The Security Scrutinizer with Howard Anderson

When Will PHR Rules be Ready?

When Will PHR Rules be Ready?

When will federal regulators draft long-awaited privacy and security rules for personal health records? So far, officials at the Department of Health and Human Services are being tight-lipped on the subject.

Asked about the status of the rules, which, under the HITECH Act , were due in February, an HHS spokesman would only say "The rules you refer to are still in development."

Personal health records, often housed on Web sites, generally are created and controlled by patients, who can add information to the records. Some PHRs also are linked to electronic health records, the official records of hospitals and clinics.

A new national consumer survey found that of the vast majority of Americans who have not yet used a PHR, "worry about the privacy of my information," was the biggest barrier, cited by 75 percent.

The federal HIPAA privacy and security rules, which apply to electronic health records, do not apply to most PHRs.

Once new federal PHR regulations are in place, more Americans may be willing to jump on the PHR bandwagon, says Deven McGraw, an attorney who is director of the health privacy project at the Center for Democracy and Technology. "I want the PHR rule to be a good set of recommendations, and if that takes a little longer, so be it," she says. "But it can't be an indefinite wait."

I couldn't agree more. Without clear-cut federal regulations on how to keep PHRs private, they likely will never achieve their potential for getting patients more involved in their treatment. That's because if Americans don't trust PHRs, they won't use them.

In other regulatory developments, the final version of the "meaningful use" rule that supports the HITECH incentive payment programs for electronic health record use, is still on track to be ready by late spring, an official with the Centers for Medicare and Medicaid Services told the HIT Policy Committee April 21. The committee advises HHS and its Office of the National Coordinator for Health IT on policy issues.

CMS is considering all comments received on the meaningful use rule as it prepares a final version, says the agency's Tony Trenkle. "It's going to be difficult to pull together a final rule," he says. "It won't satisfy everyone. It's a balancing act."

Here's just one example of the many comments received: A coalition of 21 consumer groups and unions called on federal regulators to beef up and clarify information security provisions in the proposed rule.

In another privacy-related regulatory development, the HIT Policy Committee's privacy and security workgroup will make a proposal in May on federal privacy protection guidelines for electronic health information exchanges. In particular, the workgroup is considering two important issues. It's pondering policies governing how the intermediary that runs an HIE can access data. And it's contemplating how much choice patients should have in authorizing specific organizations to access their records via an HIE.

Similarly, the HIT Policy Committee's National Health Information Network workgroup is developing a "trust framework" dealing with privacy and security issues. NHIN isn't really a network; it's a group of standards for secure data exchange that various networks will use, ultimately, to enable the national exchange of information.

The NHIN trust framework might include measures to ensure that data received was not altered in transit as well as ways to authenticate the identity of those exchanging data.

As I mentioned in an earlier blog , many consumer advocates are calling for quick action to ensure that our ability to keep information private and secure keeps up with the growth of data sharing.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.