<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>HIPAA-potamus</title><link>http://blogs.msdn.com/familyhealthguy/archive/2008/05/03/hipaa-potamus.aspx</link><description>In one of those classic if I had a nickel things ... you have no idea how many times I get asked if HealthVault is "covered" under HIPAA . The short answer to that question is, very simply, NO . HealthVault is neither a covered entity or business associate</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: HIPAA-potamus</title><link>http://blogs.msdn.com/familyhealthguy/archive/2008/05/03/hipaa-potamus.aspx#8455739</link><pubDate>Sat, 03 May 2008 20:38:58 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8455739</guid><dc:creator>Vince Kuraitis</dc:creator><description>&lt;p&gt;Sean,&lt;/p&gt;
&lt;p&gt;Thanks...this is a very helpful clarification. &amp;nbsp;Many indeed are confused.&lt;/p&gt;
&lt;p&gt;I'm also glad to see you write: &amp;quot;Microsoft supports a comprehensive federal approach to privacy legislation.&amp;quot;&lt;/p&gt;
&lt;p&gt;This also is wise.&lt;/p&gt;
&lt;p&gt;...and I think it's in our collective interests to be PROACTIVE in spelling out what that comprehensive federal approach should look like, rather than passively waiting around to see what others might think is appropriate.&lt;/p&gt;
&lt;p&gt;Vince &lt;/p&gt;</description></item><item><title>HealthVault and HIPAA</title><link>http://blogs.msdn.com/familyhealthguy/archive/2008/05/03/hipaa-potamus.aspx#8460903</link><pubDate>Mon, 05 May 2008 19:58:37 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8460903</guid><dc:creator>HealthVault</dc:creator><description>&lt;p&gt;Sean has written a nice explanation about how HIPAA relates to HealthVault. In case you missed the link&lt;/p&gt;</description></item><item><title>re: HIPAA-potamus</title><link>http://blogs.msdn.com/familyhealthguy/archive/2008/05/03/hipaa-potamus.aspx#8521198</link><pubDate>Tue, 20 May 2008 07:11:31 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8521198</guid><dc:creator>jkoehl</dc:creator><description>&lt;p&gt;I agree with your legal assessment (and the white paper) as far as a PHR not being covered under HIPAA. &amp;nbsp;However, your comments and the white paper miss the point in my opinion.&lt;/p&gt;
&lt;p&gt;People are asking about HIPAA because they want to have some assurance that the systems and processes that hold their data will conform to the highest standards possible and if not the company and individuals will be held accountable.&lt;/p&gt;
&lt;p&gt;I have no doubt that Microsoft has an excellent track record in protecting data in its hosted solutions. &amp;nbsp;However, from my own experience in Healthcare IT I can tell you it made a very big difference when companies knew they would be held accountable as well as the employees. &amp;nbsp;We now spend a lot of effort being very careful about even internal communication of data not to mention the top to bottom security audits that the company must pay for to ensure compliance.&lt;/p&gt;
&lt;p&gt;Without this type of industry-wide scrutiny of Health related procedures around patient data I am not convinced it would have been something on the top of everyone's mind but I can assure you in Healthcare (which you should already know) the concept of HIPAA is very much on everyone's mind and that fact is largely responsible for the gains.&lt;/p&gt;
&lt;p&gt;When a company (rightly so) declares they are not covered under HIPAA it should send warning bells because that company is most likely not configured to create a company-wide sense of urgency around patient privacy. &amp;nbsp;Sometimes the worst cases aren't a break-in of your servers but instead a curious support person with access to data that just happens to look up their neighbor's record. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;If your company is not spending an enormous amount of energy (like all covered entities do) stressing and training everyone from low level staff to the CEO on the importance and specific policies then you probably aren't really getting the point. &amp;nbsp;It isn't just about the declared &amp;quot;disclosures&amp;quot; but it is also about avoiding the mistaken disclosures or inappropriate use of the data even internally.&lt;/p&gt;
&lt;p&gt;So yes I agree Microsoft (and Google) are not covered under HIPAA but I think it may actually mean that you need to prove what SPECIFIC processes and policies Microsoft is doing to ensure privacy since the covered entities already have to make that fairly clear. &amp;nbsp;So far the terms seem quite open ended in this regard; that coupled with the declaration of not being a covered entity is not very comforting.&lt;/p&gt;
&lt;p&gt;Patients have been educated to expect some specific behaviors from the HIPAA entities so what should they now expect from the PHR vendors? &amp;nbsp;I think the Microsoft HIPAA white paper is mostly looking at it from the legal perspective and that just isn't the main issue IMO. &amp;nbsp;People are looking for a common standard of behavior which without HIPAA they have no point of reference. &amp;nbsp;The one provided thus far isn't as rigorous or open as the standards that the HIPAA entities have been acting on.&lt;/p&gt;
&lt;p&gt;I do think the HealthVault solution has excellent support for lots of controls over the declared &amp;quot;sharing&amp;quot; scenarios to allow patients to control their own records. &amp;nbsp;It is the unintended &amp;quot;sharing&amp;quot;, both internal to Microsoft or with its partners, where there seems to be a need for more open expectation setting about how this data will really be protected.&lt;/p&gt;</description></item><item><title>re: jkoehl's remarks</title><link>http://blogs.msdn.com/familyhealthguy/archive/2008/05/03/hipaa-potamus.aspx#8521343</link><pubDate>Tue, 20 May 2008 07:45:46 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8521343</guid><dc:creator>seannol</dc:creator><description>&lt;p&gt;Thanks for taking the time to so clearly state the concern --- completely agree with your assessment that, especially without the &amp;quot;air cover&amp;quot; of HIPAA, there is a real burden on us not only to in fact protect the privacy of our users, but to &amp;quot;prove&amp;quot; our competence at doing so.&lt;/p&gt;
&lt;p&gt;The first step in proving that commitment is simply to state it so publicly and openly. The market pressure on us to deliver on that promise is extraordinarily high. Realize that if we were to fail, we would not simply destroy credibility for HealthVault. The damage would extend far beyond to our other Microsoft properties and products as well. Do not think for a moment that this responsibility is lost on me or anybody on our team. &lt;/p&gt;
&lt;p&gt;Of course, we are doing far more. &lt;/p&gt;
&lt;p&gt;We are working with leading consumer privacy advocates to develop certification processes for the PHR industry as a whole, and have committed to both submit the HealthVault infrastructure to that certification and to highlight which of our partners have gone through the process.&lt;/p&gt;
&lt;p&gt;We work daily with policy makers at the federal and state levels to help ensure that appropriate legislation is drafted and passed that does provide assurances applicable to personal records. In fact we have specifically called on Congress to pass comprehensive consumer privacy legislation.&lt;/p&gt;
&lt;p&gt;In the few months that we have been live, we have undergone two external penetration tests run by respected security firms, and have committed to continue testing using new vendors on a regular basis to ensure we stay solid. This is in addition to developing and operating HealthVault under Microsoft's Secure Development Lifecycle -- a process that has been widely regarded as state of the art with regards to delivering on security and privacy commitments.&lt;/p&gt;
&lt;p&gt;We have a full team devoted to developing &amp;quot;trust interfaces&amp;quot; that users can actually use when granting rights to view or modify their data. Because these interfaces are some of the most complex of all usability challenges, we are also funding additional research within the Microsoft Research division to test our existing experiences and develop new ideas in this area.&lt;/p&gt;
&lt;p&gt;I hope these few examples give you a flavor of how seriously we take our responsibilities in this area. It is my sincere hope that other personal health systems in the market do the same -- a breach at any one would be detrimental to the growth of a market I believe can really help people.&lt;/p&gt;
&lt;p&gt;Within the sphere of consumer control -- HIPAA simply apply. That's not a knock against HIPAA -- it just wasn't built to protect data when it is within the control of an individual. In this environment, hiding behind HIPAA would be nothing more than looking for easy air cover ... and that would not get us where we need to be.&lt;/p&gt;
&lt;p&gt;Thanks again for your comments --- I appreciate the opportunity to have this discussion in a public forum where others can join in as well.&lt;/p&gt;
</description></item><item><title>re: HIPAA-potamus</title><link>http://blogs.msdn.com/familyhealthguy/archive/2008/05/03/hipaa-potamus.aspx#8871011</link><pubDate>Sat, 16 Aug 2008 02:49:59 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8871011</guid><dc:creator>john pitcher</dc:creator><description>&lt;p&gt;Who are the author/s of HIPAA legislation...I need to write them&lt;/p&gt;</description></item><item><title>RE: HIPAA authors</title><link>http://blogs.msdn.com/familyhealthguy/archive/2008/05/03/hipaa-potamus.aspx#8871328</link><pubDate>Sat, 16 Aug 2008 07:37:50 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8871328</guid><dc:creator>seannol</dc:creator><description>&lt;p&gt;John, the original 1996 HIPAA legislation was sponsored by senators Ted Kennedy and Nancy Kassebaum. The privacy rule itself was written by HHS as directed by the legislature; details on that rule can be found at &lt;a rel="nofollow" target="_new" href="http://www.hhs.gov/ocr/hipaa/finalreg.html"&gt;http://www.hhs.gov/ocr/hipaa/finalreg.html&lt;/a&gt;. That page also has a link to submit questions about the Privacy Rule, so may be the best place for you to start. &lt;/p&gt;
&lt;p&gt;Hope that helps ... good luck!&lt;/p&gt;
&lt;p&gt;---S&lt;/p&gt;
</description></item><item><title>You put your right HIPAA in…</title><link>http://blogs.msdn.com/familyhealthguy/archive/2008/05/03/hipaa-potamus.aspx#9689333</link><pubDate>Wed, 03 Jun 2009 08:02:08 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9689333</guid><dc:creator>Family Health Guy</dc:creator><description>&lt;p&gt;Early last May, I posted an entry that described our position regarding the relationship of HealthVault&lt;/p&gt;
</description></item></channel></rss>