Legal and Clinical Regulation of PHRs –

The Current FrameworkTom Jones, M.D.

Chief Medical Officer, Tolven, Inc.

Richard MarksPresident, Patient Command, Inc.

Why the focus on PHRs? PHR market development

Tethered PHRs Retail PHRs

Political support for PHRs Political concern for a comprehensive

legal framework to govern PHRs Bills introduced last session of Congress Activity this session Obama Administration initiatives

What do regulators want? Privacy advocates: concern about

consumer access and control Consumer advocates: poor service,

misleading advertising HIPAA covered entities: a level

playing field (or at least a consistent one)

Congress: a new, unregulated industry where misconduct is likely

What are the myths? PHRs today are presently

unregulated. HIPAA applies to PHRs. No laws apply to PHRs – they are the

Wild West. Congress must fashion a

comprehensive new regulatory framework, else PHRs will go unregulated and unsupervised.

PHR reality PHRs presently are subject to many

federal and state laws. These laws govern security, privacy, and

consumer protection. In many ways, these laws offer consumers

more sensible, more effective protection than HIPAA does for EHRs.

Congress can update and supplement existing law rather than trying to enact a whole new framework for an emerging industry that it doesn’t yet understand.

Laws governing PHRs today 1986 Stored Communications Act

(SCA), part of the Electronic Communications Privacy Act (ECPA)

Federal Trade Commission Act Computer Fraud and Abuse Act 1974 Privacy Act State privacy, consumer protection,

and data breach notification laws

Stored Communications Act Written for the world in 1986 Electronic communications services (ECS)

and remote computing service (RCS) – different protections – needs updating

Health record banks and most other PHRs fall within ECS, so consumers get strong protection – no disclosure without consumer consent

Problem of compelled disclosure to government remains

HIPAA and PHRs Myth: HIPAA governs PHRs. Fact: HIPAA governs doctors, hospitals,

health plans, drug plans (HIPAA “covered entities”).

HIPAA does NOT control what patients can do with copies of their records (eg, copies in a HRB).

Extending HIPAA – designed for “covered entities,” not patient-controlled records – beyond its present scope would be a big mistake.

Federal Trade Commission Act

Directed at deceptive trade practices including

Deceptive advertising Deceptive contracting practices

Regulates HRBs’ contractual promises to consumers

Computer Fraud and Abuse Act Applies to any computer used in

interstate or foreign commerce that affects interstate or foreign commerce or a communication of the U.S.

Punishes access or use that’s unauthorized or that exceeds authorization

Criminal: fines and imprisonment

Computer Fraud and Abuse Act Important to consumers who use their

PHRs in social networks (eg, disease channels) and to HRBs that facilitate social networking

U.S. v. Drew (C.D. Cal. 2008) Woman created fictitious MySpace page Teenager committed suicide Held: woman criminally liable for

violating MySpace terms of service

Considerations for legislation Important for Obama Administration

and for Congress. Is a new, comprehensive statutory

framework necessary for PHRs? How much does Congress know

about regulating the PHR industry? Is updating the existing statutory

framework more effective, and necessary in any event?

Issues that bother clinicians The topic of PHRs often generates controversy

among clinicians The main areas of concern are:

Control of information Completeness of information Validity of information Integration of Information Litigation risks Affordability

Will I lose control? I created the information, why can’t I keep it? You can keep it, you just need to give the patient

an accurate copy

Is the information complete? What is the patient hiding from me? The patient is undoubtedly hiding the same

things that he/she has always been hiding.

How can I trust the information? If the information comes from a PHR, how can I

know if it is accurate? Systems must provide authentication of

information if it originates elsewhere and then is transmitted through a PHR

How does this affect my EMR? If the patient sends me electronic information,

how can I see it in my EMR? The whole notion of an interoperable healthcare

information infrastructure depends upon standards for representing and exchanging information

Am I going to get sued? What happens if the patient sends me

information from his/her PHR and I don’t read it and then the patient has a problem that could have been prevented if I had read the PHR?

The same thing will happen as when you ignore a letter, phone message, or verbal information transcribed in your paper record

How can I afford this? I would like to be able to offer a PHR to my

patients; how can I afford to do so when I cannot even afford an EMR for my office?

Affordability can be achieved with new technology and new business models

Aspects of proposed legislation In order to explore the clinical information

landscape of PHRs, we will look at key aspects some existing legislative initiatives

We will relate sections of those initiatives to the clinical concerns mentioned earlier

Defining PHR The term ‘‘personal health record’’ means an

electronic record of individually identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual.

Stark

Preparing for regulation Not later than one year after the date of the

enactment of this Act, the Secretary, in consultation with the Federal Trade Commission, shall conduct a study on privacy and security requirements …that should be applied to

(A) vendors of personal health records; (B) entities that offer products or services through the website of a vendor of

personal health records; (C) entities that are not covered entities and that offer products or services

through the websites of covered entities that offer individuals personal health records;

(D) entities that are not covered entities and that access information in a personal health record or send information to a personal health record

Stark

Information integration The National Coordinator shall perform the

duties under subsection (c) in a manner consistent with the development of a nationwide

interoperable health information technology infrastructure… (Dingell-Barton)

health information technology infrastructure that allows for the electronic use and exchange of information…(Stark)

Interoperability has yet to be adequately addressed by CCHIT

Levels of interoperability Key to making health care information

electronically available is the ability to share that data among health care providers—that is, interoperability.

Interoperability is the ability for different information systems or components to exchange information and to use the information that has been exchanged.

This capability is important because it allows patients’ electronic health information to move with them from provider to provider, regardless of where the information originated.

GAO report 08-954‘Electronic Health Records: DOD and VA Have Increased Sharing of Health Information, but More Work Remains’

Privacy A substantial number of patients will not make

use of PHRs if their healthcare information is not protected

If patients will not use PHRs, sharing information with clinicians is more difficult

All of the pending legislation acknowledges the need for privacy

Protecting privacy Patient control of access to information should

be a critical feature of PHRs Patient access control does not imply loss of

“information ownership” Provider acquiescence should not be necessary Privacy violations need to be taken as seriously as home

invasions; judgments about the potential for harm should not create exceptions

Patient control of information flow Sensitive protected health information may be

segmented, with the goal of minimizing the reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns involving sensitive protected health information, while maximizing patient safety and clinical utility of the information.

Stark

Non-care information access Clinicians have obligations to report certain data

to public health organizations Participation in research activities may require

additional reporting The role of PHRs in such activities has yet to be

determined but must soon be articulated Patients must have control over information re-

use that is not legally required

Timeliness If providers cannot get information to and from

PHRs, their usefulness will be diminished There are multiple attempts to address this issue

in pending legislation

Affordability NEW YORK (CNNMoney.com) -- President-elect

Barack Obama, as part of the effort to revive the economy, has proposed a massive effort to modernize health care by making all health records standardized and electronic.

Here's the audacious plan: Computerize all health records within five years. The quality of health care for all Americans gets a big boost, and costs decline. President-elect wants to computerize the nation's health care records in five years. But the plan comes with a hefty price tag, and specialized labor is scarce.

CNN 1/12/09

Conclusions Practitioners and patients alike will be better

served by interoperable electronic health record systems that include PHRs that permit the patient to control the flow of his/her health information across clinical care settings

Attempts to craft further regulation of already protected healthcare information may prove to be counter-productive for PHR development and deployment