The Mayo Clinic announced it had finally posted to the Web a personal health-record system in collaboration with Microsoft Corp.'s HealthVault PHR platform.
The clinic, which has an electronic health-record system but not a so-called tethered PHR connected to it, will be offering the branded PHR called the Mayo Clinic Health Manager with no data connectivity to the Mayo enterprise clinical EHR system, according to a spokeswoman for the Rochester, Minn.-based healthcare system.
Meanwhile, the legal framework between providers, PHR vendors and the federal government remains highly fluid.
Microsoft launched HealthVault in the fall of 2007 and, with much fanfare a few months later, announced it had entered into a joint development relationship with the high-profile Mayo Clinic organization.
Rival IT giant Google followed in short order with the launch of its Google Health PHR in February 2008 along with the announcement that it had its own marquee provider partner, the Cleveland Clinic.
At the time, spokespersons for both Microsoft and Google said their companies had not entered into business associate agreements with their provider organizations. And yet, such agreements are commonly required between provider organizations and their IT service providers under the privacy rule of the Health Insurance Portability and Accountability Act. Providers are included in a group called "covered entities" in HIPAA language.
Two provisions of the recently signed American Recovery and Reinvestment Act of 2009 took dead aim at regulating the heretofore largely unregulated PHR market with tougher privacy and security rules.
One of those provisions attempted to regulate PHR vendors that enter into HIPAA-covered business contracts with provider organizations and other covered groups. But the language of the provision was, to some minds, less than straightforward. It said, "each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record shall be required to enter into a written, business associate agreement with that covered group and shall be treated as a business associate of the covered entity for purposes of the privacy and security provisions of HIPAA."
Whether or not Congress was aiming that language at Google, a company spokesman claimed that Congress missed the mark and that the law doesn't apply to Google Health. A Microsoft spokesman said his company was still studying the law and would wait for HHS to issue rules to accompany the law before making a decision.
On April 16, the Federal Trade Commission issued an interim proposed rule under the authority of the law regulating PHR vendors and a host of businesses and service providers associated with them. These are organizations that are not covered groups or their business associates under HIPAA.
The FTC interim proposed rule is limited to breach notification in the event that personally identifiable data held by a PHR or its related entities are accessed by an unauthorized person. The FTC rule includes language that says it is implicated by companies or other organizations "that are not covered entities, and that offer products or services through the Web sites of covered entities that offer individuals personal health records."
The new FTC rule, then, appears to apply to the Mayo relationship with Microsoft.
"We do promote Mayo Clinic Health Manager on both MayoClinic.org and MayoClinic.com," said clinic spokeswoman Ginger Plumbo in an e-mail about the Mayo/Microsoft relationship.
"Mayo Clinic does not operate a tethered PHR, nor is Mayo Clinic Health Manager being offered to Mayo patients as a way to access their clinical records from Mayo Clinic," Plumbo said, adding, "There's no linkage to the Mayo EMR."
That probably won't always be the case, however, Plumbo said.
"With regards to Mayo Clinic's plans to allow patients to copy their records into HealthVault, or to promote Mayo Clinic Health Manager to Mayo Clinic patients, we are working toward that goal," Plumbo said.