Privacy & Data

Personal Health Records – is HIPAA the Answer?

There has been considerable discussion lately about whether the new privacy provisions in the economic stimulus legislation (the American Recovery and Reinvestment Act or ARRA) extend the coverage of the HIPAA privacy and security regulations to commercial vendors of personal health records (PHRs) any time they contract with a HIPAA covered entity.

In a blog post today we argue that PHR vendors should be covered under HIPAA only under certain circumstances, such as when they are performing a function or activity on behalf of a hospital or physician. PHRs should be governed by a comprehensive framework of privacy and security protections, but HIPAA – which was designed to regulate the flow of information among entities in the traditional health care system – would provide inadequate privacy protection for records kept by or for individuals.

The blog post explains why the HIPAA privacy regulations, at least as they are currently structured, are inappropriate for protecting PHRs in most circumstances. The post also looks at other factors that should be taken into consideration in deciding when vendors of PHRs could (and perhaps should) be covered by HIPAA. The post is part of a three-part series co-authored by Vince Kuraitis, J.D., M.B.A., Principal and Founder of Better Health Technologies LLC, and David C. Kibbe, M.D., M.B.A., Principal, The Kibbe Group LLC.