The principles incorporate many of the elements already available under current federal and state privacy laws, such as an expectation of data security and prompt notification if information is lost, stolen or improperly accessed. But they also include a pair of patient consent provisions that were abridged in 2002 by HHS in a rewrite of the chief federal privacy rule under the Health Insurance Portability and Accountability Act. Specifically, those provisions are that individuals should be “able to decide who can access information” and “able to decide how and if sensitive information is shared.”
The framework was tested on Microsoft's HealthVault personal health record system, according to Dr. Deborah Peel, the Austin, Texas, psychiatrist and Patient Privacy Rights founder, whose organization also leads the Coalition for Patient Privacy.
“This comes from what the American public wants and was devised by Microsoft and PricewaterhouseCoopers,” Peel said. “Some of the bigger corporations see the future as the public controlling things. Microsoft wanted to distinguish itself from Google Health (its one-time rival as a developer of PHR platforms) and wanted HealthVault to be the privacy place and wanted to compete in that way.” PricewaterhouseCoopers saw a future auditing opportunity, she said. “We're now moving with the Blue Button where patients can access their information and control it. The ultimate consumer is the patient.”
Blue Button is a federal initiative, first developed by the Veterans Affairs Department three years ago, to use simple technologies to provide patients with copies of their medical records in formats they can use. Its rollout has since been expanded to other federal health programs and to the private sector.