The PHR Privacy Loophole: Closing Fast?

June 24, 2011
Last week, Modern Healthcare reported that the Mayo Clinic has rolled out a personal health record system using Microsoft's Health Vault PHR platform. In a move that was reported to have "saved a whole lot of HIPAA hassles," the new PHR was not connected to the Mayo Clinic's existing electronic health record system. Instead, the PHR will be branded as the Mayo Clinic Health Manager.

It is true that PHR products are generally subject to far less rigorous HIPAA privacy requirements than EHR products. An EHR product is usually maintained by a hospital, medical group or other healthcare provider and is subject to all of the HIPAA Privacy Rule and Security Rule requirements applicable to covered entities because it is an extension of the traditional paper medical record.

A PHR, however, is typically under the ultimate control of the patient and, because patients are not HIPAA covered entities, the Privacy and Security Rule requirements do not apply. PHR vendors have begun to dispute whether they are required to sign business associate agreements with HIPAA covered entities when the covered entity sponsors or facilitates the provision of the PHR to its patients. The answer to that question will depend upon the facts and circumstances of the arrangement between a covered entity and a PHR vendor.

One thing that is not in question is that this will be a continuing source of tension. The HITECH Act imposes new security breach notification obligations on PHR vendors and related entities. In addition, the HITECH Act requires HHS to conduct a study and issue a report to Congress by February 18, 2010 on the applicability of privacy and security requirements to non-HIPAA covered entities, including PHR vendors. The report is required to include recommendations for (i) privacy and security requirements, (ii) the federal agency best equipped to enforce the requirements, and (iii) a timeline for implementing the regulations.

While PHR vendors may be able to escape a wide range of privacy and security legal obligations today, that time may be coming to an end soon.