- The Federal Trade Commission (FTC) issued interim regulations regarding breach notification requirements for PHR vendors, as mandated by the American Recovery and Reinvestment Act of 2009. According to the FTC press release, aside from breach notification, the proposed rule also:
stipulates that if a service provider to one of these [PHR vendor] entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.
The full notice can be found here.
- Mayo Clinic, in collaboration with Microsoft, launched its new personal health record (PHR) site on Tuesday, April 21, 2009. The Mayo Clinic Health Manager uses Microsoft's HealthVault system to store medical histories, test results, immunization files and other records from doctors' offices and hospital visits, along with data from home devices like heart rate monitors. Anyone, not just Mayo Clinic patients, can open an account online; users can grant limited access to doctors, family members, and others to view the information contained in their PHR. It would be very interesting to learn whether the Mayo Clinic required Microsoft to sign a Business Associate Agreement, or whether Microsoft would publicly acknowledge that its PHR product is subject to certain privacy and security rules under HIPAA. ("Mayo Clinic backs new personal health record site", USA Today, April 21, 2009.)
- Meanwhile, the Boston Globe raised serious doubts regarding the accuracy of patient information contained in Google Health's PHRs because "Google takes some information from insurance billing records that use broad and imprecise codes to describe patient treatment." According to Dr. David Kibbe, a senior technology adviser to the American Academy of Family Physicians, "[claims] data is notoriously inaccurate and notoriously incomplete with respect to an expression of the problems a person has." However, as Bob Evans of Global CIO Blog asks in an entry on this subject: is it better to have some information about a patient in a PHR, even if there is a good chance that the information is wrong, or to have no information at all? ("Electronic Health Records Raise Doubt", The Boston Globe, April 13, 2009; "Google Health Records Reveal Grossly Inaccurate Info", Global CIO Blog (Bob Evans), April 13, 2009.)