In one of those classic if I had a nickel things ... you have no idea how many times I get asked if HealthVault is "covered" under HIPAA.
The short answer to that question is, very simply, NO. HealthVault is neither a covered entity or business associate as defined by HIPAA. But the more complete answer requires a few more words.
HIPAA was designed to regulate the flow of health information when it is out of the patient's direct control -- for example, when it is forwarded to third-party billing services by a provider. At the same time, the HIPAA authors recognized clearly that patients have a right to a copy of their own information, and they built into the legislation an explicit mechanism that allows for patients to request and receive that copy.
The obligations that HIPAA places on covered entities and business associates do not apply to the copy under the patient's control, because the patient is in the best position to decide which parts of their information they want to share, and with whom they want to share it.
HealthVault is, very simply, a tool for individual patients to manage health information that is under their control. The rules and choices around how that information is shared are under the exclusive control of the patient. When information is sent from a covered entity into a HealthVault record, it is done at the explicit request of the individual.
We believe strongly that not only is this approach completely in line with the intent of HIPAA regulation, but it is essential in order for patients to truly be empowered with their own information.
So is this a "get out of jail free" card for HealthVault? No way -- the obligations we have taken on around patient privacy, data security and third party audits are frankly far more stringent than those that HIPAA-covered entities are required to adhere to. And if we don't deliver on those obligations -- we're out of business. That's a pretty strong motivation for us to do a good job.
Together with our legal team, we finally got our act together to publish a position paper that describes in detail why our assessment here is correct. If patient privacy is your thing, I encourage you to check it out.
Once again, our cards are on the table -- and we are confident we are doing the right thing. If you have any questions, ask them here and I will do my best to get a clear answer.
Thanks...this is a very helpful clarification. Many indeed are confused.
I'm also glad to see you write: "Microsoft supports a comprehensive federal approach to privacy legislation."
This also is wise.
...and I think it's in our collective interests to be PROACTIVE in spelling out what that comprehensive federal approach should look like, rather than passively waiting around to see what others might think is appropriate.
Sean has written a nice explanation about how HIPPA relates to HealthVault. In case you missed the link
I agree with your legal assessment (and the white paper) as far as a PHR not being covered under HIPAA. However, your comments and the white paper miss the point in my opinion.
People are asking about HIPAA because they want to have some assurance that the systems and processes that hold their data will conform to the highest standards possible and if not the company and individuals will be held accountable.
I have no doubt that Microsoft has an excellent track record in protecting data in its hosted solutions. However, from my own experience in Healthcare IT I can tell you it made a very big difference when companies knew they would be held accountable as well as the employees. We now spend a lot of effort being very careful about even internal communication of data not to mention the top to bottom security audits that the company must pay for to ensure compliance.
Without this type of industry wide scrutiny of Health related procedures around patient data I am not convinced it would have been something on the top of everyones mind but I can assure you in Healthcare (which you should already know) the concept of HIPAA is very much on everyone's mind and that fact is largely responsible for the gains.
When a company (rightly so) declares they are not covered under HIPAA it should send warning bells because that company is most likely not configured to create a company-wide sense of urgency around patient privacy. Sometimes the worst cases aren't a break in of your servers but instead a curious support person with access to data that just happens to look up their neighbor's record.
If your company is not spending an enormous amount of energy (like all covered entities do) stressing and training everyone from low level staff to the CEO on the importance and specific policies then you probably aren't really getting the point. It isn't just about the declared "disclosures" but it is also about avoiding the mistaken disclosures or inappropriate use of the data even internally.
So yes I agree Microsoft (and Google) are not covered under HIPAA but I think it may actually mean that you need to prove what SPECIFIC processes and policies Microsoft is doing to ensure privacy since the covered entities already have to make that fairly clear. So far the terms seem quite open ended in this regard; that coupled with the declaration of not being a covered entity is not very comforting.
Patients have been educated to expect some specific behaviors from the HIPAA entities so what should they now expect from the PHR vendors? I think the Microsoft HIPAA white paper is mostly looking at it from the legal perspective and that just isn't the main issue IMO. People are looking for a common standard of behavior which without HIPAA they have no point of reference. The one provided thus far isn't as rigorous or open as the standards that the HIPAA entities have been acting on.
I do think the Healthvault solution has excellent support for lots of controls over the declared "sharing" scenarios to allow patients to control their own records. It is the unintended "sharing", both internal to Microsoft or with its partners, where there seems to be a need for more open expectation setting about how this data will really be protected.
Thanks for taking the time to so clearly state the concern --- completely agree with your assessment that, especially without the "air cover" of HIPAA, there is a real burden on us not only to in fact protect the privacy of our users, but to "prove" our competence at doing so.
The first step in proving that commitment is simply to state it so publically and openly. The market pressure on us to deliver on that promise is extraordinarily high. Realize that if we were to fail, we would not simply destroy credibility for HealthVault. The damage would extend far beyond to our other Microsoft properties and products as well. Do not think for a moment that this responsibility is lost on me or anybody on our team.
Of course, we are doing far more.
We are working with leading consumer privacy advocates to develop certification processes for the PHR industry as a whole, and have committed to both submit the HealthVault infrastructure to that certification and to highlight which of our partners have gone through the process.
We work daily with policy makers at the federal and state levels to help ensure that appropriate legislation is drafted and passed that does provide assurances applicable to personal records. In fact we have specifically called on Congress to pass comprehensive consumer privacy legislation.
In the few months that we have been live, we have undergone two external penetration tests run by respected security firms, and have committed to continue testing using new vendors on a regular basis to ensure we stay solid. This is in addition to developing and operating HealthVault under Microsoft's Secure Development Lifecycle -- a process that has been widely regarded as state of the art with regards to delivering on security and privacy commitments.
We have a full team devoted to developing "trust interfaces" that users can actually use when granting rights to view or modify their data. Because these interfaces are some of the most complex of all usability challenges, we are also funding additional research within the Microsoft Research division to test our existing experiences and develop new ideas in this area.
I hope these few examples give you a flavor of how seriously we take our responsibilities in this area. It is my sincere hope that other personal health systems in the market do the same -- a breach at any one would be detrimental to the growth of a market I believe can really help people.
Within the sphere of consumer control -- HIPAA simply apply. That's not a knock against HIPAA -- it just wasn't built to protect data when it is within the control of an individual. In this environment, hiding behind HIPAA would be nothing more than looking for easy air cover ... and that would not get us where we need to be.
Thanks again for your comments --- I appreciate the opportunity to have this discussion in a public forum where others can join in as well.
Who are the author/s of HIPPA legislation...I need to write them
John, the original 1996 HIPAA legislation was sponsored by senators Ted Kennedy and Nancy Kassebaum. The privacy rule itself was written by HHS as directed by the legislature; details on that rule can be found at http://www.hhs.gov/ocr/hipaa/finalreg.html. That page also has a link to submit questions about the Privacy Rule, so may be the best place for you to start.
Hope that helps ... good luck!
Early last May, I posted an entry that described our position regarding the relationship of HealthVault