Legal and Clinical Regulation of PHRs – The Current Framework

Tom Jones, M.D., Chief Medical Officer, Tolven, Inc.
Richard Marks, President, Patient Command, Inc.
Why the focus on PHRs?
- PHR market development
  - Tethered PHRs
  - Retail PHRs
- Political support for PHRs
- Political concern for a comprehensive legal framework to govern PHRs
  - Bills introduced last session of Congress
  - Activity this session
  - Obama Administration initiatives
What do regulators want?
- Privacy advocates: concern about consumer access and control
- Consumer advocates: poor service, misleading advertising
- HIPAA covered entities: a level playing field (or at least a consistent one)
- Congress: a new, unregulated industry where misconduct is likely
What are the myths?
- PHRs are presently unregulated.
- HIPAA applies to PHRs.
- No laws apply to PHRs – they are the Wild West.
- Congress must fashion a comprehensive new regulatory framework, else PHRs will go unregulated and unsupervised.
PHR reality
- PHRs presently are subject to many federal and state laws.
- These laws govern security, privacy, and consumer protection.
- In many ways, these laws offer consumers more sensible, more effective protection than HIPAA does for EHRs.
- Congress can update and supplement existing law rather than trying to enact a whole new framework for an emerging industry that it doesn’t yet understand.
Laws governing PHRs today
- 1986 Stored Communications Act (SCA), part of the Electronic Communications Privacy Act (ECPA)
- Federal Trade Commission Act
- Computer Fraud and Abuse Act
- 1974 Privacy Act
- State privacy, consumer protection, and data breach notification laws
Stored Communications Act
- Written for the world in 1986
- Electronic communications services (ECS) and remote computing service (RCS) – different protections – needs updating
- Health record banks and most other PHRs fall within ECS, so consumers get strong protection – no disclosure without consumer consent
- Problem of compelled disclosure to government remains
HIPAA and PHRs
- Myth: HIPAA governs PHRs.
- Fact: HIPAA governs doctors, hospitals, health plans, drug plans (HIPAA “covered entities”).
- HIPAA does NOT control what patients can do with copies of their records (e.g., copies in a HRB).
- Extending HIPAA – designed for “covered entities,” not patient-controlled records – beyond its present scope would be a big mistake.
Federal Trade Commission Act
- Directed at deceptive trade practices, including:
  - Deceptive advertising
  - Deceptive contracting practices
- Regulates HRBs’ contractual promises to consumers
Computer Fraud and Abuse Act
- Applies to any computer used in interstate or foreign commerce that affects interstate or foreign commerce or a communication of the U.S.
- Punishes access or use that’s unauthorized or that exceeds authorization
- Criminal: fines and imprisonment
Computer Fraud and Abuse Act (continued)
- Important to consumers who use their PHRs in social networks (e.g., disease channels) and to HRBs that facilitate social networking
- U.S. v. Drew (C.D. Cal. 2008)
  - Woman created fictitious MySpace page
  - Teenager committed suicide
  - Held: woman criminally liable for violating MySpace terms of service
Considerations for legislation
- Important for the Obama Administration and for Congress.
- Is a new, comprehensive statutory framework necessary for PHRs?
- How much does Congress know about regulating the PHR industry?
- Is updating the existing statutory framework more effective, and necessary in any event?
Issues that bother clinicians
- The topic of PHRs often generates controversy among clinicians
- The main areas of concern are:
  - Control of information
  - Completeness of information
  - Validity of information
  - Integration of information
  - Litigation risks
  - Affordability
Will I lose control?
- I created the information, why can’t I keep it?
- You can keep it, you just need to give the patient an accurate copy
Is the information complete?
- What is the patient hiding from me?
- The patient is undoubtedly hiding the same things that he/she has always been hiding.
How can I trust the information?
- If the information comes from a PHR, how can I know if it is accurate?
- Systems must provide authentication of information if it originates elsewhere and then is transmitted through a PHR
How does this affect my EMR?
- If the patient sends me electronic information, how can I see it in my EMR?
- The whole notion of an interoperable healthcare information infrastructure depends upon standards for representing and exchanging information
Am I going to get sued?
- What happens if the patient sends me information from his/her PHR and I don’t read it, and then the patient has a problem that could have been prevented if I had read the PHR?
- The same thing will happen as when you ignore a letter, phone message, or verbal information transcribed in your paper record
How can I afford this?
- I would like to be able to offer a PHR to my patients; how can I afford to do so when I cannot even afford an EMR for my office?
- Affordability can be achieved with new technology and new business models
Aspects of proposed legislation
- In order to explore the clinical information landscape of PHRs, we will look at key aspects of some existing legislative initiatives
- We will relate sections of those initiatives to the clinical concerns mentioned earlier
Defining PHR
“The term ‘personal health record’ means an electronic record of individually identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual.” (Stark)
Preparing for regulation
“Not later than one year after the date of the enactment of this Act, the Secretary, in consultation with the Federal Trade Commission, shall conduct a study on privacy and security requirements … that should be applied to
(A) vendors of personal health records;
(B) entities that offer products or services through the website of a vendor of personal health records;
(C) entities that are not covered entities and that offer products or services through the websites of covered entities that offer individuals personal health records;
(D) entities that are not covered entities and that access information in a personal health record or send information to a personal health record” (Stark)
Information integration
- “The National Coordinator shall perform the duties under subsection (c) in a manner consistent with the development of a nationwide interoperable health information technology infrastructure…” (Dingell-Barton)
- “…health information technology infrastructure that allows for the electronic use and exchange of information…” (Stark)
- Interoperability has yet to be adequately addressed by CCHIT
Levels of interoperability
“Key to making health care information electronically available is the ability to share that data among health care providers—that is, interoperability. Interoperability is the ability for different information systems or components to exchange information and to use the information that has been exchanged. This capability is important because it allows patients’ electronic health information to move with them from provider to provider, regardless of where the information originated.”
GAO report 08-954, “Electronic Health Records: DOD and VA Have Increased Sharing of Health Information, but More Work Remains”
Privacy
- A substantial number of patients will not make use of PHRs if their healthcare information is not protected
- If patients will not use PHRs, sharing information with clinicians is more difficult
- All of the pending legislation acknowledges the need for privacy
Protecting privacy
- Patient control of access to information should be a critical feature of PHRs
- Patient access control does not imply loss of “information ownership”
- Provider acquiescence should not be necessary
- Privacy violations need to be taken as seriously as home invasions; judgments about the potential for harm should not create exceptions
Patient control of information flow
“Sensitive protected health information may be segmented, with the goal of minimizing the reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns involving sensitive protected health information, while maximizing patient safety and clinical utility of the information.” (Stark)
Non-care information access
- Clinicians have obligations to report certain data to public health organizations
- Participation in research activities may require additional reporting
- The role of PHRs in such activities has yet to be determined but must soon be articulated
- Patients must have control over information re-use that is not legally required
Timeliness
- If providers cannot get information to and from PHRs, their usefulness will be diminished
- There are multiple attempts to address this issue in pending legislation
Affordability
“NEW YORK (CNNMoney.com) -- President-elect Barack Obama, as part of the effort to revive the economy, has proposed a massive effort to modernize health care by making all health records standardized and electronic.
Here's the audacious plan: Computerize all health records within five years. The quality of health care for all Americans gets a big boost, and costs decline. President-elect wants to computerize the nation's health care records in five years. But the plan comes with a hefty price tag, and specialized labor is scarce.”
CNN, 1/12/09
Conclusions
- Practitioners and patients alike will be better served by interoperable electronic health record systems that include PHRs that permit the patient to control the flow of his/her health information across clinical care settings
- Attempts to craft further regulation of already protected healthcare information may prove to be counter-productive for PHR development and deployment