HIPAA Expands to Personal Health Records — Just Not Google's or Microsoft's, If You Ask Them

By Neil Versel | Apr 7, 2009

Although Google and Microsoft have gotten plenty of attention for their Web-based personal health records, both companies have long maintained that they’re not bound by the privacy protections of a 1996 federal law known as HIPAA. And despite a recent HIPAA change — one intended to extend its privacy provisions to services like Google Health and Microsoft’s HealthVault — both companies still insist they’re not bound by the law.

Those HIPAA changes came courtesy of the American Recovery and Reinvestment Act of 2009, also known as the economic stimulus law. One provision ostensibly makes third-party data repositories, personal health records and health information networks into business partners of care providers and health plans, requiring them to follow the same rules as everyone else.

David Brailer, the former national coordinator for health IT, calls this move a “technical fix” to HIPAA designed to extend HIPAA to third-party data repositories like Google Health and HealthVault and e-prescribing networks like Surescripts. That’s an important step toward creating the kind of public trust needed for widespread adoption and interoperability of electronic health records.

Section 13408 of the law specifically states that any organization involved in electronic transmission of “protected health information” to any entity already covered by HIPAA or to any business partner of a covered entity becomes what HIPAA calls a “business associate.” Business associates are subject to the same privacy and security rules as those they contract with.

This section of the law lists examples of those now brought under HIPAA:

Health Information Exchange Organization, Regional Health Information Organization, E-prescribing Gateway, or each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record ….

Google has deals with the Cleveland Clinic and Beth Israel Deaconess Medical Center in Boston that seem to put it in exactly that position. Patients at both facilities can opt to transfer their electronic records from the hospital to Google Health upon request. Microsoft has similar arrangements with Cleveland and the Mayo Clinic.

The only problem is, the two companies continue to take the position that they’re not subject to HIPAA. “Our understanding is that HITECH, which is the jargon for [the health IT] part of the legislation, did not change the definition for a covered entity or a business associate, so our service is offered directly to the consumer,” Google Health Product Manager Roni Zeiger told Modern Healthcare last month. “[O]ur understanding is that we are neither a covered entity nor a business associate,” he continued. “We’re providing a service directly to the consumer or a patient.”

Microsoft offered a similar assessment at the annual Healthcare Information and Management Systems Society conference in Chicago. “We’re still outside [of HIPAA],” said David Cerino, general manager of Microsoft’s Health Solutions Group.

Digest that thought for a moment. Key people at both Microsoft and Google actually said that their health offerings, as services offered directly to consumers, are neither covered entities nor business associates under the new law.

Interestingly, Modern Healthcare also reported that Mayo has delayed the launch of its HealthVault partnership because it needs to figure out if it has to treat Microsoft as a HIPAA business associate. The Cleveland Clinic also has its legal team on the case regarding its partnership with Google.

Brailer, who advised Congress extensively in the crafting of the legislation, is a little dumbfounded by Zeiger’s statement. “I think the intent of the law is clear. It is a fundamental principle of health IT that consumers must trust the stewards of their data,” he says.

If a company wants to act like the law doesn’t apply to its stewardship of patient data, why exactly would anyone entrust that company with their personal health information?

Neil Versel is a freelance healthcare journalist based in Chicago.
