Interesting People mailing list archives
definitive Are Google/MSFT bound by HIPAA?
From: David Farber <dave () farber net>
Date: Sun, 24 Feb 2008 13:01:37 -0800
________________________________________
From: Peter Swire [peter () peterswire net]
Sent: Sunday, February 24, 2008 3:28 PM
To: David Farber
Subject: RE: [IP] Re: Are Google/MSFT bound by HIPAA?

Dave:

Given the several items on this thread, perhaps a bit more background would help people understand the apparently weird result that the personal health record (PHR) sites run by many entities, including Microsoft (up and running) and Google (planned), are not covered by HIPAA. My comments here are based on my extensive participation in government for the proposed and final HIPAA rule, and my work on PHRs since with a number of public policy groups and companies.

1. In terms of the thread to date, I agree entirely with Joe Saul’s legal analysis.

2. HIPAA applies only to “covered entities” because the 1996 statute specifically applies only to covered entities. The 1996 law was passed in large part to shift health payments from paper to electronic form, and so the privacy/security protections apply to entities that are involved in the health payment system. For instance, providers who only accept cash are also outside of HIPAA.

3. It is a very tricky thing to have a law apply to types of data, such as “any medical data about an individual.” Little bits of health data crop up in almost any database. Booksellers sell books about cancer. Newspapers have articles about “your health,” and subscribers reveal their interests by where they click. Banks process payments for dentists and HIV clinics. A regulatory system based on “this data is medical,” thus, would sweep in all sorts of people who don’t have systems in place to comply with little bits of medical data in their much larger databases. This kind of convergence -- medical, financial, etc., data mingling in databases -- is one reason that quite a few global companies (including Microsoft and Google) have now shifted to supporting baseline privacy laws that would apply to the full range of data held by companies.

4. As with other privacy issues, California is taking the lead here. As of January 1, 2008, the California Medical Information Act likely applies to many PHR products. A BNA story reported it this way: “The CMIA previously defined covered entities to include any business that maintains medical information for the "primary purpose" of making the information available for purposes of diagnosis or treatment. A.B. 1298 amends California Civil Code Section 56.06(a) by deleting the "primary purpose" standard, thus expanding the CMIA to regulate: "[a]ny business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual."”

5. The CMIA has some but not all of the HIPAA requirements. Notably, the HIPAA enforcement provisions don’t apply. But I and many others have criticized the lack of HIPAA enforcement to date by HHS. By contrast, the Federal Trade Commission has brought quite a few cases against web sites that break their privacy promises. It quite possibly makes sense for the laws here to shift. The CDT project will be one place that is discussed, and bills have been introduced in Congress. But the FTC can act today if any PHR site violates its privacy policy.

Peter

Prof. Peter P. Swire
C. William O'Neil Professor of Law
Moritz College of Law
The Ohio State University
Senior Fellow, Center for American Progress
(240) 994-4142, www.peterswire.net