Health information exchange outside HIPAA

The Social Security Administration (SSA) has essentially been the first government adopter of the Nationwide Health Information Network (NHIN), going into production early this year with an information exchange with MedVa to receive medical records in support of disability claims. By all accounts, this first effort has been an unqualified success, reducing the time to retrieve and process the needed documentation from weeks or months to under an hour. SSA is now looking for ways to expand the number of medical record sources it can access so that it can make benefit eligibility determinations more efficiently. According to an announcement last week, one option under serious consideration is tying into Microsoft's HealthVault personal health record (PHR) system.

There are many interesting aspects to this potential relationship, but one that may be a bit unusual in the overall health information exchange context is the prospect of an end-to-end exchange of electronic medical records completely outside the coverage of HIPAA. Neither Microsoft nor SSA is a covered entity under HIPAA, and there is even some debate over whether PHR vendors like Microsoft, Google, myPHR, and others qualify as "business associates" either. An information exchange between Microsoft and SSA would therefore fall outside the scope of HIPAA, and the Privacy Act, which binds federal agencies such as SSA but not private vendors, would offer no protection on Microsoft's side of the exchange. The only requirements clearly applicable to such an exchange would be the breach disclosure provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

If nothing else, the evolution of health IT in a direction largely outside the existing regulatory and legal framework governing personal health information only highlights the need to address patient privacy protections explicitly, rather than as an adjunct to laws focused primarily on organizational entities.