HIPAA-potamus
In one of those classic "if I had a nickel" things ... you have no idea how many times I get asked if HealthVault is "covered" under HIPAA.
The short answer to that question is, very simply, NO. HealthVault is neither a covered entity nor a business associate as defined by HIPAA. But the more complete answer requires a few more words.
HIPAA was designed to regulate the flow of health information when it is out of the patient's direct control -- for example, when it is forwarded to third-party billing services by a provider. At the same time, the HIPAA authors recognized clearly that patients have a right to a copy of their own information, and they built into the legislation an explicit mechanism that allows for patients to request and receive that copy.
The obligations that HIPAA places on covered entities and business associates do not apply to the copy under the patient's control, because the patient is in the best position to decide which parts of their information they want to share, and with whom they want to share it.
HealthVault is, very simply, a tool for individual patients to manage health information that is under their control. The rules and choices around how that information is shared are under the exclusive control of the patient. When information is sent from a covered entity into a HealthVault record, it is done at the explicit request of the individual.
We believe strongly that not only is this approach completely in line with the intent of HIPAA regulation, but that it is essential if patients are truly to be empowered with their own information.
So is this a "get out of jail free" card for HealthVault? No way -- the obligations we have taken on around patient privacy, data security and third-party audits are frankly far more stringent than those that HIPAA-covered entities are required to adhere to. And if we don't deliver on those obligations -- we're out of business. That's a pretty strong motivation for us to do a good job.
Together with our legal team, we finally got our act together to publish a position paper that describes in detail why our assessment here is correct. If patient privacy is your thing, I encourage you to check it out.
Once again, our cards are on the table -- and we are confident we are doing the right thing. If you have any questions, ask them here and I will do my best to get a clear answer.
Comments
Anonymous
May 03, 2008
Sean, Thanks...this is a very helpful clarification. Many indeed are confused. I'm also glad to see you write: "Microsoft supports a comprehensive federal approach to privacy legislation." This also is wise. ...and I think it's in our collective interests to be PROACTIVE in spelling out what that comprehensive federal approach should look like, rather than passively waiting around to see what others might think is appropriate.
Vince
Anonymous
May 05, 2008
Sean has written a nice explanation about how HIPAA relates to HealthVault. In case you missed the link
Anonymous
May 19, 2008
I agree with your legal assessment (and the white paper) as far as a PHR not being covered under HIPAA. However, your comments and the white paper miss the point in my opinion. People are asking about HIPAA because they want to have some assurance that the systems and processes that hold their data will conform to the highest standards possible and, if not, that the company and individuals will be held accountable.

I have no doubt that Microsoft has an excellent track record in protecting data in its hosted solutions. However, from my own experience in Healthcare IT I can tell you it made a very big difference when companies knew they would be held accountable as well as the employees. We now spend a lot of effort being very careful about even internal communication of data, not to mention the top-to-bottom security audits that the company must pay for to ensure compliance. Without this type of industry-wide scrutiny of Health-related procedures around patient data I am not convinced it would have been something at the top of everyone's mind, but I can assure you in Healthcare (which you should already know) the concept of HIPAA is very much on everyone's mind and that fact is largely responsible for the gains.

When a company (rightly so) declares they are not covered under HIPAA it should send warning bells, because that company is most likely not configured to create a company-wide sense of urgency around patient privacy. Sometimes the worst cases aren't a break-in of your servers but instead a curious support person with access to data who just happens to look up their neighbor's record. If your company is not spending an enormous amount of energy (like all covered entities do) stressing and training everyone from low-level staff to the CEO on the importance and specific policies, then you probably aren't really getting the point.

It isn't just about the declared "disclosures" but it is also about avoiding the mistaken disclosures or inappropriate use of the data even internally. So yes, I agree Microsoft (and Google) are not covered under HIPAA, but I think it may actually mean that you need to prove what SPECIFIC processes and policies Microsoft is following to ensure privacy, since the covered entities already have to make that fairly clear. So far the terms seem quite open-ended in this regard; that, coupled with the declaration of not being a covered entity, is not very comforting. Patients have been educated to expect some specific behaviors from the HIPAA entities, so what should they now expect from the PHR vendors? I think the Microsoft HIPAA white paper is mostly looking at it from the legal perspective and that just isn't the main issue IMO. People are looking for a common standard of behavior which, without HIPAA, they have no point of reference for. The one provided thus far isn't as rigorous or open as the standards that the HIPAA entities have been acting on.

I do think the HealthVault solution has excellent support for lots of controls over the declared "sharing" scenarios to allow patients to control their own records. It is the unintended "sharing", either internal to Microsoft or with its partners, where there seems to be a need for more open expectation setting about how this data will really be protected.
Anonymous
May 19, 2008
The comment has been removed
Anonymous
August 15, 2008
Who are the author/s of HIPAA legislation...I need to write them
Anonymous
August 15, 2008
The comment has been removed
Anonymous
June 02, 2009
Early last May, I posted an entry that described our position regarding the relationship of HealthVault
Anonymous
March 11, 2014
Can the security breaches (published in Microsoft bulletins) adversely affect HIPAA-protected medical records in HealthVault and EHR companies like Allscripts etc. (Microsoft "Partners")?
Anonymous
March 11, 2014
Our HITECH obligation as a PHR is to report on actual breaches involving HealthVault, so not everything involving HealthVault is relevant. But in all cases, HealthVault activity does not impact the source EHRs like Allscripts. HV records may include copies of data from those systems, but there is no "live" or HIPAA-relevant connection between them. I hope that answer makes sense; if not, feel free to follow up directly via the contact form here and I'm happy to dig more deeply into your question.