In my last posting, I explained why the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule does not really assure our privacy. This time I want to address another widespread myth – namely, that personal health records (PHRs) have no privacy protection. The news here (thankfully) is good – it turns out that publicly-available PHRs are in fact subject to quite stringent privacy protections under Federal law. In view of this, the frequent calls that are heard to extend HIPAA privacy “protections” to PHRs are misguided at best. HIPAA does not protect privacy and, as you will soon see, extending that “non-protection” to PHRs would actually eliminate our existing protections.
In 1986, the Electronic Communications Privacy Act (ECPA) was enacted (also known as the Stored Communications Act or SCA). The purpose of this law was to protect the privacy of electronic communications (primarily e-mail) and also data stored by a remote computing service. Specifically, ECPA prohibits the operator of a publicly-available remote computing service (such as a PHR) from releasing any information to any private party for any reason without the consent of the subscriber. Unlike HIPAA, there are no exceptions for treatment, payment, health care operations, or anything else. Therefore, at least for publicly-available PHRs, such as Microsoft HealthVault or Google Health, the organization holding the information MUST GET YOUR PERMISSION before releasing any of your data to any private party. The law is not long or complicated – I urge you to read it yourself if you have any doubts.
While the ECPA law was not expressly directed to PHRs (which were not really contemplated in 1986), or the Internet (which had yet to gain widespread attention and use), Congress did specifically consider the issue of health records in its deliberations. Senate Report No. 99-541 (1986) said “[t]he Committee also recognizes that computers are used extensively today for the storage and processing of information. With the advent of computerized recordkeeping systems, Americans have lost the ability to lock away a great deal of personal and business information. For example, physicians and hospitals maintain medical files in offsite data banks, …” (emphasis added, quoted from page 7013 of this recent Federal Appeals Court decision). Therefore, it was clearly the intent of Congress to protect our electronic medical records with this law.
Unfortunately, this does NOT mean that all PHRs are protected by Federal law. Only those that are “publicly-available” are included. While this clearly would apply to generally available web-based PHRs, systems provided only to specific individuals by employers, insurers, and even healthcare providers are less likely to be considered “publicly-available.” Therefore, ECPA protection is limited. So you are only covered if you use a PHR that is available to anyone. Clearly, it would be good to extend this strong Federal protection to all PHRs.
Another reason for concern if you use a PHR that is supplied by a HIPAA “covered entity” (which would include physicians, hospitals, employers, and health insurers) is that HIPAA, as explained before, does not protect your privacy. The holder of the information is allowed to release your data WITHOUT your consent for “treatment, payment, or health care operations” (TPO), without the necessity of keeping any records of such disclosures to prove their legitimacy after the fact. And even if a PHR from a HIPAA covered entity were to somehow be considered “publicly-available” and therefore be subject to ECPA, the legal argument is that HIPAA provides the consent required under ECPA for TPO uses (and therefore your information could still be released without your consent).
Having read this far, it should now be quite clear to you that extending HIPAA “protections” to PHRs makes no sense and would actually have the effect of making these systems just as unaccountable as everything else covered by HIPAA. On the other hand, extending the ECPA law to all PHRs (not just those that are “publicly-available”) would truly give us all strong Federal privacy protections (at least for our PHRs).