Online health records: New frontier in a ‘wild, wild West’
By Sylvia Hsieh
October 17, 2008
The new online health accounts that give consumers a way to store and keep track of their medical data are the newest frontier in the unregulated terrain of electronic health records.
While laws like the Health Insurance Portability and Accountability Act (HIPAA) provide certain protections for records, online health accounts fall outside those regulations because the commercial entities offering them – Google, Microsoft, WebMD and Revolution Health to name a few – are not “health care providers,” nor does the data necessarily fall under the definition of a “medical record.”
This new form of online health record is part of a murky legal area with few laws, regulations or ethical constraints.
“It’s the wild, wild West in terms of people’s medical privacy,” said Tim Sparapani, senior legislative counsel with the American Civil Liberties Union in Washington, D.C.
The law is lagging far behind technology.
“Microsoft HealthVault is live. GoogleHealth is live. Revolution Health is live. The genie is way, way out of the bottle,” said Pam Dixon, executive director of the World Privacy Forum in San Diego.
Depending on the privacy policy of the health account vendor, consumers who have signed up for online accounts may have already given up certain protections, such as the doctor-patient privilege.
Lawyers representing patients are now more likely to ask whether their clients have subscribed to an online health account, said Robert Gellman, an attorney and privacy consultant in Washington, D.C.
“If I’m a litigator, the first question I would ask the patient is ‘Have you given your medical records to a PHR [personal health records] vendor?’ You can be sure someone is going to argue that the patient has waived the privilege by turning them over to a vendor,” he said.
Not a HIPAA entity
The idea behind online health accounts is to let consumers manage their own medical records, much like managing personal photos through an online account.
For example, Microsoft’s HealthVault lets users manually upload medical information into their account and permits their health care practitioners to import data, including scanned images, into their account, said Elisabeth Giammona, a Microsoft spokesperson.
But the sensitivity of health data and the value of the personal information contained in a health record to an advertiser, data miner or lawyer makes it an area in need of greater oversight and regulation, privacy experts say.
“When it comes to health records, we need something better than ‘buyer beware,’” said Deven McGraw, director of the health privacy project at the Center for Democracy and Technology in Washington, D.C.
“The main problem is that HIPAA doesn’t apply to Microsoft and Google, and we think there needs to be a comprehensive approach to privacy,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, D.C. and a privacy law professor at Georgetown Law School.
Online vendors of personal health records don’t fall under HIPAA because it is limited to health care entities and medical records held by a health care provider, said Gellman.
“Information can easily leak out of your health records,” he said, although he noted that if an online account is provided through a health care provider, it may be covered by HIPAA.
“A number of things change when records are held” by entities not covered by HIPAA, said Dixon.
She noted that HIPAA requires notification and the opportunity to object, seek a protective order and contest a subpoena of an individual’s medical records.
“We all know health records are often used in med-mal, tort and even custody and divorce cases. This is a big deal when you’re being sued, but I’m not convinced the average consumer has a full grasp of what it means to give up those rights,” Dixon said.
Even if HIPAA were to apply, it would not address privacy concerns, some experts say.
“HIPAA is based on a business model driven by health care; Internet vendors operate on an ad-driven business model,” said McGraw.
Some privacy advocates say extending HIPAA to Internet health records might even exacerbate privacy concerns, because of the numerous exceptions in the statute that allow medical records to be shared without a patient’s consent.
“HIPAA is a data miner’s dream,” said Dr. Deborah Peel, a practicing physician and founder of Patient Privacy Rights, a consumer advocacy group in Austin, Texas.
For example, HIPAA’s exceptions permit disclosure of medical records without consent for medical research, public health and law enforcement purposes, she said.
Privacy policies rule
Given the legal vacuum, the controlling law is the privacy policies promulgated by the Internet health records providers.
“Microsoft, Google, WebMD, and Revolution Health all have different privacy policies,” said Dixon.
But Gellman said “they all say ‘subject to change without notice at any time,’ so whatever promises have been made can be changed by them.”
Many privacy experts said the Internet vendors are making a good effort to address privacy concerns in their policies.
“We think Microsoft in particular is doing a good job on privacy, consent and giving patients the ability to control their records. Right now it seems to be the gold standard and Google is competing,” said Sparapani.
However, a big concern is how such privacy policies treat third-party applications made available to consumers through the online vendor. An example would be a diabetes management application that contracts with Google to allow GoogleHealth users to track their condition.
“Are the Googles and Microsofts requiring third parties to have privacy policies? At some point, the number of third-party applications will reach a point that they can’t guarantee they are policing those agreements,” said McGraw.
Peel’s organization is working on a credentialing system to rate the privacy policies of online health account vendors.
Such a certification process would require that the privacy policy make a clear statement of consumer control and that the vendor subject itself to an outside audit to make sure it is abiding by its policy.
But Dixon said even the best privacy policy cannot make up for holes in the legal framework, such as a waiver of the doctor-patient privilege by uploading your records to a site.
“Doctor-patient privilege is a very significant privacy protection. Once data is moved and consent is signed, you’ve waived your privilege. It’s evaporated. Gone,” said Dixon.
Pending legislation
Although there are two pending bills in Congress that promote electronic records and call for recommendations on regulations from the Department of Health and Human Services on privacy and security of electronic patient records, neither bill would create a private cause of action for individuals whose health records are disclosed without consent.
“The bottom line is none of these bills is good. There needs to be a private cause of action and robust privacy and security provisions,” said Dixon.
The bills are: The PRO(TECH)T Act of 2008 (“The Protecting Records, Optimizing Treatment, and Easing Communications through Healthcare Technology Act”), H.R. 6357, and the Wired for Healthcare Quality Act, S. 1418.
Questions or comments should be directed to the writer at: sylvia.hsieh@lawyersusaonline.com