Medical-Privacy Alert (cont.)

Despite the confusing HIPAA landscape, regulatory changes now hold all PHR providers accountable to some degree for their privacy practices. A provision of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires that all PHR service providers, regardless of whether they are bound by HIPAA, notify you when a breach occurs. FTC began to enforce the rule in February 2010. Violations can result in fines of up to $1.5 million. (As of press time, FTC hadn’t reported any fines.)

There also is a move afoot to standardize how each online PHR provider states its privacy policy. Office of the National Coordinator for Health Information Technology (ONC), which is the primary federal agency that coordinates the electronic exchange of health information, is devising such a rule. ONC also would require PHR service providers to make their privacy policy clearly visible on their website.

A standardized format would help consumers to more easily compare the privacy policies of different PHR service providers, says Nancy Szemraj, who is an ONC spokesperson. Such information now might be scattered among multiple locations or under different headings, such as “terms of use” or “frequently asked questions.”

This guideline is expected to be released this year—Szemraj couldn’t be more specific—but when it arrives, it won’t be mandatory. ONC’s expectation is that PHR providers will use this tool to gain your trust. But we believe that a toothless guideline leaves a gaping hole for consumers to continue to be confused or misled.

BANKING ON IT. An emerging option on which to store your PHR is a community health-record bank or community health-record trust. These are electronic repositories for your medical records that you control much like you would a bank account. Whenever a patient receives care, the new information that’s generated is deposited into the user’s community health-record bank account, where only he/she can access it and send it to doctors and other medical personnel.

How much that you might pay for such an account varies. We found one community health-record bank that’s subsidized by the government and therefore is free. Another community health-record bank charges a one-time fee of $99. Still others require ongoing fees of up to $5 per month.

But don’t necessarily expect to find a community health-record bank in your backyard quite yet. So far, there is a scattering of community health-record banks in Arizona, Florida and Washington. Dossia Consortium, which includes BP, Intel and Wal-Mart, has developed community health-record banks for several of its corporate members. But other efforts have been stalled by finances or politics, says Dr. William A. Yasnoff, who is president and CEO of Health Record Banking Alliance, which promotes community health-record banks. It likely will be 3 to 5 years before community health-record banks become widespread, he says.

Community health-record banks connect to sources of health records (e.g., doctors, labs, hospitals) in a particular geographic area. If someone from outside of that community signs up, his/her community health-record bank account will be incomplete, Yasnoff says, because the intent is for the records to be kept and updated locally. That might change as these entities expand nationwide.

You should know that even though community health-record banks are not subject to HIPAA, they are protected by a stricter federal law—the Electronic Communications Privacy Act, which requires a consumer’s consent to release information to any private party.

Community health-record banks also are required under HITECH to notify members when a security breach occurs. Unfortunately, no law can guarantee that there won’t ever be a breach. “All computer systems are potentially vulnerable to hacking, including systems of patient records in hospitals and doctors’ offices,” Yasnoff says.

When it comes to online security, that might be so, but consumers still should expect a PHR service provider to have a healthy respect for their privacy.

Lisa A. Eramo has written on health-care regulation, health-information management and medical coding for 6 years. Her stories have appeared in For The Record magazine, The Journal of American Health Information Management Association and Medical Records Briefing.