Rules still pending on privacy and security requirements for PHRs

The Office of the National Coordinator for Health Information Technology (ONC) within the Department of Health and Human Services (HHS) has announced plans for a public roundtable discussion on personal health records (PHRs) to be held in early December. The event will address a variety of aspects related to PHRs and their future direction, and will focus in particular on the topic of privacy and security requirements for PHR vendors and third-party providers who are not currently covered by HIPAA. While many HIPAA-covered entities such as health insurance plans and healthcare entities offer some form of personal health record to their customers, vendors like Google (Google Health), Dossia (Personal Health Platform), and Microsoft (HealthVault) do not necessarily fall under the scope of HIPAA, and where they do it is typically only in the role of a business associate. The Health Information Technology for Economic and Clinical Health (HITECH) Act referred specifically to PHR vendors as potentially non-covered entities, and directed HHS, in consultation with the Federal Trade Commission (FTC), “to conduct a study and submit a report on privacy and security requirements for entities that are not covered entities or business associates” (§13424(b)(1)) and to complete that report no later than one year after the law was enacted. The one-year deadline elapsed over six months ago in February, and while work on the report seems to be a higher priority now, ONC Chief Privacy Officer Joy Pritts said recently that she doesn’t anticipate its completion until early 2011.

The original version of the Health Insurance Portability and Accountability Act (HIPAA) passed in 1996 mandated compliance with security and privacy requirements only for HIPAA-covered entities, specifically including health care providers, health care plans, and health care clearinghouses. HITECH extended the coverage of the HIPAA Privacy Rule and Security Rule requirements to business associates (whose compliance was previously the responsibility of the covered entity that entered into the business associate agreement with them), and also addressed non-covered entities providing PHRs and associated technical services in some of the provisions of the law. Most notable among these are perhaps the health data breach disclosure and notification rules (§13407) that went into effect in September 2009 (although they remain in the form of “interim rules”). There were two sets of breach disclosure rules put in place — one for covered entities and business associates under the authority of HHS, and the other for data breaches from PHR vendors and other non-covered entities under the authority of the FTC. The section of the HITECH Act that applied the data breach disclosure rule to non-covered entities explicitly includes the word “temporary” in its title, although it is not clear whether the expectation was that the rules for privacy and security requirements, when promulgated, would include additional rules on data breach disclosure and therefore supersede the provisions in §13407.

The text of §13424 includes in the scope of the now-overdue study and subsequent report “requirements relating to security, privacy, and notification in the case of a breach of security or privacy” and reflects the same sort of notification exemption language that applies to breaches involving encrypted data (“rendered unusable, unreadable, or indecipherable”). It would seem that the opportunity exists for ONC to revise or make new recommendations regarding data breach disclosures within the context of conducting the study and producing the report that HITECH requires. Of course, a report with recommendations has no force of law, and the scope of rules for non-covered entities that might potentially be promulgated under HITECH’s authority appears limited to handling of data breaches. Potential changes in HIPAA applicability — such as extending it to include currently non-covered entities that nonetheless process, store, or manage health data — would presumably require further legislative action in addition to any executive branch decisions about appropriate privacy and security requirements.