Legal and Clinical Regulation of PHRs – The Current Framework Tom Jones, M.D. Chief Medical Officer, Tolven, Inc. Richard Marks President, Patient Command,

Presentation transcript:

Legal and Clinical Regulation of PHRs – The Current Framework Tom Jones, M.D. Chief Medical Officer, Tolven, Inc. Richard Marks President, Patient Command, Inc.

Why the focus on PHRs?
- PHR market development
- Tethered PHRs
- Retail PHRs
- Political support for PHRs
- Political concern for a comprehensive legal framework to govern PHRs
- Bills introduced last session of Congress
- Activity this session
- Obama Administration initiatives

What do regulators want?
- Privacy advocates: concern about consumer access and control
- Consumer advocates: poor service, misleading advertising
- HIPAA covered entities: a level playing field (or at least a consistent one)
- Congress: a new, unregulated industry where misconduct is likely

What are the myths?
- PHRs today are presently unregulated.
- HIPAA applies to PHRs.
- No laws apply to PHRs – they are the Wild West.
- Congress must fashion a comprehensive new regulatory framework, else PHRs will go unregulated and unsupervised.

PHR reality
- PHRs presently are subject to many federal and state laws.
- These laws govern security, privacy, and consumer protection.
- In many ways, these laws offer consumers more sensible, more effective protection than HIPAA does for EHRs.
- Congress can update and supplement existing law rather than trying to enact a whole new framework for an emerging industry that it doesn’t yet understand.

Laws governing PHRs today
- 1986 Stored Communications Act (SCA), part of the Electronic Communications Privacy Act (ECPA)
- Federal Trade Commission Act
- Computer Fraud and Abuse Act
- 1974 Privacy Act
- State privacy, consumer protection, and data breach notification laws

Stored Communications Act
- Written for the world in 1986
- Electronic communications services (ECS) and remote computing service (RCS) – different protections – needs updating
- Health record banks and most other PHRs fall within ECS, so consumers get strong protection – no disclosure without consumer consent
- Problem of compelled disclosure to government remains

HIPAA and PHRs
- Myth: HIPAA governs PHRs.
- Fact: HIPAA governs doctors, hospitals, health plans, drug plans (HIPAA “covered entities”).
- HIPAA does NOT control what patients can do with copies of their records (e.g., copies in a HRB).
- Extending HIPAA – designed for “covered entities,” not patient-controlled records – beyond its present scope would be a big mistake.

Federal Trade Commission Act
- Directed at deceptive trade practices including
  - Deceptive advertising
  - Deceptive contracting practices
- Regulates HRBs’ contractual promises to consumers

Computer Fraud and Abuse Act
- Applies to any computer used in interstate or foreign commerce that affects interstate or foreign commerce or a communication of the U.S.
- Punishes access or use that’s unauthorized or that exceeds authorization
- Criminal: fines and imprisonment

Computer Fraud and Abuse Act
- Important to consumers who use their PHRs in social networks (e.g., disease channels) and to HRBs that facilitate social networking
- U.S. v. Drew (C.D. Cal. 2008)
  - Woman created fictitious MySpace page
  - Teenager committed suicide
  - Held: woman criminally liable for violating MySpace terms of service

Considerations for legislation
- Important for Obama Administration and for Congress.
- Is a new, comprehensive statutory framework necessary for PHRs?
- How much does Congress know about regulating the PHR industry?
- Is updating the existing statutory framework more effective, and necessary in any event?

Issues that bother clinicians
- The topic of PHRs often generates controversy among clinicians
- The main areas of concern are:
  - Control of information
  - Completeness of information
  - Validity of information
  - Integration of information
  - Litigation risks
  - Affordability

Will I lose control?
- I created the information, why can’t I keep it?
- You can keep it, you just need to give the patient an accurate copy

Is the information complete?
- What is the patient hiding from me?
- The patient is undoubtedly hiding the same things that he/she has always been hiding.

How can I trust the information?
- If the information comes from a PHR, how can I know if it is accurate?
- Systems must provide authentication of information if it originates elsewhere and then is transmitted through a PHR

How does this affect my EMR?
- If the patient sends me electronic information, how can I see it in my EMR?
- The whole notion of an interoperable healthcare information infrastructure depends upon standards for representing and exchanging information

Am I going to get sued?
- What happens if the patient sends me information from his/her PHR and I don’t read it and then the patient has a problem that could have been prevented if I had read the PHR?
- The same thing will happen as when you ignore a letter, phone message, or verbal information transcribed in your paper record

How can I afford this?
- I would like to be able to offer a PHR to my patients; how can I afford to do so when I cannot even afford an EMR for my office?
- Affordability can be achieved with new technology and new business models

Aspects of proposed legislation
- In order to explore the clinical information landscape of PHRs, we will look at key aspects of some existing legislative initiatives
- We will relate sections of those initiatives to the clinical concerns mentioned earlier

Defining PHR
The term ‘‘personal health record’’ means an electronic record of individually identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual. (Stark)

Preparing for regulation
Not later than one year after the date of the enactment of this Act, the Secretary, in consultation with the Federal Trade Commission, shall conduct a study on privacy and security requirements …that should be applied to
(A) vendors of personal health records;
(B) entities that offer products or services through the website of a vendor of personal health records;
(C) entities that are not covered entities and that offer products or services through the websites of covered entities that offer individuals personal health records;
(D) entities that are not covered entities and that access information in a personal health record or send information to a personal health record
(Stark)

Information integration
- The National Coordinator shall perform the duties under subsection (c) in a manner consistent with the development of a nationwide interoperable health information technology infrastructure… (Dingell-Barton)
- health information technology infrastructure that allows for the electronic use and exchange of information… (Stark)
- Interoperability has yet to be adequately addressed by CCHIT

Levels of interoperability
Key to making health care information electronically available is the ability to share that data among health care providers—that is, interoperability. Interoperability is the ability for different information systems or components to exchange information and to use the information that has been exchanged. This capability is important because it allows patients’ electronic health information to move with them from provider to provider, regardless of where the information originated.
GAO report ‘Electronic Health Records: DOD and VA Have Increased Sharing of Health Information, but More Work Remains’

Privacy
- A substantial number of patients will not make use of PHRs if their healthcare information is not protected
- If patients will not use PHRs, sharing information with clinicians is more difficult
- All of the pending legislation acknowledges the need for privacy

Protecting privacy
- Patient control of access to information should be a critical feature of PHRs
- Patient access control does not imply loss of “information ownership”
- Provider acquiescence should not be necessary
- Privacy violations need to be taken as seriously as home invasions; judgments about the potential for harm should not create exceptions

Patient control of information flow
Sensitive protected health information may be segmented, with the goal of minimizing the reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns involving sensitive protected health information, while maximizing patient safety and clinical utility of the information. (Stark)

Non-care information access
- Clinicians have obligations to report certain data to public health organizations
- Participation in research activities may require additional reporting
- The role of PHRs in such activities has yet to be determined but must soon be articulated
- Patients must have control over information reuse that is not legally required

Timeliness
- If providers cannot get information to and from PHRs, their usefulness will be diminished
- There are multiple attempts to address this issue in pending legislation

Affordability
NEW YORK (CNNMoney.com) -- President-elect Barack Obama, as part of the effort to revive the economy, has proposed a massive effort to modernize health care by making all health records standardized and electronic. Here's the audacious plan: Computerize all health records within five years. The quality of health care for all Americans gets a big boost, and costs decline.
President-elect wants to computerize the nation's health care records in five years. But the plan comes with a hefty price tag, and specialized labor is scarce.
CNN 1/12/09

Conclusions
- Practitioners and patients alike will be better served by interoperable electronic health record systems that include PHRs that permit the patient to control the flow of his/her health information across clinical care settings
- Attempts to craft further regulation of already protected healthcare information may prove to be counter-productive for PHR development and deployment