The Mayo Clinic, Rochester, Minn., does not have a business associate agreement signed with software and search engine giant Microsoft Corp., its partner in a healthcare information technology development effort that will be based on Microsoft's personal health-record platform, HealthVault, said Mayo spokeswoman Ginger Plumbo.
A business associate agreement would bind Microsoft to comply with the same privacy rules as the Mayo Clinic and other so-called "covered entities" under the Health Insurance Portability and Accountability Act of 1996.
"We are just in the infancy of that relationship, and so we certainly have not agreed to, nor would we agree to, exchange any protected health information without, at a minimum, having that type of agreement in place, but we're not there yet," said Plumbo. She said Mayo is still in the "concept and vision and strategy" phase.
But asked specifically if Mayo had entered into a business associate agreement with Microsoft as defined under the HIPAA privacy rule that would cover any future collaboration with the software company, Plumbo balked. "I certainly cannot speculate on that. I can't say for sure what the agreement might look like." But, Plumbo reiterated, "We hold patient privacy very dear."
There has been no target date set for a rollout of a product under the collaboration, Plumbo said.
Last week, the Cleveland Clinic announced it had launched a joint PHR development effort with Google. The search engine giant also does not have a business associate agreement under HIPAA signed with Cleveland Clinic, sources at both organizations said, but Cleveland Clinic Chief Information Officer C. Martin Harris said that is because the program is still in its pilot stage. If the arrangement goes forward, Harris said, Cleveland Clinic intends to have a business associate agreement in place as it does with other organizations with which it shares patient data.
According to Harris, the pilot program began Feb. 18. Cleveland Clinic, in a news release announcing the plan, said it would invite 1,500 to 10,000 patients to join in the pilot program.
Washington lawyer and privacy consultant Robert Gellman is the author of a 16-page report, "Personal Health Records: Why Many PHRs Threaten Privacy," one of two issued last week on PHRs by the World Privacy Forum, a San Diego-based not-for-profit organization. The report singled out PHR systems developed by vendors that are not covered organizations and have advertising as their chief revenue source as the most problematic in terms of lack of privacy protection. Gellman said that he doubts that either Google or Microsoft will ever sign HIPAA business associate agreements with the clinics.
"If you said to Google, sign a business associate agreement, they would go screaming from the room," Gellman said. "They don't want a business associate agreement, because they want to market with the data."
But with the Google/Cleveland Clinic model, which involves inviting patients to participate, "They've got consent, so you don't need a business associate agreement."