In February, President Barack Obama signed into law the stimulus bill, which, among its many healthcare IT and privacy components, included language that seemed aimed at bringing certain PHR systems providers under the privacy and security provisions of HIPAA.
Since the signing, however, a Google official indicated that the pertinent language on PHRs in the stimulus package missed the mark and doesn’t apply to Google Health.
A few days later, a Microsoft official said the company wasn’t sure whether the law applied to Microsoft’s PHR, since administrative rulemaking by HHS regarding the recovery act hasn’t been completed. The official said that Microsoft is studying the matter and the applicability of the new law to its HealthVault PHR.
Of the two giant PHR rivals, Microsoft was first out of the gate, launching HealthVault in late October 2007. In early 2008, Microsoft announced it had entered into a joint development agreement on the PHR with Mayo.
In February 2008, Google unsheathed its Google Health entry and gave it some added healthcare industry panache by also announcing it was entering into a pilot program on the PHR with the Cleveland Clinic.
Spokespersons for both the Mayo Clinic and the Cleveland Clinic initially said that they had not entered into “business associates” agreements under HIPAA, although the Cleveland Clinic’s chief information officer, C. Martin Harris, a physician, said that if the pilot project goes forward, its intention would be to have a business associate agreement in place with Google.
Section 13408 of the 785-page stimulus bill—in addition to roping in under the HIPAA privacy and security rules regional health organizations and prescription drug exchanges—includes language that takes aim at PHR vendors as well. The new law says “each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record” is also required to enter into a written, business associate agreement and “shall be treated as a business associate of the covered entity for purposes of” the privacy and security provisions of HIPAA. The statute also places business associates on equal footing with HIPAA “covered entities”—providers, health plans and claims clearinghouses—in terms of being responsible for complying with HIPAA privacy and security provisions and being subject to the penalty provisions of the law.
Language elsewhere in the legislation summarizing the work of the House/Senate conference committee that produced the final wording of the bill before it became law provides an even clearer summary of the legislative intent of Section 13408.
The conference summary describes the House version of the section, saying it “requires organizations that contract with covered entities for the purpose of exchanging electronic health information, for example, health information exchanges, regional health information organizations (RHIOs), and PHR vendors that offer their products through or for a provider or health plan, to have business associate contracts with those providers or health plans.” The House/Senate conferees adopted this language in the final bill.
Finally, David Brailer, the first head of the Office of the National Coordinator for Health Information Technology at HHS, wrote a column titled, “Presidential leadership and health information technology,” published online in the March-April edition of the policy journal Health Affairs. Brailer notes, critically, that “Congress has used the stimulus to legislate privacy changes without regard for the implications on information portability.” But Brailer conceded, “Some of the changes are good, such as bringing online information services such as Google Health and Microsoft HealthVault under the requirements of the HIPAA regulations to create a level playing field for all information intermediaries.”
For now, according to Mayo's Oestreich, at least as far as the clinic is concerned, the issue over whether Microsoft will become its business associate is still a hypothetical question.
“One kind of important point is: Yes, we had discussions with Microsoft when they announced (HealthVault), but we haven’t transferred any patient data into Microsoft,” Oestreich said. “We haven’t done anything further with Microsoft.”
“We are looking at ways where we can work together,” Oestreich said. “When we look at the privacy and security of personal health information, we want standards to be stringent. With these new privacy provisions, we’re looking to see how they impact our business. If the new law changes the nature of any of our business relationships, we will comply.”
But again, Oestreich said, “We haven’t transferred any data at this point.”
Cleveland Clinic spokeswoman Erinne Dyer in e-mail statement, said: "In evaluating the stimulus language, Cleveland Clinic is actively reviewing all of our relationships and determining requirements and next steps relative to business associate agreements. We will adjust those agreements accordingly."
What do you think? Submit a letter to Your Views. Please include your name, title, company and hometown. Health IT Strategist reserves the right to edit all submissions.
Also, please share your thoughts by taking our latest HITS reader poll.
