New HHS Guidance States HIPAA Does Not Apply To PHRs

I hope you are all having a wonderful holiday season! I hadn’t planned to take the past few days off from blogging, but something like the flu (probably the flu) hit me like a bag of bricks on Christmas day and I’ve been curled in a fetal position in my bed for the past few days. Oddly enough, while lying there feeling like my bones were all slowly dissolving (and thinking about the types of body braces you’d need to create to deal with something like that!), I was also thinking about how silly it was for the Health Insurance Portability and Accountability Act (HIPAA; and any industry-specific data protection law) to define that the only organizations that would legally need to safeguard protected health information (PHI) are the narrowly defined covered entities (CEs): healthcare providers, healthcare insurers and healthcare clearinghouses.

It is the PHI that the Privacy Rule and Security Rule are trying to protect, so why didn’t they make the law apply to any organization that handled or otherwise accessed or possessed those 18 defined PHI items?
I know, I know…because 1) that makes too much sense, and 2) because lobbyists have historically had way too much influence and say over what our laws and regulations cover, along with way too many exemptions.
Ah, well, perhaps things will improve with the new administration…
Which reminds me of the new guidance I saw that the Department of Health and Human Services (HHS) put out on December 15 about how HIPAA applies to health information networks and organizations, such as Microsoft’s HealthVault and Google’s Health, in addition to those other organizations that have been around much longer, such as MedicAlert (which I’m so very happy my 84-year-old father, who lives alone, has…it has saved his life on at least 3 occasions).
The new OCR guidance, “Personal Health Records (PHRs) and the HIPAA Privacy Rule,” describes how health information organizations (HIOs) are generally not covered by HIPAA, but can operate as business associates under contract with one or more CEs.
There is a lot of information in the report, but much is extraneous and not directly applicable to the main question of how an HIO must (or has no legal obligation to) protect PHI.
Possibly the most telling paragraph is the last one:

“PHRs are a mechanism for individuals to engage in their own health care by being able to access and control their health information potentially at any time and from any computer at any location. The Privacy Rule applies directly to some PHRs and in other cases, will govern the flow of PHI from a covered entity into a PHR. In either situation, the Privacy Rule supports individuals’ use of PHRs as a mechanism to facilitate access to, and control over, their health information. Additionally, the use of PHRs can ensure that health care providers and health plans provide an individual with access to the individual’s health information, so that this information can be used by the individual in his or her PHR.”

A personal health record (PHR) is what the HIOs gather and store.
So, HIOs may be business associates, and possibly play by the associated CEs’ rules, but HIPAA provides no direct protection for PHI entrusted to PHRs.
Which circles back to the argument that data protection laws should be written to protect specific types of information regardless of the organization; they should not be written based upon industry.
Not only would personal information be more secure, it would also make the work of information security and privacy officers much easier as well…one data protection law to follow for a well-defined set of information items.
