Family Health Guy

In which Sean talks about HealthVault and other cool ideas in Personal Health

You put your right HIPAA in…


Early last May, I posted an entry that described our position regarding the relationship of HealthVault to HIPAA. In short, our interpretation was that HealthVault did not fall under the definition of a Covered Entity or a Business Associate as defined by the legislation. Further, it seemed clear that HIPAA was simply not intended to cover services like HealthVault that provide tools to help individuals manage copies of their own health information. Pretty simple, really.

Fast forward about a year, and "pretty simple" just wasn't good enough for the well-meaning folks in Washington, DC. When they sat down to reform healthcare with the ARRA bill, things got a bit muddled up. Did anything really change that would affect our position? Unfortunately, the answer is really "nobody knows."

You simply cannot imagine how many hours I have spent in small conference rooms with no windows listening to experts argue this back and forth. Really.

Here's the thing:  this renewed atmosphere of ambiguity and uncertainty risks slowing down the important work we all are trying to get done - helping individuals get and stay healthier by collecting, sharing and leveraging their own personal health information - connected to their trusted providers.

So we decided to take a new look at the legislation. And when we did that, we realized that it really didn't matter how we are technically defined. As we have said from day one, we operate the HealthVault systems far beyond the baseline privacy and security measures required by HIPAA anyway. And further, we can sign "Business Associate Agreements" with covered entities that want to interact with HealthVault, without in any way restricting our ability to put consumers in control of their information. To be clear: we can and will, without modification or compromise, continue to stand behind our privacy statement and service agreement.

Which brings me to the real point here. We are now prepared to sign a Business Associate Agreement with any covered entity that feels it is an important part of their responsibility under the HIPAA legislation. We have worked hard to create the text of that BAA, and are committed to being open and transparent about exactly what it contains. In fact, it is posted online for anybody to review here.

To date we have spent far too much time explaining to covered entities why we did not need a BAA between us. Going forward, we just don't need to have that discussion. This is a really, really Good Thing.

Onward!

  • That's awesome. I've been working with a number of organizations that have been trying to skirt the boundaries of HIPAA but with the line moving and blurring lately it's almost impossible.

    Just recently a few have decided, similar to you, that since they already go beyond HIPAA requirements for security and privacy, it's time to stop playing games and just accept being BAAs.

    While it would be nice for the government to get its act together and make the HIPAA rules clear and permanent, we can't wait for that. We've got important work to do.

  • That's great to hear, Sean. It certainly reduces the risks for organizations partnering with you.  I think it will also increase consumer confidence in connected solutions.

  • Glad to see this development. While there is no reason to doubt the good faith behind the TOS which you say go above and beyond HIPAA requirements, many partners (and their lawyers -- since we have the occupational disability of assuming that things like the TOS will change and everyone who meant what they said will no longer be around) will feel much more comfortable with the BAA in hand. Are you taking an expansive view with respect to BAAs called for by ARRA? (i.e., will you count yourselves among the non-business-associates-who-are-supposed-to-sign-BAAs-anyway?)

  • In a post today, Sean Nolan, Chief Architect of Microsoft Health Solutions and blogger at Family Health Guy explains Microsoft's position regarding whether Microsoft HealthVault is required to comply with the privacy standards under the Health Insuranc

  • Good move, Sean and team.  Painful yes, but definitely the right thing to do.  This will significantly help provider organizations and others that are being held back by uncertainty around HIPAA and the BAA.

    Bill Crounse, MD
