HIPAA May Have a Privacy Loophole

Privacy rules don’t always cover popular personal health records.

In 1999, WebMD started offering an online “personal health record,” or PHR, to help consumers record, store and transport their medical information to any doctor or hospital. Today, the $168 million provider of online healthcare information works with clients such as Microsoft, Starbucks and health benefits company Wellpoint to gather employee health information and import insurance claim data into the personal digital records.

PHRs offer numerous advantages. For example, Microsoft employees can go to their company’s healthcare portal to conduct online health risk assessments and create personal health records. They can also find healthcare providers in their area and some even have the ability to incorporate information from labs and other sources into their record. Over the past several years, smaller companies including FollowMe, Laxor and Medem have sprung up to offer similar services. PHRs are not replacing EMRs but they are growing in popularity, especially since large corporations have started offering them to employees.

As interest in PHRs grows, however, some doctors and privacy advocates question whether such digital repositories are covered by federal privacy regulations. “Organizations that operate the PHR may not be covered by HIPAA,” says Paul Tang, VP chief medical information officer at Palo Alto Medical Foundation. “The people who own the databases that hold your medical records are not regulated by HIPAA in terms of what they do with the data.” Tang’s concern is that third-party PHR providers are not technically governed by HIPAA so they don’t have to comply with it, even though many say they do.

A spokesman for the Department of Health and Human Services acknowledges that PHRs are not technically covered by HIPAA. However, organizations that maintain PHRs and are themselves covered under HIPAA (health plans and healthcare providers, for example) are subject to compliance. But certain types of entities that provide PHRs may not be covered by HIPAA. HHS is examining privacy and security issues related to PHRs, and considering what steps need to be taken.

Craig Froude, WebMD’s executive vice president of health services, says PHRs are private and secure because the companies that WebMD works with are covered under HIPAA. “We’re compliant and our clients are compliant,” he says. WebMD’s privacy policy states that it abides by HIPAA guidelines, even though it is not technically covered by the regulation. This means that WebMD agrees not to sell or release personal healthcare information.

However, other PHR providers may not have such stringent privacy guidelines. “As a consumer, you will need to read the privacy policy of any group providing a PHR,” Froude says.

There needs to be greater legal protection of patient data in PHRs, says Dan Rode, vice president of policy and government relations for the American Health Information Management Association, a professional organization. Now, he says, it’s not always clear whether the data is protected under HIPAA.

“People need to have clear rights as to who has access to their medical records,” Rode says. His organization is finishing a position statement calling on providers of PHRs to make it clear who has access to their data.