Thinking Beyond HIPAA: PHRs and Privacy

Personal Health Records & HIPAA

DESCRIPTION

While this presentation offers a rudimentary understanding of HIPAA as it relates to PHRs, its primary objective is to highlight key aspects of PHR privacy policies provided by non-covered entities (Microsoft & Google) and argue that HIPAA, after significant amendments, should be extended to them.

Page 1: Personal Health Records & HIPAA

Thinking Beyond HIPAA: PHRs and Privacy

Page 2: Personal Health Records & HIPAA

Outline

✓ HIPAA Privacy Rule and “covered entities”

✓ PHRs

✓ Google Health’s privacy policy vs. HealthVault’s

✓ Arguments for/against extending HIPAA coverage

✓ Author’s recommendation

Page 3: Personal Health Records & HIPAA

What you need to know about HIPAA

Page 4: Personal Health Records & HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 Privacy Rule governs covered entities’ use and disclosure of individuals’ protected health information (PHI) in any form. It has built-in standards for privacy and security, including standards governing disclosure, access, and correction.

HIPAA

Sources: EPIC.org; Office for Civil Rights

PHI is a subset of individually identifiable health information that is maintained or transmitted in any form (including oral) and is created or received by a health care provider.

It relates to the past, present or future physical or mental condition of an individual; provision of health care to an individual; or payment for that health care; and identifies or could be used to identify the individual.

Page 5: Personal Health Records & HIPAA

The HIPAA Privacy Rule gives you a right to privacy with respect to those people (covered entities) you HAVE to share your health secrets with, not those you CHOOSE to share them with.

Page 6: Personal Health Records & HIPAA

A “Covered Entity” Is:

- A health plan: provides insurance

- A healthcare clearinghouse: converts health data into or out of standard formats

- A healthcare provider: provides healthcare or services as defined under HIPAA.

- A sponsor: provides Medicare prescription drug cards

Page 7: Personal Health Records & HIPAA

A “Non-Covered Entity” Is Everything Else. Including:

- Employers

- Internet Companies

Page 8: Personal Health Records & HIPAA

This is why HIPAA non-covered entities are not necessarily in defiance of HIPAA.

Because HIPAA gives patients the right to access, inspect, and copy PHI held by covered entities, patients are able to manually input their health information into PHRs offered by non-covered entities.

Page 9: Personal Health Records & HIPAA

[Diagram: Covered Entity → Non-Covered Entity (= Most Control)]

HIPAA still regulates how information from a covered entity enters a PHR.

Source: Office for Civil Rights

Page 10: Personal Health Records & HIPAA

HIPAA Privacy Shortcomings

✓ Large degree of sharing information without consent

- Loophole in “health care operations” category

- Loophole in usage of limited data sets

Sources: Office for Civil Rights; Modern Healthcare

In a limited data set only 16 specified identifiers are removed, which is 2 identifiers short of fully de-identified data:

1) Dates: including those for the patient’s birth, admissions, treatment, discharge, and payment history

2) Geographical locators: such as city, state, and ZIP codes, which stay with the patient’s records.
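To make that two-identifier gap concrete, here is an added Python example (not part of the presentation) that strips the 16 direct identifiers a limited data set excludes from a constructed patient record, then applies the further generalization the slide says is missing (dates reduced to the year, city dropped, ZIP reduced to a 3-digit prefix, following the Privacy Rule’s Safe Harbor method, which the deck does not spell out) and checks whether the date-of-birth/gender/ZIP combination survives. Field names and the sample record are constructed.

```python
"""Contrast a HIPAA limited data set with Safe Harbor de-identified data.

The 16 direct identifiers stripped for the limited data set follow the
Privacy Rule; the extra date/ZIP generalization follows the Safe Harbor
method (simplified: the ZIP population-size exception is ignored).
Field names and the patient record are constructed for this example.
"""
import re

# Direct identifiers a limited data set must exclude (field names are ours).
LIMITED_DATA_SET_EXCLUDED = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "certificate_license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric_id", "full_face_photo",
}

# Date fields the slide says a limited data set still keeps in full.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "payment_date"}


def limited_data_set(record: dict) -> dict:
    """Remove the 16 direct identifiers; dates and geography stay intact."""
    return {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_EXCLUDED}


def safe_harbor_deidentify(record: dict) -> dict:
    """Go the two steps further: keep only the year of each date, drop the
    city, and reduce the ZIP code to its 3-digit prefix."""
    out = limited_data_set(record)
    for field in out.keys() & DATE_FIELDS:
        out[field] = out[field][:4]  # ISO 'YYYY-MM-DD' -> 'YYYY'
    out.pop("city", None)
    if "zip" in out:
        out["zip"] = re.sub(r"^(\d{3})\d{2}$", r"\1**", out["zip"])
    return out


def exposes_tang_triple(record: dict) -> bool:
    """True if a full date of birth, gender and 5-digit ZIP all survive: the
    combination Paul Tang says identifies 86% of people in the US by name."""
    dob = record.get("birth_date", "")
    return (len(dob) == 10 and "gender" in record
            and re.fullmatch(r"\d{5}", record.get("zip", "")) is not None)


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "email": "jane@example.invalid",
    "medical_record_number": "MRN-0001", "ip_address": "192.0.2.10",
    "birth_date": "1970-05-14", "gender": "F", "city": "Palo Alto",
    "state": "CA", "zip": "94301", "admission_date": "2008-09-29",
    "diagnosis": "Type 2 diabetes",
}

if __name__ == "__main__":
    print("limited data set exposes DOB/gender/ZIP:",
          exposes_tang_triple(limited_data_set(SAMPLE)))
    print("safe harbor record exposes DOB/gender/ZIP:",
          exposes_tang_triple(safe_harbor_deidentify(SAMPLE)))
```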

Page 11: Personal Health Records & HIPAA

Limited Data

“Just giving a date of birth, gender and ZIP code can identify 86% of people in the United States by name.” - Paul Tang, Chief Medical Information Officer of Palo Alto Medical Foundation

Modern Healthcare, 01607480, September 29, 2008, Vol. 38, Issue 39

Page 12: Personal Health Records & HIPAA

Ex. Loopholes

Source: EPIC.org

“A drug manufacturer can pay a physician or a pharmacy to send refill reminders to patients, or to send information about a drug to all patients identified with a particular condition or taking particular medications. Although the drug manufacturer would not get the PHI from the physician or pharmacy, it would accomplish the same marketing goals by paying someone else to promote its products.”

Source: Chilmark Research

“Health care entities are allowed, for fundraising activities, to release to business associates - without explicit individual authorization - limited patient information...This clause was responsible for the data breach at UCLA Medical Center when they hired an outside firm to do a fund raising program.”

Page 13: Personal Health Records & HIPAA

What you need to know about PHRs

Page 14: Personal Health Records & HIPAA

PHRs

“A personal health record (PHR) is an electronic record of an individual’s health information by which the individual controls access to the information and may have the ability to manage, track, and participate in his or her own health care.”

Source: Office for Civil Rights

Page 15: Personal Health Records & HIPAA

EHRs

Not to be confused with PHR, EHR stands for electronic health record and refers to a system that collects patient medical data from multiple sources exclusively for health care providers.

Page 16: Personal Health Records & HIPAA

EHRs & ARRA

The House just passed the American Recovery & Reinvestment Act (ARRA) of 2009, in part to incentivize healthcare providers to migrate to EHRs.

Source: American Medical Association & Health Data Management Magazine

In turn, this legislation may increase the availability and reliability of PHRs.

Source: AMA

Health Information Technology Provision: Provides $19 billion of financial incentives to help physicians purchase and implement HIT, specifically for the development of uniform electronic standards.

Page 17: Personal Health Records & HIPAA

ARRA

Privacy Provision: Expands the current HIPAA privacy & security protections around the e-transfer of patient health info through Health Information Technology systems. And, proposes temporary breach notification requirements for previously unregulated entities.

Source: American Medical Association & Health Data Management Magazine

NOTE: The Privacy Provision is a “Draft Rule,” meaning that it is a temporary requirement that will remain in effect until Congress passes new legislation based on a report currently in development by the Health & Human Services and the Federal Trade Commission.

Source: info.rmatics.org

“A breach of security is defined as the acquisition of identifiable health information of an individual, from a PHR, without authorization. De-identified information falls outside the scope of the rule.”

Page 18: Personal Health Records & HIPAA

The FTC staff estimates that PHR-related companies would on average experience 11 data breaches a year, with the associated breach notification costs averaging $1M a year for each company.

Source: Modern Healthcare. April 20, 2009 v39 i16 p10.

Page 19: Personal Health Records & HIPAA

Things to look for in privacy policies

Page 20: Personal Health Records & HIPAA

NC Privacy Policies

Privacy policies vary widely among PHRs offered by HIPAA non-covered entities. Even the top two Internet companies’ PHR privacy policies have discrepancies, which makes informed consent less likely.

NOTE: The following slides represent privacy policy information I found posted on the websites of Google Health and Microsoft HealthVault.

Page 21: Personal Health Records & HIPAA

Sharing Info

“We do not sell user health information, and we do not share it with other individuals or services unless a user explicitly authorizes us to do so, or in the limited circumstances described in our privacy policy.”

“If you share your information with others, you can view a list of who has access to your information and you can revoke sharing privileges at any time.”

“You can approve access for some websites to view your health information. If a website accesses your health information and stores a copy of your info, that copy will be governed by that site’s privacy policy...Google is not responsible for the content, performance, or privacy policy of third-party websites.”

Source: Google Health Privacy Policy & HealthVault Privacy Policy

“No Program or individual has access to your info through the Service unless and until an authorized user opts-in.”

“Service users with whom you have shared your records can also give a Program access to those records. You can see a complete history of how Programs have accessed the information in your records.”

“You can decide which Programs you want to use. You must approve (or deny) the Program’s access. The access request will include (a) the type of info the Program will access and (b) what the Program wants to do with the info (view, add, modify). The Service [also] provides links to each Program’s privacy statements at the time the Service asks you to authorize the Program’s access.”

Page 22: Personal Health Records & HIPAA

Non-PII, PII, Employees

Source: Google Health Privacy Policy & HealthVault Privacy Policy

“Aggregate, de-identified user information can be used to publish trends.”

“A limited number of employees in particular job functions may have access to user information in order to operate and improve Google Health.”

“We use personal information collected through the Service, including health info, to provide you with important info about the Service; to send you the HealthVault e-mail newsletter if you opt-in; & to determine your age and location to help determine whether you qualify for an account.”

“Microsoft may use aggregated info from the Service to improve the quality of the Service and for marketing of the Service...Microsoft does not use your individual account and record information from the Service for marketing without first asking for and receiving your opt-in consent.”

“Microsoft occasionally hires other companies to provide limited services on our behalf, such as answering customer questions about products. We give those companies only the personal information they need to deliver the service.”

Directed to another privacy policy provided by Google.

Page 23: Personal Health Records & HIPAA

Security, Deleting Info, Compliance

“You can completely delete your info at any time. Such deletions will take immediate effect in your account, and backup copies may persist for a short time.”

“You can close your account at any time. We will wait 90 days before permanently deleting your account.”

“Google Health secures information by using SSL encryption, back up systems, and other cutting-edge information security technology.”

“Google adheres to the US Safe Harbor privacy principles.”

“HealthVault complies with the HONcode (Health On The Net Foundation) standard for trustworthy health information.”

“Microsoft is a member of the TRUSTe Privacy Program.”

Source: Google Health Privacy Policy & HealthVault Privacy Policy

“We use a variety of security technologies and procedures...we store the personal information you provide on computer servers w/ limited access that are located in controlled facilities (in the U.S.A.)...the Service sends all communications (except e-mail) using SSL.”

Page 24: Personal Health Records & HIPAA

Communication, Readability

“For material changes, changes to the privacy policy, we will notify you either by placing a notice on the home page of the HealthVault Web site or by sending you a notification directly...Your continued use of the service constitutes your agreement to this privacy statement and any updates.”

NO mention of a notification if the privacy policy is changed or a stipulation necessitating opt-in consent to new changes.

3 different sites you have to refer to for complete privacy policy coverage: Google Health Developer Policies, Department of Commerce for Safe Harbor Framework, Google Privacy Policy

3 different sites you have to refer to for complete privacy policy coverage: Service Agreement, Code of Conduct, Health on the Net Foundation

Source: Google Health Privacy Policy & HealthVault Privacy Policy

Overall, the GH policy is conversational and concise, with little to no industry jargon. Note: Only those privacy issues specific to the Google Health product were listed (to learn about the more generic, applicable policies, users are directed to the Google company privacy policy).

Comprehensive policy, some industry jargon, sufficient level of detail.

Page 25: Personal Health Records & HIPAA

Strengths, Weaknesses

The strengths of the Google Health Privacy Policy are: readability & opt-in standards.

The weaknesses of the Google Health Privacy Policy are: defining key terms (like PII), no granular control of personal health data when sharing with 3rd parties, communication with subscribers.

The strengths of the Microsoft HealthVault Privacy Policy are: communication with subscribers, opt-in standards & granular control of personal health data when sharing with 3rd parties.

The weaknesses of the Microsoft HealthVault Privacy Policy are: defining key terms (like PII) & readability.

Page 26: Personal Health Records & HIPAA

“Among experts, Microsoft earns generally high marks for its promise not to divulge information without a user’s say so. HealthVault lets patients search for health information without leaving the site - so other sites can’t access users’ IP address or other identifying data. And before connecting a patient to a partner’s or advertiser’s site, it posts that site’s privacy policy.” - Deborah Peel, Founder of Patient Privacy Rights

Source: The Washington Post. March 11, 2008. Page HE01.

Page 27: Personal Health Records & HIPAA

Arguments for and against extending HIPAA

Page 28: Personal Health Records & HIPAA

Pro HIPAA

✓ Minimum necessary clause

✓ Consistency among privacy coverage

✓ Strong security provisions

✓ Strong consumer coverage when enforced by HHS

✓ Less burden on individual consent

“Practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.”

Source: HHS.org

Page 29: Personal Health Records & HIPAA

Against HIPAA

✓ Insufficient rules to address issues unique to PHRs

- Ex. risks & penalties for data re-identification

✓ Not enforced unless a patient recognizes a violation

✓ Limited data set is an outdated standard for de-identifying data

✓ Loopholes that allow for disclosure without consent

Page 30: Personal Health Records & HIPAA

“Bringing third-party PHRs under the scope of HIPAA authorizes the disclosure of highly sensitive data outside the health care system, with each such disclosure subject only to patient authorization.”

Source: Center for Democracy & Technology

Meaning the burden of protecting healthcare privacy would fall more on the patients themselves if HIPAA were extended to non-covered entities, which could give more bargaining power to PHR providers.

Page 31: Personal Health Records & HIPAA

Opinion: Revise HIPAA before extending it

Page 32: Personal Health Records & HIPAA

Opinion: Revise

✓ Restrict PHR vendors from engaging in certain practices, alleviating some of the burden from the patient

✓ Necessitate opt-ins for all personal information shared

✓ Revoke the health care operations clause from PHR coverage

✓ Enact stricter rules on limited data sets (i.e. removing birth year)

✓ Standardize key terms, like personal health information

Page 33: Personal Health Records & HIPAA

Appendix

Page 34: Personal Health Records & HIPAA

PHR SWOT

Strengths: Patient control; Little to no fiscal cost; Portability; Promotes preventative medicine; Easier to manage chronic diseases; Easier to manage health of others

Weaknesses: Privacy; Data liquidity; Accuracy of data; Abundance of unhelpful data

Opportunities: Revisions to HIPAA; Granular control of 3rd-party access; Partnerships; Interoperability; Improved research; Counter healthcare costs

Threats: Current HIPAA Privacy Rule extended; Security; Doctor liability; Accuracy of data

Page 35: Personal Health Records & HIPAA

Altarum Criteria

[Table: Category / Criteria / HV / GH; the per-vendor check marks did not survive extraction, except for the Readability rating]

Communication w/ vendor: Contact Info; Effective Date; Notification of change in policy; Opt-in to changes

Readability: Alternative language; Readability (1-3, 1 being best): HV 2, GH 1; FAQ

Coverage: De-activated accounts; Buy/sell company; Gathering non-personal data; Cookies; Solicit voluntary participation; Web-service logs; Opt-out options; Detail how/if information is shared; Different policy for identifiable & de-identified; Business Associates; Family members; Clinical trials; Research; Marketing; Law Enforcement; Other; Consent Prior to Sharing

Definition of critical terms: Personal Health Information; De-identified

Data guidelines compliant w/ privacy codes: HIPAA; URAC; Safe Harbor Guidelines; American Medical Association; Health on the Net Foundation

Security provisions: SSL Encryption; Location of servers

Page 36: Personal Health Records & HIPAA

Definitions

Privacy: An individual’s right to control the acquisition, uses, or disclosures of his or her identifiable data

Confidentiality: Refers to the obligations of those who receive information to respect the privacy interests of those to whom the data relate

Security: Refers to the physical, technological, or administrative safeguards or tools used to protect identifiable health data from unwarranted access or disclosure

Source: Altarum

Page 37: Personal Health Records & HIPAA

Bibliography

Anderson, Howard J. “PHRs: Where Are We Headed?; Cutting through the hype about personal health records to assess their long-term viability.” Health Data Management. May 2008. Retrieved 27 May 2009. Lexis Nexis.

Armijo, D., S. Chin, J. Christensen, J. Desper, A. Hong, K. Knewale, R. Lecker. Altarum. “Review of the Personal Health Record (PHR) Service Provider Market: Privacy and Security.” January 5, 2007. Retrieved 26 May 2009. Google.

Center for Democracy and Technology. “Why the HIPAA Privacy Rules Would Not Adequately Protect Personal Health Records.” September 2008. Retrieved 26 May 2009. Lexis Nexis.

Chilmark Research. “iPHR Market Report: Analysis & Trends of Internet-based Personal Health Records Market.” May 2008. Retrieved 27 May 2009. Google.

Conn, Joseph. “Safe and secure?; Data encryption just one option under security law.” Modern Healthcare. May 11, 2009. Retrieved 28 May 2009. Lexis Nexis.

Cushman, Reid. “PHRs and the Next HIPAA.” Retrieved 28 May 2009. Lexis Nexis.

Gerber, Michael S. “New Ways to Manage Health Data.” The Washington Post. March 11, 2008. Retrieved 28 May 2009. Google.

More, John. “Why Extending HIPAA to PHRs is NOT a Good Idea.” May 5, 2008. Chilmark Research blog. Retrieved 26 May 2009.

Robeznieks, Andis. “Getting personal; Legal liability, patient-data overload among issues making physicians uneasy over emergence of personal health records.” Modern Healthcare. May 12, 2007. Retrieved 27 May 2009. Lexis Nexis.

Page 38: Personal Health Records & HIPAA

American Medical Association: http://www.ama-assn.org/

Electronic Privacy Center: http://epic.org/

Fierce Health IT: http://www.fiercehealthit.com/search?cx=011289095233894766042%3Ac5fapsqk1gy&cof=FORID%3A9&as_q=PHR&sa=Go#1226

Google Health Privacy Policy: http://www.google.com/intl/en-US/health/privacy.html

Government Health IT: http://govhealthit.com/portals/electronic-health-records.aspx

Microsoft HealthVault Privacy Policy: http://healthvault.com/privacy-policy.html

Office for Civil Rights. “Personal Health Records and the HIPAA Privacy Rule.” Retrieved 26 May 2009. Google. http://209.85.173.132/search?q=cache:hvTysWy8IfsJ:www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf+Personal+Health+Records+and+the+HIPAA+privacy+rule&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a

Privacy Rights Clearinghouse: http://www.privacyrights.org/

U.S. Department of Health & Human Services: http://www.hhs.gov/ocr/privacy/index.html
