Some PHRs Already Have Strong Federal Privacy Protection

In my last posting, I explained why the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule does not really assure our privacy. This time I want to address another widespread myth – namely, that personal health records (PHRs) have no privacy protection. The news here (thankfully) is good – it turns out that publicly-available PHRs are in fact subject to quite stringent privacy protections under Federal law. In view of this, the frequent calls to extend HIPAA privacy “protections” to PHRs are misguided at best. HIPAA does not protect privacy and, as you will soon see, extending that “non-protection” to PHRs would actually eliminate our existing protections.

In 1986, the Electronic Communications Privacy Act (ECPA) was enacted (also known as the Stored Communications Act or SCA). The purpose of this law was to protect the privacy of electronic communications (primarily e-mail) and also data stored by a remote computing service. Specifically, ECPA prohibits the operator of a publicly-available remote computing service (such as a PHR) from releasing any information to any private party for any reason without the consent of the subscriber. Unlike HIPAA, there are no exceptions for treatment, payment, health care operations, or anything else. Therefore, at least for publicly-available PHRs, such as Microsoft HealthVault or Google Health, the organization holding the information MUST GET YOUR PERMISSION before releasing any of your data to any private party. The law is not long or complicated – I urge you to read it yourself if you have any doubts.

While the ECPA law was not expressly directed to PHRs (which were not really contemplated in 1986), or the Internet (which had yet to gain widespread attention and use), Congress did specifically consider the issue of health records in its deliberations. Senate Report No. 99-541 (1986) said: “[t]he Committee also recognizes that computers are used extensively today for the storage and processing of information. With the advent of computerized recordkeeping systems, Americans have lost the ability to lock away a great deal of personal and business information. For example, physicians and hospitals maintain medical files in offsite data banks, …” (emphasis added, quoted from page 7013 of this recent Federal Appeals Court decision). Therefore, it was clearly the intent of Congress to protect our electronic medical records with this law.

Unfortunately, this does NOT mean that all PHRs are protected by Federal law. Only those that are “publicly-available” are included. While this clearly would apply to generally available web-based PHRs, systems provided only to specific individuals by employers, insurers, and even healthcare providers are less likely to be considered “publicly-available.” Therefore, ECPA protection is limited. So you are only covered if you use a PHR that is available to anyone. Clearly, it would be good to extend this strong Federal protection to all PHRs.

Another reason for concern if you use a PHR that is supplied by a HIPAA “covered entity” (which would include physicians, hospitals, employers, and health insurers) is that HIPAA, as explained before, does not protect your privacy. The holder of the information is allowed to release your data WITHOUT your consent for “treatment, payment, or health care operations” (TPO) without the necessity of keeping any records of such disclosures to prove their legitimacy after the fact. And even if a PHR from a HIPAA covered entity were to somehow be considered “publicly-available” and therefore be subject to ECPA, the legal argument is that HIPAA provides the consent required under ECPA for TPO uses (and therefore your information could still be released without your consent).

Having read this far, it should now be quite clear to you that extending HIPAA “protections” to PHRs makes no sense and would actually have the effect of making these systems just as unaccountable as everything else covered by HIPAA. On the other hand, extending the ECPA law to all PHRs (not just those that are “publicly-available”) would truly give us all strong Federal privacy protections (at least for our PHRs).

4 Responses to “Some PHRs Already Have Strong Federal Privacy Protection”

  1. dleyva08 says:

    Your comments regarding privacy of protected health information and Personal Health Records (PHRs) are right on point.

    There has been much discourse online about issues related to privacy and security of protected health information for not only PHRs but also for EHRs and health information data exchanges. As an RN, I can appreciate some of the apprehension regarding provisions for the privacy of protected health information, but as a former technology executive they may be unfounded.

    Technology standards and best practices exist today that can relieve these concerns, in addition to enacted privacy & security rules, if technology is implemented appropriately. Consider advances in technology used for online banking.

    In addition, education for healthcare professionals in the use of the technology is of paramount importance to ensure privacy. This means things like: don’t put your ID and password on a post-it note attached to the monitor (Yes, I have really seen this), log off the computer when you are finished or need to walk away. These situations are simply basic computer use knowledge; there are likely others.

    As you clearly stated, concerns about privacy and its enforcement exist.

    “extending the ECPA law to all PHRs (not just those that are “publicly-available”) would truly give us all strong Federal privacy protections (at least for our PHRs)”

    Recent legislation enacted as part of the HITECH Act can address some of these concerns. Beyond that, it is the responsibility of every user, software developer, facility, and provider to ensure they can use the technology in an appropriate, safe, and private manner.

  2. Carla says:

    In five years, the privacy debate over personal health records will be over, and you and I will be storing our medical records at a central location. Why? Because the benefits of better care and less paperwork will outweigh our current fears about breaches and inappropriate data-sharing. Whether that central location is Redmond, Mountain View or Boston will depend on whom we trust most with our medical information.

  3. Carla says:

    “MEANINGFUL USE” SHOULD ALSO INCLUDE A STANDARD FOR ACCURACY OF WHAT IS INCLUDED IN THE EHR. IT SEEMS THERE IS A LOT OF FOCUS ON PRIVACY AND SECURITY, BUT WHAT IS BEING DONE TO ENSURE ACCURACY OF WHAT GOES IN THE EHR? SHARED INFORMATION WILL DEFINITELY HAVE A POSITIVE EFFECT ON PATIENT OUTCOMES, BUT IF THE INFORMATION IS GARBAGE, HOW WILL THE OUTCOME IMPROVE? THIS IS AN AREA AHDI/MTIA IS WORKING ON.

  4. Georgeweme says:

    At this point in the convoluted development of medical information privacy, it might be best if the government or industry adopted guidelines for building security into PHRs and their add-on applications and into the mobile devices that are likely to become indispensable to health care. Thoughtful and strong security offers better hopes for protecting privacy than hundreds of pages of privacy regulations.