HIPAA Regulatory Alert

HIMSS backs development of interoperable ePHRs

Group says ePHRs should use HIPAA standards

The Healthcare Information Management and Systems Society (HIMSS) says it supports development of interoperable electronic personal health records (ePHR) that are interactive and use a common data set of electronic health information and e-health tools. HIMSS says it envisions ePHRs that are universally accessible and layperson-comprehensible, and that may be used as a lifelong tool for managing relevant health information. "The ideal ePHR would receive data from all constituents that participate in the individual's health care, allow patients or proxies to enter their own data (such as journals and diaries), and designate read-only access to the ePHR or designated portions," a HIMSS position statement says. HIMSS says it supports ePHR applications with the following characteristics:

  • provide for unique patient identification;
  • allow secure access to the information contained in the ePHR;
  • permit receipt of e-mail alerts that do not reveal protected health information;
  • allow a patient proxy to act on behalf of the patient;
  • permit designation of information to be shared electronically; and
  • provide technical support to ePHR constituents at all times.

Current forms of ePHRs in the market mainly involve three basic models:
1) software used by individuals to enter and maintain their personal health information;
2) web sites maintained by third parties that allow patients to enter and access their information; and
3) web sites that allow patients to view information from other applications, such as an institutional electronic health record/electronic medical record or an application that maintains the individual's health insurance claims data.

Adopt HIPAA standards even if not covered

To the extent that an entity offering an ePHR is not a HIPAA-covered entity, or is not covered by other privacy and security laws, HIMSS encourages the entity to adopt at a minimum the privacy and security standards of HIPAA as if the organization were a covered entity. Although there is currently a lack of universal data element standards for ePHRs, HIMSS supports development of ePHRs with this minimum data set — personal identifier, clinical summary, results/reports, histories, contact and registration information, and current and historical insurance information. HIMSS acknowledges there are many legal barriers that impede widespread ePHR adoption and recommends development of national standards to ease burdens placed on constituents due to variances in state law and/or development of national and uniform state rules, regulations, and/or standards to address legal concerns raised by ePHRs.

Senators say HHS needs medical privacy office

Sens. Edward Kennedy (D-MA) and Patrick Leahy (D-VT) say they will introduce legislation to create an office within the Department of Health and Human Services to interpret and enforce medical privacy.

"In this electronic era, it is essential to safeguard the privacy of medical records while ensuring our privacy laws do not stifle the flow of information fundamental to effective health care," said Kennedy, who was a sponsor of the original HIPAA legislation. He said he is unhappy with what he called the "bizarre hodgepodge" of regulations under the law and with HHS' failure to provide "adequate guidance on what is and is not barred by the law."