Microsoft Corp. is not saying the recent congressional attempt to bring personal health-record vendors under the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 doesn’t apply to its HealthVault PHR, at least not yet.
But the software giant won’t say for sure either, that, yes, the privacy provisions of the new American Recovery and Reinvestment Act of 2009 do cover its PHR offering.
“If this changes the nature of our relationships with covered entities, then we’ll comply,” said George Scriban, senior product manager for the Health Solutions Group at Microsoft.
In the meantime, “We haven’t changed any of our existing agreements with any of our partners, but we are studying the impact” of the act, Scriban said.
Asked if the company believes the PHR provisions of the new law apply to its PHR, Scriban said, “We don’t really know yet. It may or it may not.”
Microsoft says it is “still studying the effects” of the law on its agreements with various healthcare providers and health plans, both of which are so-called “covered entities” along with claims clearinghouses, and are thus fully liable under the privacy and security rules of HIPAA.
Last week, Roni Zeiger, an official with the giant search engine provider Google, said the new law did not apply to its Google Health PHR.
In February, President Barack Obama signed into law the 700-plus page American Recovery and Reinvestment Act, which included $19.2 billion for healthcare information technology funding and a 22-page section updating the privacy and security measures of HIPAA. Section 13408 requires that business associate agreements be written between covered entities and providers of “data transmission” services, specifically regional health information organizations, health information exchange organizations, electronic-prescribing gateways, and “each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as a part of its electronic health record.” Another section of the law said that business associates must fully comply with HIPAA and are liable under the law on the same basis as covered entities.
Yet another section of the law contains a summary of the actions of the conference committee that reconciled variations between the House and Senate versions of the legislation. The summary for Section 13408 explains that, “Current law does not explicitly include or exclude regional health information exchanges, regional health information organizations, and others offering personal health records for a covered entity from regulation under the privacy rule promulgated under HIPAA.”
The conference committee summary continues by saying, “The House bill requires organizations that contract with covered entities for the purpose of exchanging electronic health information, for example, health information exchanges, regional health information organizations (RHIOs), and PHR vendors that offer their products through or for a provider or health plan, to have business associate contracts with those providers or health plans.”
Scriban said that the privacy protections Microsoft has put in place and communicated to HealthVault users “have been very clear.”
“The record that our customers create is controlled by them,” Scriban said, adding that Microsoft considers itself not as an owner of a customer’s health information, but as “steward” of that information. “We won’t data-mine it or make commercial use of the information unless we explicitly ask them and they explicitly give consent,” he said.
Further, the healthcare providers and payers who have entered into agreements with Microsoft to equip their EHR systems so that they can transfer the medical records of their patients and members to HealthVault “feel confident that we are giving their members the appropriate level of privacy protections and control.”
Scriban said, looking at the law, coupled with comments and opinions he has heard on the subject, it seems as if Congress didn’t want companies or consumers to simply decide for themselves what level of privacy and security protection was adequate, and that leaving it up to them “might not be the wisest thing.”
As to divining legislative intent from the language of the new law, “Until the rulemaking comes down from HHS, I’m not entirely sure we know what the definitive intent” is, Scriban said.