Transcript Slide 1

Legal and Clinical Regulation of PHRs: The Current Framework
Tom Jones, M.D., Chief Medical Officer, Tolven, Inc.
Richard Marks, President, Patient Command, Inc.
Why the focus on PHRs?
 PHR market development
   Tethered PHRs
   Retail PHRs
 Political support for PHRs
Political concern for a comprehensive legal framework to govern PHRs
 Bills introduced last session of Congress
 Activity this session
 Obama Administration initiatives
What do regulators want?
 Privacy advocates: consumer access to and control of their information
 Consumer advocates: poor service and misleading advertising
 HIPAA covered entities: a level playing field (or at least a consistent one)
 Congress: a new, unregulated industry where misconduct is likely
What are the myths?
 PHRs are presently unregulated.
 HIPAA applies to PHRs.
 No laws apply to PHRs; they are the Wild West.
 Congress must fashion a comprehensive new regulatory framework, else PHRs will go unregulated and unsupervised.
PHR reality
 PHRs are presently subject to many federal and state laws.
 These laws govern security, privacy, and consumer protection.
 In many ways these laws offer consumers more sensible, more effective protection than HIPAA offers for EHRs.
 Congress can update and supplement existing law rather than enacting a whole new framework for an emerging industry that it does not yet understand.
Laws governing PHRs today
 Stored Communications Act (SCA) of 1986, part of the Electronic Communications Privacy Act (ECPA)
 Federal Trade Commission Act
 Computer Fraud and Abuse Act
 Privacy Act of 1974
 State privacy, consumer protection, and data breach notification laws
Stored Communications Act
 Written for the world of 1986
 Distinguishes electronic communications services (ECS) from remote computing services (RCS) and gives each different protections; needs updating
 Health record banks and most other PHRs fall within ECS, so consumers get the stronger protection: no voluntary disclosure without consumer consent
 The problem of compelled disclosure to the government (via subpoena, court order, or warrant) remains
HIPAA and PHRs
 Myth: HIPAA governs PHRs.
 Fact: HIPAA governs doctors, hospitals, health plans, and drug plans (HIPAA "covered entities").
 HIPAA does NOT control what patients do with copies of their own records (e.g., copies held in a health record bank, HRB).
 Extending HIPAA, which was designed for covered entities rather than patient-controlled records, beyond its present scope would be a big mistake.
Federal Trade Commission Act
 Directed at unfair or deceptive trade practices, including
   Deceptive advertising
   Deceptive contracting practices
 Regulates HRBs' contractual promises to consumers (a privacy policy that is not honored is a deceptive practice)
Computer Fraud and Abuse Act
 Applies to any "protected computer", i.e., one used in or affecting interstate or foreign commerce or communication; in practice this reaches any computer connected to the Internet
 Punishes access that is unauthorized or that exceeds authorized access
 Criminal penalties: fines and imprisonment (a civil action is also available to a party who suffers qualifying loss)
Computer Fraud and Abuse Act (continued)
 Important to consumers who use their PHRs in social networks (e.g., disease channels) and to HRBs that facilitate social networking
 U.S. v. Drew (C.D. Cal. 2008)
   Woman created a fictitious MySpace page
   Teenager committed suicide
   Jury verdict: woman criminally liable (misdemeanor unauthorized access) for violating MySpace's terms of service
   Caveat: the trial court later set that verdict aside (2009), holding that a breach of a website's terms of service alone cannot make access "unauthorized" under the CFAA without rendering the statute unconstitutionally vague; how far the CFAA reaches terms-of-service violations has continued to be litigated since
Considerations for legislation
 Important for the Obama Administration and for Congress
 Is a new, comprehensive statutory framework necessary for PHRs?
 How much does Congress know about regulating the PHR industry?
 Is updating the existing statutory framework more effective, and necessary in any event?
Issues that bother clinicians
The topic of PHRs often generates controversy among clinicians. The main areas of concern are:
 Control of information
 Completeness of information
 Validity of information
 Integration of information
 Litigation risks
 Affordability
Will I lose control?
 I created the information; why can't I keep it?
 You can keep it; you just need to give the patient an accurate copy.
Is the information complete?
 What is the patient hiding from me?
 The patient is undoubtedly hiding the same things that he or she has always been hiding.
How can I trust the information?
 If the information comes from a PHR, how can I know whether it is accurate?
 Systems must authenticate information that originates elsewhere and is then transmitted through a PHR: the receiving clinician needs to be able to verify who created each item and that it has not been altered in transit, independently of the PHR that relayed it. A record that is merely "from the PHR" carries only the patient's word; a record that carries the originating provider's verifiable signature carries the provider's.
How does this affect my EMR?
 If the patient sends me electronic information, how can I see it in my EMR?
 The whole notion of an interoperable healthcare information infrastructure depends on standards for representing and exchanging information.
Am I going to get sued?
 What happens if the patient sends me information from his or her PHR, I don't read it, and the patient then has a problem that could have been prevented if I had read it?
 The same thing that happens when you ignore a letter, a phone message, or verbal information transcribed into your paper record.
How can I afford this?
 I would like to offer a PHR to my patients; how can I afford to do so when I cannot even afford an EMR for my office?
 Affordability can be achieved with new technology and new business models.
Aspects of proposed legislation
 To explore the clinical information landscape of PHRs, we will look at key aspects of some existing legislative initiatives.
 We will relate sections of those initiatives to the clinical concerns mentioned earlier.
Defining PHR
Stark bill: "The term 'personal health record' means an electronic record of individually identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual."
Preparing for regulation
Stark bill: "Not later than one year after the date of the enactment of this Act, the Secretary, in consultation with the Federal Trade Commission, shall conduct a study on privacy and security requirements … that should be applied to
 (A) vendors of personal health records;
 (B) entities that offer products or services through the website of a vendor of personal health records;
 (C) entities that are not covered entities and that offer products or services through the websites of covered entities that offer individuals personal health records;
 (D) entities that are not covered entities and that access information in a personal health record or send information to a personal health record"
Information integration
"The National Coordinator shall perform the duties under subsection (c) in a manner consistent with the development of a nationwide
 interoperable health information technology infrastructure …" (Dingell-Barton)
 health information technology infrastructure that allows for the electronic use and exchange of information …" (Stark)
Interoperability has yet to be adequately addressed by CCHIT.
Levels of interoperability
 "Key to making health care information electronically available is the ability to share that data among health care providers—that is, interoperability."
 "Interoperability is the ability for different information systems or components to exchange information and to use the information that has been exchanged."
 "This capability is important because it allows patients' electronic health information to move with them from provider to provider, regardless of where the information originated."
Source: GAO report GAO-08-954, "Electronic Health Records: DOD and VA Have Increased Sharing of Health Information, but More Work Remains"
Privacy
 A substantial number of patients will not use PHRs if their healthcare information is not protected.
 If patients will not use PHRs, sharing information with clinicians is more difficult.
 All of the pending legislation acknowledges the need for privacy.
Protecting privacy
 Patient control of access to information should be a critical feature of PHRs.
 Patient access control does not imply loss of "information ownership"
   Provider acquiescence should not be necessary
   Privacy violations need to be taken as seriously as home invasions; judgments about the potential for harm should not create exceptions
Patient control of information flow
Stark bill: "Sensitive protected health information may be segmented, with the goal of minimizing the reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns involving sensitive protected health information, while maximizing patient safety and clinical utility of the information."
Non-care information access
 Clinicians have obligations to report certain data to public health organizations.
 Participation in research activities may require additional reporting.
 The role of PHRs in such activities has yet to be determined but must soon be articulated.
 Patients must have control over information reuse that is not legally required.
Timeliness
 If providers cannot get information to and from PHRs, their usefulness will be diminished.
 There are multiple attempts to address this issue in pending legislation.
Affordability
Quoted from CNNMoney.com:
NEW YORK (CNNMoney.com) -- President-elect Barack Obama, as part of the effort to revive the economy, has proposed a massive effort to modernize health care by making all health records standardized and electronic.
Here's the audacious plan: Computerize all health records within five years. The quality of health care for all Americans gets a big boost, and costs decline.
President-elect wants to computerize the nation's health care records in five years. But the plan comes with a hefty price tag, and specialized labor is scarce.
CNN 1/12/09
Conclusions
 Practitioners and patients alike will be better served by interoperable electronic health record systems that include PHRs permitting the patient to control the flow of his or her health information across clinical care settings.
 Attempts to craft further regulation of already protected healthcare information may prove counterproductive for PHR development and deployment.