In response to the Health IT Strategist reader poll: "Should HHS in its rulemaking force Microsoft Corp., Google and other personal health-record providers to abide by the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996?":
The HIPAA standards were not designed for the privacy requirements of patient-controlled PHRs. HIPAA provides for a covered organization, such as a PHR record bank or HealthVault, to divulge personal health information, or PHI, to a business associate based on written assurances that the PHI will be appropriately used to carry out a business function with the covered organization. That is not a tight enough privacy assurance for PHRs, since under HIPAA the individual is not the final authority on who sees what.