About Health Care Industry

BNET Healthcare provides daily industry trends and news coverage with insights for managers and executives, focusing on major health care providers, hospitals and facilities, insurance companies, and medical device manufacturers. In addition to detailed company profiles, you will find detailed industry analysis on new alliances and partnerships, healthcare products, medical patents, health care cost control, lawsuits, management and board changes, and all other important business issues.

HIPAA Expands to Personal Health Records — Just Not Google's or Microsoft's, If You Ask Them

By Neil Versel | Apr 7, 2009

Although Google and Microsoft have gotten plenty of attention for their Web-based personal health records, both companies have long maintained that they’re not bound by the privacy protections of a 1996 federal law known as HIPAA. And despite a recent HIPAA change — one intended to extend its privacy provisions to services like Google Health and Microsoft’s HealthVault — both companies still insist they’re not bound by the law.

Those HIPAA changes came courtesy of the American Recovery and Reinvestment Act of 2009, also known as the economic stimulus law. One provision ostensibly makes third-party data repositories, personal health records and health information networks into business partners of care providers and health plans, requiring them to follow the same rules as everyone else.

David Brailer, the former national coordinator for health IT, calls this move a “technical fix” to HIPAA designed to extend HIPAA to third-party data repositories like Google Health and HealthVault and e-prescribing networks like Surescripts. That’s an important step toward creating the kind of public trust needed for widespread adoption and interoperability of electronic health records.

Section 13408 of the law specifically states that any organization involved in electronic transmission of “protected health information” to any entity already covered by HIPAA or to any business partner of a covered entity becomes what HIPAA calls a “business associate.” Business associates are subject to the same privacy and security rules as those they contract with.

This section of the law lists examples of those now brought under HIPAA:

Health Information Exchange Organization, Regional Health Information Organization, E-prescribing Gateway, or each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record ….

Google has deals with the Cleveland Clinic and Beth Israel Deaconess Medical Center in Boston that seem to put it in exactly that position. Patients at both facilities can opt to transfer their electronic records from the hospital to Google Health upon request. Microsoft has similar arrangements with Cleveland and the Mayo Clinic.

The only problem is, the two companies continue to take the position that they’re not subject to HIPAA. “Our understanding is that HITECH, which is the jargon for [the health IT] part of the legislation, did not change the definition for a covered entity or a business associate, so our service is offered directly to the consumer,” Google Health Product Manager Roni Zeiger told Modern Healthcare last month. “[O]ur understanding is that we are neither a covered entity nor a business associate,” he continued. “We’re providing a service directly to the consumer or a patient.”

Microsoft offered a similar assessment at the annual Healthcare Information and Management Systems Society conference in Chicago. “We’re still outside [of HIPAA],” said David Cerino, general manager of Microsoft’s Health Solutions Group.

Digest that thought for a moment. Key people at both Microsoft and Google actually said that their health offerings, as services offered directly to consumers, are neither covered entities nor business associates under the new law.

Interestingly, Modern Healthcare also reported that Mayo has delayed the launch of its HealthVault partnership because it needs to figure out if it has to treat Microsoft as a HIPAA business associate. The Cleveland Clinic also has its legal team on the case regarding its partnership with Google.

Brailer, who advised Congress extensively in the crafting of the legislation, is a little dumbfounded by Zeiger’s statement. “I think the intent of the law is clear. It is a fundamental principle of health IT that consumers must trust the stewards of their data,” he says.

If a company wants to act like the law doesn’t apply to its stewardship of patient data, why exactly would anyone entrust that company with their personal health information?

Neil Versel is a freelance healthcare journalist based in Chicago.
