PHR Privacy Report a Work in ProgressFederal Officials to Hold Event to Gather Ideas
Section 13421 of the HITECH Act called for the Department of Health and Human Services to submit a report by last February on the requirements for PHR vendors and others not covered by HIPAA. But the report has been delayed while the Department of Health and Human Services' Office of the National Coordinator for Health Information Technology worked on other projects, says Joy Pritts, ONC's chief privacy officer. She expects the report to be completed early in 2011.
Personal health records are initiated and maintained by patients. They can include information entered by patients as well data from other sources, such as a doctor's electronic health records.
On Dec. 3, ONC will host a day-long roundtable event in Washington on PHRs featuring panels of researchers, legal scholars and representatives of consumer, patient and industry organizations. "We have scheduled that meeting to help us prepare our report to Congress," Pritts says.
Based on the recommendations in the report, new regulations might be proposed or Congressional action might be requested, Pritts adds.
Personal health records are regulated under the HIPAA privacy and security rules only if they are offered by a "covered entity," such as a hospital or physician group.
In written testimony prepared for a Congressional hearing held Sept. 30, Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, called for stronger protection of personal health records, but not through HIPAA. She said that the Markle Foundation's Common Framework for Networked Personal Health Information would provide a good starting point.
Another Overdue ReportONC and the HHS Office for Civil Rights also are continuing work on another overdue report, called for under the HITECH Act, on whether rules for de-identified health information should be updated, Pritts says. Under the HIPAA privacy rule "safe harbor" for de-identification, 18 common identifiers must be stripped out of data for it to qualify as de-identified so it can be shared for research and certain other purposes.
At the HIPAA Summit West meeting Oct. 4-6 in San Francisco, an ONC official will discuss the results of a preliminary study on the de-identification issue, Pritts says.
ONC also is just beginning to review recommendations from a privacy and security tiger team on a number of issues, including patient consent, related to health information exchange, Pritts says. Thus, it remains to be seen whether those recommendations, and others in the works, might find their way into federal regulations from HHS, she adds.