Interesting People mailing list archives

definitive Are Google/MSFT bound by HIPAA?


From: David Farber <dave () farber net>
Date: Sun, 24 Feb 2008 13:01:37 -0800


________________________________________
From: Peter Swire [peter () peterswire net]
Sent: Sunday, February 24, 2008 3:28 PM
To: David Farber
Subject: RE: [IP] Re: Are Google/MSFT bound by HIPAA?

Dave:

Given the several items on this thread, perhaps a bit more background would help people understand the apparently weird result that the personal health record (PHR) sites run by many entities, including Microsoft (up and running) and Google (planned), are not covered by HIPAA. My comments here are based on my extensive participation in government for the proposed and final HIPAA rule, and my work on PHRs since with a number of public policy groups and companies.

1. In terms of the thread to date, I agree entirely with Joe Saul's legal analysis.

2. HIPAA applies only to "covered entities" because the 1996 statute specifically applies only to covered entities. The 1996 law was passed in large part to shift health payments from paper to electronic form, and so the privacy/security protections apply to entities that are involved in the health payment system. For instance, providers who only accept cash are also outside of HIPAA.

3. It is a very tricky thing to have a law apply to types of data, such as "any medical data about an individual." Little bits of health data crop up in almost any database. Booksellers sell books about cancer. Newspapers have articles about "your health," and subscribers reveal their interests by where they click. Banks process payments for dentists and HIV clinics.

A regulatory system based on "this data is medical," thus, would sweep in all sorts of people who don't have systems in place to comply with little bits of medical data in their much larger databases. This kind of convergence -- medical, financial, etc., data mingling in databases -- is one reason that quite a few global companies (including Microsoft and Google) have now shifted to supporting baseline privacy laws that would apply to the full range of data held by companies.

4. As with other privacy issues, California is taking the lead here. As of January 1, 2008, the California Medical Information Act likely applies to many PHR products. A BNA story reported it this way: "The CMIA previously defined covered entities to include any business that maintains medical information for the 'primary purpose' of making the information available for purposes of diagnosis or treatment. A.B. 1298 amends California Civil Code Section 56.06(a) by deleting the 'primary purpose' standard, thus expanding the CMIA to regulate: '[a]ny business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual.'"

5. The CMIA has some but not all of the HIPAA requirements. Notably, the HIPAA enforcement provisions don't apply. But I and many others have criticized the lack of HIPAA enforcement to date by HHS. By contrast, the Federal Trade Commission has brought quite a few cases against web sites that break their privacy promises.

It quite possibly makes sense for the laws here to shift. The CDT project will be one place that is discussed, and bills have been introduced in Congress. But the FTC can act today if any PHR site violates its privacy policy.

Peter


Prof. Peter P. Swire
C. William O'Neil Professor of Law
   Moritz College of Law
   The Ohio State University
Senior Fellow, Center for American Progress
(240) 994-4142, www.peterswire.net
