Microsoft Corp. is not saying the recent congressional attempt to bring personal health-record vendors under the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 doesnt apply to its HealthVault PHR, at least not yet.
But the software giant wont say for sure either, that, yes, the privacy provisions of the new American Recovery and Reinvestment Act of 2009 do cover its PHR offering.
If this changes the nature of our relationships with covered entities, then well comply, said George Scriban, senior product manager for the Health Solutions Group at Microsoft.
In the meantime, We havent changed any of our existing agreements with any of our partners, but we are studying the impact of the act, Scriban said.
Asked if the company believes the PHR provisions of the new law apply to its PHR, Scriban said, We dont really know yet. It may or it may not.
Microsoft says it is still studying the effects of the law on its agreements with various healthcare providers, and health plans, both of which are so-called covered entities along with claims clearinghouses, and are thus fully liable under the privacy and security rules of HIPAA.
In February, President Barack Obama signed into law the 700-plus page American Recovery and Reinvestment Act, which included $19.2 billion for healthcare information technology funding and a 22-page section updating the privacy and security measures of HIPAA. Section 13408 requires that business associate agreements be written between covered entities and providers of data transmission services, specifically regional health information organizations, health information exchange organizations, electronic-prescribing gateways, and each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as a part of its electronic health record. Another section of the law said that business associates must fully comply with HIPAA and are liable under the law on the same basis as covered entities.