HIPAA, The HITECH Act, and How Google May Still Be Able to Distribute, and Profit From, Your Personal Health Info

August 6, 2009 by Jordan Cohen · 6 Comments
Filed under: EMR, Electronic Medical Records, IT 
Photo by Jonathunder

Below I will explore what seems to be a gaping hole in the HITECH Act. However, as with any new legislation, it is often necessary to reexamine the laws that preceded it, which in this case is HIPAA. This is particularly true given that the HITECH Act does not replace HIPAA. Rather, it provides, amongst other things, additional security and privacy safeguards with respect to health information. To that end, at least a cursory reexamination of HIPAA is required before understanding HITECH and the importance of comprehensive legislation.

HIPAA was a product of the 1990s, an era triggering nostalgic memories of grunge music for some, and the (in)famous Macarena dance for others. For a large part of this period, the Internet was accessed by a handful of tech-savvy individuals who dialed into services like CompuServe, Prodigy, and AOL. It was during this transition that Congress felt the need to make health insurance more portable, as well as to standardize the variegated electronic systems that were conducting nonstandard healthcare-related transactions. There was a concomitant concern that health information needed better protection. Thus, in 1996 Congress adopted the Health Insurance Portability and Accountability Act (HIPAA), giving HHS the responsibility to enforce it. However, the regulations enforcing privacy and security of health information would not be implemented until years later.

HIPAA’s Privacy Rule, which describes the appropriate use and disclosure of certain health information, came into force on April 14th, 2001, was updated in 2002, and required compliance by April of 2003. The Security Rule, which establishes the policies and best practices for securing health information, came into force in 2003. Thus, the Privacy and Security Rules (referred to below as HIPAA) came to life in a period of technological transition. New technologies like residential broadband Internet access and Wi-Fi networks were becoming the norm. Electronic Health Record (EHR) systems had been developed, but had only marginal penetration within certain academic medical centers and government entities. Consequently, the threats to patient privacy from early EHRs were much smaller than they are today, since these systems were not widespread and did not often share data across disparate regions. Thus, access to the systems was not necessarily available outside of the intranets where the servers were located.

Acronyms of HIPAA & HITECH (general definitions; see 160.103 for regulatory language)

PHI (Protected Health Information): Any oral or recorded information relating to any past, present, or future physical or mental health of an individual, the provision of healthcare to the individual, or the payment for the healthcare of that individual.

CE (Covered Entity): A group of entities whose use, disclosure, and protection of PHI is regulated by HIPAA and HITECH. CEs are comprised of:
  1) Health care providers (e.g. physicians) that submit transactions electronically.
  2) Health care plans (e.g. HMOs).
  3) Health care clearinghouses (public or private entities, including a billing service, repricing company, community health management information system, etc., that process or facilitate the processing of health information received from another entity from nonstandard form into standard form, or from standard form into nonstandard form).

BA (Business Associate): Individuals or organizations performing an activity involving the use or disclosure of PHI on behalf of the CE. BAs can include attorneys, accountants, shredding companies, billing companies, or any other person or organization that is not a CE but which is accessing a CE’s PHI.

EHR (Electronic Health Record): An electronic record of patient care comprised of information about the delivery of care, including demographic information, medications, diagnoses, etc.

PHR (Personal Health Record): An electronic record of patient care comprised of much of the same information that an EHR is comprised of, but which is created and maintained by the individual (usually a patient) as opposed to a provider. Prominent examples are Google Health and Microsoft HealthVault.

Given the historical context of HIPAA’s passage, it is easy to appreciate HIPAA’s missteps in not specifically focusing on EHRs or PHRs. Rather, HIPAA regulates protected health information at a broader level, focusing primarily on the “use and disclosure” of PHI by CEs, and on the best practices and policies for securing the PHI itself. To be fair, the Security Rule does focus on PHI that is stored and transmitted electronically. However, even the most stringent best practices and policies are useless if the corresponding privacy regulations are inadequate.

But the times they are a-changin’ (sort of).

Buried on page 112 of the American Recovery and Reinvestment Act (ARRA), also known as the Stimulus Bill, is Title VIII of the bill, known as the Health Information Technology for Economic and Clinical Health Act, or more commonly, the HITECH Act. One (of the many) purposes of the HITECH Act is to fill in the gaps that have emerged since the Privacy and Security Rules came into force. But like before, we are in a transition period. Whereas HIPAA’s passage coincided with a period of generalized transition towards digital information, HITECH has coincided with its own transition: the implementation of personal health records (PHRs). Unfortunately, the current HITECH Bill and regulations have serious flaws in how they protect patient information stored in PHRs. However, before discussing the problems, it is only fair to discuss the benefits to privacy and security that HITECH’s passage has provided.

Specifically, HITECH introduces breach notification requirements. HITECH’s provisions govern the procedures which CEs and BAs must follow if health information has been compromised. HITECH also empowers the FTC to promulgate regulations pertaining to the notification procedures of PHR vendors (as well as those who offer services to PHR vendors). The FTC’s proposed breach notification requirements can be found here. Thus, CEs, BAs, and PHR vendors are, for the first time, required by law to notify individuals if their unsecured PHI has been accessed by unauthorized individuals. Surprisingly, this was not required under HIPAA. CEs were obligated to notify individuals only insofar as the CEs were required by HIPAA to mitigate damages. But now, with the passage of HITECH, breach notification is no longer amorphous, but is spelled out in detail in HITECH’s regulations.

Additionally, HITECH requires BAs to abide by many of the same privacy and security requirements that CEs have had to abide by. Before HITECH, a BA, such as an attorney reviewing the PHI of a CE, was required to sign an agreement promising to protect the PHI that it was accessing, but was not itself regulated by HIPAA. Thus, BAs had only contractual liability to the CE if the BA violated the terms of the agreement. On the other hand, if a CE violated HIPAA, it was subject to specific penalties and fines by the government.

Under HITECH, BAs must now comply with much of the Privacy and Security Rule, and face many of the same penalties and fines if they violate HIPAA regulations. That is, BAs are now accountable to the government if they improperly use or disclose PHI, or fail to adequately secure PHI.

HITECH also offers other benefits, such as increased enforcement of violations, a strengthening of the requirement that only the minimum necessary information is disclosed to other CEs or BAs, a more thorough framework for accounting of uses and disclosures, as well as certain prohibitions on the sale of PHI.

The last benefit of HITECH, the prohibition on the sale of PHI, is a perfect springboard for discussing the potential pitfalls of HITECH. The benefits of HITECH may well be sufficient to shore up HIPAA’s gaps when it comes to regulating CEs and BAs. However, as HITECH’s regulatory language makes clear, there remains a gaping hole:

(d) Prohibition on Sale of Electronic Health Records or Protected Health Information-

(1) IN GENERAL- Except as provided in paragraph (2), a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization

The emphasis is added to underscore that PHRs are not included in this provision. There are no corresponding provisions in the FTC’s proposed regulations, which concern breach notification. The upshot of this is that, as of the date of this posting, PHR services like Google Health and Microsoft HealthVault are not subject to this prohibition, nor is there a provision in HITECH mandating that PHRs comply with HIPAA’s Privacy and Security Rules. Therefore, PHR vendors can use, disclose, and possibly even sell an individual’s health information outside of the HIPAA and HITECH regulations. This problem underscores a larger issue: PHRs are not regulated by HIPAA, and are only regulated by HITECH insofar as the FTC’s interim rule requires certain breach notification procedures. However, the interim rule does not define the appropriate use or disclosure of health information by PHR vendors. The only exception to this is when the PHR vendor offers PHR services to patients through the patient’s relationship with a CE, as is the case in Google Health’s partnership with the Cleveland Clinic. However, Google Health and Microsoft HealthVault have been courting individuals, outside of their relationship with providers or health plans, to sign up and upload information to their servers.

Therefore, it presently appears that most individuals desiring the advantages of PHRs must take Google and Microsoft at their word when they promise to protect an individual’s health information. As the publication Wired noted over a year ago:

The obvious objection to the initiative [Google Health] is that it would be a potential disaster if users’ medical records get into the wrong hands. Google has responded to skepticism by repeating — over and over again — that user privacy is of tremendous concern.

“Privacy is in the control of each user,” said Roni Zeiger, the Google Health Product Manager. “We will not sell users’ data, and we will not share it unless the user has asked us to.”

Individuals would have little reason to worry if Zeiger’s statement were not subject to doubt. However, as of the writing of this post, Google Health’s privacy policy states that:

Google will not sell, rent, or share your information (identified or de-identified) without your explicit consent, except in the limited situations described in the Google Privacy Policy, such as when Google believes it is required to do so by law.

The emphasis is to underscore that Google maintains exceptions to Zeiger’s statement, and it would seem that there is good reason to believe that there are additional exceptions for sharing PHI beyond those times when it is “required to do so by law”. The key terms are “situations”, which is decidedly plural, and “such as” instead of “only”, which renders the “required to do so by law” language a mere example of one of the instances in which Google, according to its Privacy Policy, may part with the information. More specifically, the reference to the Google Privacy Policy appears to preserve Google’s ability to use an individual’s health information in the same way it reserves the right to use the information stored by individuals on other Google services such as Gmail and Google Documents.

Google’s privacy policy, which contains the law enforcement exception, states that:

Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:

  • We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
  • We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security measures.
  • We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.

Google also compares its privacy policy to HIPAA, and in that comparison appears to reserve even greater latitude by retaining the ability to work with a host of possible third parties:

Google Health may share information with explicit user authorization, and may share without authorization in certain limited circumstances, such as:

  • With contractors and vendors operating solely on Google’s behalf (subject to security and confidentiality requirements)

The “security and confidentiality requirements” are, to be sure, not a reference to HIPAA but to Google’s internal requirements. Thus, as it currently stands before the final regulations come into force, Google can pass an individual’s health information to a subsidiary, affiliated company, contractor, or vendor, under the condition that those third parties comply with Google’s privacy and security requirements.

Worth noting, according to PatientPrivacyRights.org: “Ryan Howard, the CEO of Practice Fusion, [a company which offers a free, web-based Electronic Health Record to physicians] is quoted [in Healthcare IT News] as saying, ‘Every healthcare vendor is selling data. Everyone has this data, but we’ll have more of it and it will be real-time and aggregated.’ Practice Fusion subsidizes its free EMRs by selling de-identified data to insurance groups, clinical researchers and pharmaceutical companies and by placing medically relevant ads within the EMRs, Howard said.”

Also worth noting is that, according to The Health Care Blog, Practice Fusion just received an investment from Salesforce.com.

Currently, no regulations exist that would require PHR vendors to, for example, de-identify data. This creates a regulatory gap that forces consumers to rely on the privacy policies of the PHR vendors, as well as on the strength of the contracts that these vendors have with those who access their sensitive health information.

Importantly, this gap (i.e. the regulatory gap created if Google is not considered a CE or BA) is quite similar to the gap that HITECH has filled with regard to the purely contractual relationship that existed between CEs and BAs under HIPAA. That is, the government learned that purely contractual liability between CEs and BAs was not enough to prevent inappropriate uses and disclosures, and has thus made BAs subject to the same restrictions governing the use and disclosure of PHI that CEs had been subject to under HIPAA. As it stands now under HITECH, Google (and any PHR vendor for that matter) is only subject to the breach notification requirements in the interim FTC rule (assuming, as discussed earlier, that it is not offering the PHR to patients of a provider as part of the provider’s EHR, which would make it a business associate; see HITECH Section 13408).

The FTC and HHS are required by HITECH (Section 13424(b)) to develop more specific recommendations, and to report their findings to members of Congress by February 17, 2010. One of the issues that the FTC and HHS are required to address is the security and privacy requirements applied to PHR vendors. If Congress fails to enact legislation to regulate the use and disclosure of PHI by PHR vendors, or HHS fails to do the same through regulation, it could spell disaster for the adoption of PHRs. If such a scenario were to occur, the Obama administration’s multi-billion dollar health IT vision would be forced to either ignore the privacy issues of a Wild West-style PHR marketplace, abandon the patient-centered approach to care offered by PHRs, or rectify the mistakes of HITECH in much the same way that HITECH rectified the short-sightedness of HIPAA: by waiting years to pass additional legislation that is, at least in its protection of privacy, more hi-tech.

Comments

6 Responses to “HIPAA, The HITECH Act, and How Google May Still Be Able to Distribute, and Profit From, Your Personal Health Info”
  1. David Harlow says:

    Not quite so bad as you make it out to be.

    1. Google Health is turning out to be an also-ran, but back in June, the MSFT HealthVault folks (in the person of Sean Nolan) publicly committed to signing BAAs and bringing themselves under the big HIPAA tent. See http://blogs.msdn.com/familyhealthguy/archive/2009/06/03/you-put-your-right-hipaa-in.aspx

    2. HITECH Act in ARRA (Son of HIPAA) provides for parties other than BAs to sign BAAs:

    SEC. 13408. BUSINESS ASSOCIATE CONTRACTS REQUIRED FOR CERTAIN ENTITIES.
    Each organization, with respect to a covered entity, that provides data transmission of protected health information to such entity (or its business associate) and that requires access on a routine basis to such protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization, E-prescribing Gateway, or each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record, is required to enter into a [Business Associate Agreement]

  2. Jordan Cohen says:

    David, I wish I could share your sense of optimism. Here is why I do not:

    Your first point is that MSFT has agreed to sign BAAs. I am aware that Microsoft recently bowed to the constant nagging of providers and firms by agreeing to sign BAAs. I applaud MSFT on making that choice. However, I believe there is a substantial difference between a legal system which relies on corporations like MSFT to make that decision, and a system that regulates privacy in a robust manner. I am not an expert in the niceties of contract law, but I am not sure that MSFT voluntarily signing a BAA has the same legal status as MSFT being required by law to sign a BAA. Nothing is stopping Microsoft from not signing BAAs in the future when they partner with new providers, or from attenuating the privacy protections in their BAA. If they were required to sign a BAA, then as is the practice now, there would be minimum requirements for the BAA contract that they were required by law to incorporate. More simply, if HITECH considered them to be a business associate, then there would be greater certainty as to the legal status of the information stored on their servers.

    This leads me to your second point where you discuss 13408. I believe I discussed this in my post, but as I read that section, the section only applies to PHR vendors that provide their services through a covered entity, hence the “with respect to a covered entity” part of the first sentence of the section. This means that if you or I sign up on our own for Google Health and, to be sure, MSFT HealthVault, there is no meaningful federal regulation of the data. Note that the BAA is an agreement that MSFT has with a covered entity, not with the individual. So if you or I sign up and upload our information to MSFT (or Google’s) servers outside of our relationship with a hospital or health plan, they have the freedom to disseminate that information. Furthermore, the ban on the sale of PHI in HITECH does not include the data of individual PHR users that are not receiving PHR access through a hospital or plan. Thus, Microsoft and Google can disseminate and sell this information without the oversight of HIPAA/HITECH. What is more troubling is that there is no statutory requirement in this scenario for the PHR vendor to keep an accounting of disclosures. So if I sign up for MSFT HealthVault or Google Health, there is no legal right (in contrast to uses/disclosures of a CE or BA under HIPAA) for me to find out who they gave the info to. As far as I can tell, there are no individual rights that I have as an individual PHR user.

    Sure, MSFT and Google may say that they won’t distribute or sell it, but one must ask whether taking for-profit corporations at their word when they promise to protect privacy is a prudent strategy. Personally, I do not believe it is prudent, and hope that future HITECH regulations will require all PHR data to be regulated under the full force of HIPAA/HITECH. This distinction between PHR data created “with respect to a covered entity” is a weak protection of privacy and just plain confusing.

    The beauty of (parts of) HITECH is that it strengthened privacy protections by requiring traditional business associates to protect the information in much the same way that covered entities have had to protect it under HIPAA. It is troubling that those extensions of HIPAA to business associates do not always reach PHR data.

  3. David Harlow says:

    No argument with your response; we read this stuff the same way. I just think the real-world effects are a little more far-reaching/persistent.

    First, just because GOOG and MSFT have said that they are not subject to HIPAA as BAs doesn’t mean that they aren’t. Also, MSFT would be hard-pressed to back off its current position of agreeing to sign BAAs.

    Re: PHRs: As I understand it, the majority of folks using PHRs are using tethered PHRs, such as branded portals associated with a hospital or health plan, often powered on the back end by GOOG Health or MSFT HealthVault. Those folks are covered by the BAA requirement.

    Is this perfect? No. But I think it’s somewhat shy of the total wild west scenario you’ve laid out.

  4. Gloria says:

    What is the HIPAA impact to privacy and security? Was HIPAA updated to correlate with this mandate and its associated changes?
