Howard J. “PHRs: Where Are We Headed?; Cutting through the hype about personal health records to assess their long-term viability.” Health Data Management. May 2008. Retrieved 27 May 2009. Lexis Nexis.
Armijo, D., S. Chin, J. Christensen, J. Desper, A. Hong, K. Knewale, R. Lecker (Altarum). “Review of the Personal Health Record (PHR) Service Provider Market: Privacy and Security.” January 5, 2007. Retrieved 26 May 2009. Google.
Center for Democracy and Technology. “Why the HIPAA Privacy Rules Would Not Adequately Protect Personal Health Records.” September 2008. Retrieved 26 May 2009. Lexis Nexis.
Chilmark Research. “iPHR Market Report: Analysis & Trends of Internet-based Personal Health Records Market.” May 2008. Retrieved 27 May 2009. Google.
Conn, Joseph. “Safe and secure?; Data encryption just one option under security law.” Modern Healthcare. May 11, 2009. Retrieved 28 May 2009. Lexis Nexis.
Cushman, Reid. “PHRs and the Next HIPAA.” Retrieved 28 May 2009. Lexis Nexis.
Gerber, Michael S. “New Ways to Manage Health Data.” The Washington Post. March 11, 2008. Retrieved 28 May 2009. Google.
More, John. “Why Extending HIPAA to PHRs is NOT a Good Idea.” May 5, 2008. Chilmark Research blog. Retrieved 26 May 2009.
Robeznieks, Andis. “Getting personal; Legal Liability, patient- data overload among issues making physicians uneasy over emergence of personal health records.” Modern Healthcare. May 12, 2007. Retrieved 27 May 2009. Lexis Nexis.
American Medical Association: http://www.ama-assn.org/
Electronic Privacy Information Center (EPIC): http://epic.org/
Fierce Health IT: http://www.fiercehealthit.com/search?cx=011289095233894766042%3Ac5fapsqk1gy&cof=FORID%3A9&as_q=PHR&sa=Go#1226
Google Health Privacy Policy: http://www.google.com/intl/en-US/health/privacy.html
Government Health IT: http://govhealthit.com/portals/electronic-health-records.aspx
Microsoft HealthVault Privacy Policy: http://healthvault.com/privacy-policy.html
Office for Civil Rights. “Personal Health Records and the HIPAA Privacy Rule.” Retrieved 26 May 2009. http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf
Privacy Rights Clearinghouse: http://www.privacyrights.org/
U.S. Department of Health & Human Services: http://www.hhs.gov/ocr/privacy/index.html