PHR Privacy Report a Work in Progress

Federal Officials to Hold Event to Gather Ideas
Federal officials are still months away from submitting an overdue report to Congress on privacy and security requirements for personal health records vendors, which are not covered by HIPAA.

Section 13421 of the HITECH Act called for the Department of Health and Human Services to submit a report by last February on the requirements for PHR vendors and others not covered by HIPAA. But the report has been delayed while the Department of Health and Human Services' Office of the National Coordinator for Health Information Technology worked on other projects, says Joy Pritts, ONC's chief privacy officer. She expects the report to be completed early in 2011.

Personal health records are initiated and maintained by patients. They can include information entered by patients as well as data from other sources, such as a doctor's electronic health records.

On Dec. 3, ONC will host a day-long roundtable event in Washington on PHRs featuring panels of researchers, legal scholars and representatives of consumer, patient and industry organizations. "We have scheduled that meeting to help us prepare our report to Congress," Pritts says.

Based on the recommendations in the report, new regulations might be proposed or Congressional action might be requested, Pritts adds.

Personal health records are regulated under the HIPAA privacy and security rules only if they are offered by a "covered entity," such as a hospital or physician group.

In written testimony prepared for a Congressional hearing held Sept. 30, Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, called for stronger protection of personal health records, but not through HIPAA. She said that the Markle Foundation's Common Framework for Networked Personal Health Information would provide a good starting point.

Another Overdue Report

ONC and the HHS Office for Civil Rights also are continuing work on another overdue report, called for under the HITECH Act, on whether rules for de-identified health information should be updated, Pritts says. Under the HIPAA privacy rule "safe harbor" for de-identification, 18 common identifiers must be stripped out of data for it to qualify as de-identified so it can be shared for research and certain other purposes.

At the HIPAA Summit West meeting Oct. 4-6 in San Francisco, an ONC official will discuss the results of a preliminary study on the de-identification issue, Pritts says.

ONC also is just beginning to review recommendations from a privacy and security tiger team on a number of issues, including patient consent, related to health information exchange, Pritts says. Thus, it remains to be seen whether those recommendations, and others in the works, might find their way into federal regulations from HHS, she adds.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
