Friday, July 1, 2011

Who needs a HIPAA-disclaiming PHI service?

by Ed Gerck, Ph.D.

Apparently, according to Google, not consumers. Google to End Health Records Service After It Fails to Attract Users, is the headline as seen in

This news has been seen and talked about in many different ways. It could be that Google is reducing claims on health services. It could be evidence of broken data flows among US health-care institutions. Perhaps, it is evidence that many doctors do not use electronic records at all. While all these views may be true, so that something like Google Health would not be worthwhile at this time, Google's action may actually be signaling a reaction that is much more important to understand.

It is true that Google has blamed it on (lack of) users. A former manager of Google Health said the service could not overcome the obstacle of requiring people to laboriously put in their own data.

However, the problem that  the Personal Health Record (PHR) had to be updated by the consumer was mostly overcome early on by Google Health by making it automatic (opt-in from your lab results, for example).  Google also solved many of the incompatibility issues in sharing electronic health records across institutions, and making it easy for doctors to join in.

Saying that "the problem was the user" (where did we hear that before?) seems to be more of a credible excuse for failing than another much more relevant reason, which was consumers not trusting a service that disclaimed HIPAA.  Even calling it PHR and not Protected Health Information (PHI, protected by HIPAA), might have by itself alarmed consumers, who are becoming more educated about their privacy needs.

Another possibility is that HIPAA enforcement can no longer be held at bay and that Google "got it" early, before the New York Times, Information Week, MIT Technology Review, Microsoft, WebMD, and others.

Indeed, it looks ever more likely that HIPAA enforcement and fines will be applied also to those disclaimers that are seen as just a "run around" of the consumer-protection PHI regulations that were one of the very reasons for the HITECH Act. Why would otherwise federally-regulated PHI be "free-for all" (meaning: affiliates) just because the consumer uploaded it to a website that disclaimed HIPAA protection as a requirement to provide service? How did the provider (Google, Microsoft, WebMD) determine whether a patient is aware of the possible risks?

But HIPAA enforcement is not even the major source of worries.

HIPAA violations can also be criminal (eg, Knowingly - 1 year/ $50,000) and  “Covered entities cannot avoid responsibility by intentionally ignoring problems with their contractors”.

So, failing to provide HIPAA privacy based on a disclaimer by a contractor (eg, Google Health, Microsoft, WebMD) will likely fail the industry standard of care today and expose the covered entities to responsibility in various levels, in addition to duties under state tort law.

Now, looking at NASDAQ, Epsilon, Citibank, and other "secure service provider" breach cases, they still argue that user data security needs only to be secure enough to deter the type of intrusion that a reasonable person might expect to occur, just as Google Health also does with username/password access control.

Well, even if this argument is valid (and there are legal reasons why not, such as preventing contributory negligence in breaching other people's files by using information gained from breaking my file) it's questionable under relying-party HIPAA and HITECH considerations whether it would apply to anyone but oneself -- even under HIPAA rule 45 C.F.R. § 164.530(c).

And HITECH is funded by fines, which is not a unique model in enforcing HIPAA.  Recently, I heard of a new unit in the California DHHS that is looking for more audits. They were funded for two years with the expectation that the unit would become self funded via penalties before it ran out of the initial funding. It was reported to me that they fined one hospital (a large one) $75,000 for an x-ray technician looking at four medical records that he had no medical or business reason to look at them.

Now, imagine someone using Google Health to improperly look at the medical records of someone else. This could be a potential large liability for Google, and a potential "black eye".

That's also why IT customers, and their users, should not work with anything short of Safe Harbor, even if the customer does not need HIPAA and HITECH. It's just a proven time-bomb otherwise, in regulatory enforcement and/or in attacks.

Here, hackers, HITECH, and HHS enforcement are actually least of worries. Private law suits by patients are more of concern and easier because standard of care is so much higher.

Google Apps, however, even if just through a mail client, can be part of a cost-effective HIPAA and HITECH Safe Harbor compliant solution for PHI using ZSentry for Google (click for free trial & Premium options).

ZSentry for Google can also be used with webmail and cell phones, does not add any liability to Google's operation and uses Google's strong points of reliability, support, and ease-of-use, for the benefit of health care providers and consumers. Read More...