
Mar 11

Personal Health Records - Where is the Security?

Personal Health Records – What Security?

I prepared the following written testimony for the Oregon Health Fund Board, which is charged with leading the health care reform effort in Oregon. As a bit of background, Senate Bill (SB) 329, Oregon’s version of health care reform, was signed into law following the Oregon 2007 Legislative Session. Among other things, it encouraged promoting the use of personal health records (PHRs) by Oregon citizens. As it turns out, it doesn’t even appear that the use of a PHR offered by a HIPAA covered entity can be counted on to be private and secure. Read on my friends!

Oregon Health Fund Board Written Testimony – Personal Health Records March 5, 2008

SB 329 specifically referenced encouraging Oregon citizens to begin using personal health records (PHRs) to maintain and track their health information. There are currently several PHRs on the market, including those offered by health plans, providers and employers. There is a significant flaw in all of them that needs to be addressed before encouraging Oregon citizens to begin using PHRs to track their health information – and it does not matter who is offering or managing the PHR.

I believe PHRs will become a valuable tool in assisting individuals in managing their personal health and in longitudinal care, especially for individuals with a chronic condition. Given record retention laws and the accompanying legal advice, “only keep records as long as required because they may represent a liability,” my records from early adulthood, as an example, were shredded long ago. A PHR provides a method of storing those records over an extended period of time and allows their use when moving from one provider to another.

There are a number of other benefits associated with PHRs: the ability for a consumer to store all health records in one place, the ability to examine what is being retained by their providers to determine whether the information is accurate, the ability to present documentation and exercise their right under the HIPAA Privacy Rule to request an amendment in the event a record is incorrect, the ability to monitor chronic conditions over an extended period of time, and so forth. At this point, though, the disadvantages – the lack of privacy and security controls – outweigh, in my opinion, the benefits of a PHR.

Currently there are no common technical or data standards governing the construction of PHRs. This means that if an Oregonian populates a PHR, that Oregonian cannot necessarily move the information stored in one PHR to another PHR. Information may be lost, or the individual may need to go back to the source of the health information and pay for or request that the information be transmitted to the new PHR vendor. There is no prohibition under HIPAA or Oregon law against providers charging consumers for this information. In fact, both HIPAA and Oregon law specifically allow providers to charge for copies, even if those copies are in electronic form.

Of greater concern is the lack of security and privacy potentially inherent in PHRs, no matter who offers the PHR as a benefit or markets it. There are no regulations (state or federal) requiring that data stored in PHRs be maintained securely. There are no regulations (state or federal) that prevent the vendor who is the custodian of that health information from selling the data for marketing purposes. Even the Oregon Identity Theft Protection Act (SB 583, 2007) does not cover breaches of medical information that is associated with a name. As an aside, I did raise the issue of the lack of privacy and security as it relates to PHRs during testimony on SB 329 during the 2007 Oregon Legislative Session.

In other words, when it comes to PHRs, caveat emptor – it is very important to read the fine print before signing up for a PHR, and even then the consumer is only potentially protected pursuant to state and federal consumer protection laws, Federal Trade Commission regulations and tort. As an aside, tort is not necessarily a deterrent to misuse of data or inadequate protection of data by a vendor, employer, health plan or provider, because the consumer who is allegedly harmed by a breach or misuse needs to prove harm, which, in cases such as this, can be difficult.

Even if laws and rules (federal and/or state) were in place to require appropriate use and privacy and security protections, they would not necessarily result in adequate consumer protection. A very good example of this is the enforcement, or lack thereof, of the HIPAA Administrative Simplification Provisions and associated rules. The HIPAA Privacy Rule was effective April 2003 and the Security Rule was effective April 2005. Since the effective date of both rules, the US Department of Health and Human Services, responsible for rule enforcement, has levied zero civil penalties against any covered healthcare organization for rule violations. Consumer privacy will only be protected if the appropriate deterrents are in place and the government is willing to step forward and enforce laws and rules should they be promulgated.

Some have stated that consumer data is protected if the PHR is offered by a vendor working on behalf of a HIPAA covered entity (health plan, provider, healthcare clearinghouse) as what is called a business associate. This is not necessarily true. HIPAA did not contemplate PHRs, and large covered entities have found creative ways to get around HIPAA privacy and security requirements while still advertising that the PHR they make available to patients or health plan members is private and secure.

As a real-life example, a large health plan that serves the Northwest (including Oregon) offers members their own PHR as a free member benefit. The health plan indicates that all information stored in the PHR will be private and secure. One would assume that, because of these statements and HIPAA requirements, this would be true, but now it’s time to read the fine print.

In this case, if one takes the time to read the actual legal document outlining the protections afforded and the health plan’s liability for inappropriate release, breach, etc., the consumer finds the health plan has sidestepped the issue by characterizing use of the PHR as voluntary – a mechanism for consumers to record health information “outside the control” of the health plan – even though the health plan is, or should be, responsible for the security and privacy of data sent to and from its secure web site and stored on its servers.

Specifically, the large health plan’s “Privacy Policy” statement governing the PHR states, “[HEALTH PLAN] does not warrant this Site will meet your requirements, or that your access or use of this Site will be uninterrupted, timely, secure or error-free, nor does [HEALTH PLAN] make any warranty whatsoever regarding the quality of any products, services, information or any other material you obtain through this Site (emphasis added).” This indicates the health plan assumes no responsibility for security when the site hosting the PHR is used.

The “Privacy Policy” further states, “[HEALTH PLAN] is not responsible for any loss or damage arising directly or indirectly from your use of this Site, or the interception of loss of any data transmitted to or from this Site. [HEALTH PLAN] shall have no liability whatsoever for failure of electronic or mechanical equipment or communication, telephone or other connection problems, computer viruses, unauthorized access or interception of data or this Site, theft, or errors. Your use of this Site, and the submission of any information by you are at your own risk. (emphasis added).” The general public will likely not read this statement, because the advertising related to the PHR indicates that all data stored in the PHR will be private and secure. I may be a bit more on the paranoid side than some, but this language indicates to me that this health plan has significantly backed away from taking responsibility for the privacy and security of the consumer’s health information. Given this language, I would not recommend even considering use of this health plan’s member PHR – and this is supposedly a covered entity, required to implement the privacy and security practices outlined in the HIPAA Privacy and Security Rules.

If this is the case with a “HIPAA covered entity,” I become very skeptical (as does the World Privacy Forum) when it comes to recommending that any consumer purchase access to a PHR through a vendor such as Google, Microsoft or The Dossia Project. Given the lack of regulations, the lack of enforcement of regulations that do exist, and the limited recourse available to consumers if the health information stored in their PHR is breached or inappropriately used, I would recommend that consumers wait before signing up for a PHR, or, at the very least, that the risks associated with PHR use at this point in time be explained to them very clearly.

As a further aside, it would be an incorrect assumption to conclude that providers will use the information stored in a PHR for diagnosis and treatment purposes. At this point in time, providers would use the information stored in the PHR only as they would use a health questionnaire filled out by the patient. There are valid reasons for this.

Given the construction and use of PHRs at this point in time, providers cannot validate that the information stored in the PHR is accurate, complete and originated from a trusted source. If the information is incorrect and the physician acts on it, he or she would be placing the patient at risk and opening the door to significant liability.

Also, providers are concerned that consumers will change valid medical information about themselves because they aren’t happy with the diagnosis, chart notes or other information contained in the record. If the record is correct and indicates, say, that the consumer is morbidly obese or suffers from generalized anxiety disorder, and the consumer isn’t happy with that information being stored in their PHR, they may have the ability to alter what would otherwise be a valid medical record. This is not to say a consumer shouldn’t have a right to retain what they choose in their PHR, but, at the same time, it does not mean a provider is bound to rely on what may be incomplete medical information for diagnosis and treatment.

The issues of validating the information contained in the PHR and protecting records that come from a trusted source against alteration need to be addressed before providers will trust PHR data for diagnosis and treatment. This does not mean a consumer should not have the right to annotate records provided by, say, their primary care physician, but the record itself should remain intact if the goal is to see providers use PHRs as valid sources of health care information about a consumer in diagnosis and treatment.
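The two requirements in the preceding paragraphs – that a receiving provider can check a record came intact from a trusted source, and that the consumer can annotate without altering it – are a provenance and integrity problem. The following is an added illustration, not part of the testimony and not any PHR vendor’s design: the issuing provider wraps each record in an envelope carrying its origin and an integrity tag over the canonical record, while consumer annotations live in a separate list the tag does not cover. The provider identifier, the key and the sample record are constructed for the example. A keyed HMAC (Python standard library) stands in for the digital signature a real deployment would use so that any provider, not only the key holder, could verify the record.

```python
import hashlib
import hmac
import json

# Constructed values for the example. A deployment would use the issuing
# provider's private signing key (public-key signature) rather than an HMAC key.
PROVIDER_ID = "example-primary-care-clinic"   # hypothetical identifier
PROVIDER_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always
    produces identical bytes (sorted keys, no insignificant whitespace)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(provider_id: str, record: dict, key: bytes) -> str:
    # Bind the provider identity into the tag so a record cannot be re-attributed.
    message = provider_id.encode("utf-8") + b"\n" + canonical(record)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_record(record: dict, provider_id: str = PROVIDER_ID, key: bytes = PROVIDER_KEY) -> dict:
    """Wrap a provider record in an envelope: origin, the record, an integrity
    tag over both, and an empty annotation list that the tag does not cover."""
    return {
        "provider_id": provider_id,
        "record": record,
        "tag": _tag(provider_id, record, key),
        "annotations": [],
    }


def verify_record(envelope: dict, key: bytes = PROVIDER_KEY) -> bool:
    """True only if the record body and provider id still match what was issued.
    Annotations are deliberately excluded, so consumer notes never break verification."""
    expected = _tag(envelope["provider_id"], envelope["record"], key)
    return hmac.compare_digest(expected, envelope["tag"])


def annotate(envelope: dict, note: str) -> dict:
    """Attach a consumer note alongside the record without touching the
    provider's signed content. Returns a new envelope; the input is unchanged."""
    updated = dict(envelope)
    updated["annotations"] = list(envelope["annotations"]) + [note]
    return updated


if __name__ == "__main__":
    # Constructed sample record mirroring the kind of entry discussed above.
    env = issue_record({"patient": "constructed-patient-1",
                        "visit_date": "2008-03-05",
                        "diagnosis": "generalized anxiety disorder"})
    print("issued verifies:", verify_record(env))

    noted = annotate(env, "Patient disagrees with this diagnosis.")
    print("annotated still verifies:", verify_record(noted))

    # A consumer (or anyone) editing the record body is detected on verification.
    altered = dict(env)
    altered["record"] = dict(env["record"], diagnosis="none")
    print("altered record verifies:", verify_record(altered))
```

The design choice worth noting is that the annotation layer sits outside the tag: the consumer keeps the right to comment, while the receiving provider can still distinguish the issuing provider’s untouched record from the consumer’s commentary, which is the separation the testimony asks for.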

In conclusion, at this point in time I would strongly recommend not encouraging Oregon citizens to immediately go out and sign up for a PHR. I would recommend documenting what is available on the market today (including PHRs offered through health plans, employers and providers), documenting outstanding issues (especially regarding security and privacy), documenting benefits, and then presenting consumers with the full picture. Just to say “it is private and secure” means little to me. You need to prove it and stand behind your statements. If you have any questions, please feel free to contact me.

Sincerely,

Chris Apgar, CISSP
President, Apgar & Associates, LLC
Chair, Oregon & SW Washington Healthcare, Privacy & Security Forum


Apgar & Associates, LLC
10730 SW 62nd Place
Portland, OR 97219

503.977.9432
