Department of Health and Human Services Alex Brandon/The Associated Press
Reading Time: 6 minutes

For 15 years, the Health Insurance Portability and Accountability Act (HIPAA) has given patients a variety of privacy protections for personal health information obtained by medical providers. Unbeknownst to many, though, the same protections do not apply to records controlled by consumers. Privacy advocates say it’s time that stricter standards apply to those records — but efforts to do just that have gone nowhere in Washington, and Congressionally mandated recommendations on how to make it happen are already 18 months late.

The regulatory void amplifies the dangers that exist when people post their health information online — to social networking sites, discussion boards, mobile technologies and personal health record-keeping systems, privacy experts say.

HIPAA, the law that outlines how doctors, hospitals and insurance companies are supposed to handle patient health information, dates to 1996, but was amended most recently in the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act portion of the president’s economic stimulus legislation. HITECH set aside $27 billion to encourage doctors and hospitals to convert paper records to digital form, and Congress amended HIPAA to provide additional protections, since so much more data was likely to be exchanged electronically.

But HIPAA doesn’t cover so-called personal health records, which are patient-managed medical records, and other related technologies, including mobile applications and social media, where people sometimes store or publish details about their health. Personal health records are typically provided for free online — by firms like Google Health, Microsoft HealthVault and Dossia — and include services that allow patients to record their health information, set health goals, list medications, communicate with doctors and track their progress. They also often provide access to medical search engines and discussion groups.

“There is a strange perception in the public that all health information is under HIPAA, but it’s not,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public research interest group. “People are taken by surprise that there is no legal regulation.”

Depending on company privacy policies, health records outside of HIPAA’s purview can be bought and sold, shared with merchants and even disclosed to employers, according to the World Privacy Forum. Privacy policies and consent forms have become so complex and ubiquitous that privacy advocates fear consumers are not adequately reviewing them.

“If consents are made too complex, many will click ‘Yes.’ They’ve simply become so overwhelmed by lengthy online notices. Yet the risks of medical data disclosures exceed those of financial breaches, and the damage may simply be irreparable,” said William Pewen, former senior health policy adviser to Sen. Olympia J. Snowe, R-Maine, who helped draft the HIPAA legislation.

“Too few realize that social networking sites can utilize such information for commercial purposes, or that some disease-related sites have ties to drug manufacturers who might exploit the medical data one shares.”

No place to turn

Advocacy groups have been attempting for years to beef up protections, with little success. The Federal Trade Commission (FTC) acts as a partial safeguard for the public when it comes to handling the abuse of these online sharing systems, and can prosecute cases of unfair or deceptive practices outlined in Section 5 of the Federal Trade Commission Act. For instance, if a company says in its policy that it will never sell consumer information, but then it does, the FTC has the authority to seek civil penalties.

But the agency can go only after cases that involve masses of people, leaving individual consumers with no safety net. This is problematic for privacy groups because despite efforts to educate consumers, they say people are often unaware about possible future consequences of posting this sort of data online.

The FTC is not ignorant of these holes in privacy rights. “HIPAA rules are very specific in terms of what you can and cannot share,” explained Maneesha Mithal, associate director of the FTC’s Division of Privacy and Identity Protection. We don’t have those specific rules.”

Privacy rights advocates are trying to protect consumers by expressing their views to Congress, creating consumer guidelines and meeting with companies that provide these technologies. There is some disagreement among privacy groups about just what should be done to protect consumers, and the dynamic nature of the Web continues to raise new dilemmas. Also, there is an unresolved question over who “owns” information posted online — that is to say, whether it should be those who post the information, those who read it or the companies that provide the data-carrying service.

Several years of legislative efforts went nowhere. In 2006 and again in 2007, former Rep. Patrick Kennedy, D-R.I., introduced bills that would provide financial incentives for the use of personal health records while mandating that the Department of Health & Human Services (HHS) issue privacy standards. Rep. Charles Boustany, R-La., introduced similar legislation in 2008. A 2007 measure from Rep. Edward Markey, D-Mass., focused on privacy for personal health records. None of the legislation made it out of subcommittee.

But privacy advocates seemingly scored a bit of a victory in the 2009 stimulus legislation. A provision of that law tasked HHS, in consultation with the FTC, to develop more specific privacy recommendations for personal health records and related technologies and to report their findings to Congress by Feb. 17, 2010.

But the HHS Office of National Coordinator (ONC) for Health Information Technology, the agency responsible for overseeing the details of the law, has still not filed the report. A spokesman for HHS told iWatch News the department was working on it, but could provide no target date for release.

An ONC spokesperson said the agency has had ongoing discussions with the FTC, the Department of Commerce and HHS Office for Civil Rights, and said the delay in issuing the report “reflects the complexity of the issues at hand and our commitment to thoroughly evaluate these issues with our federal partners to develop strong, fair and consistent recommendations.”

But that rationale isn’t sufficient for everyone.

“It is unacceptable,” said Dixon from the World Privacy Forum. “I think non-HIPAA-covered entities are of critical importance because that’s where all the information is. We need those recommendations sooner rather than later…They need to get this done.”

Harley Geiger, policy counsel at the Center for Democracy & Technology (CDT), a civil liberties research group, said CDT submitted comments and recommendations in July 2010 for the agencies to consider when writing the report.

An ongoing debate

Personal health records have not yet proven particularly popular. An April 2010 study sponsored by the California HealthCare Foundation found that only 7 percent of Americans have ever signed up for personal health records. Google Health announced in June that it planned to get out of the business of providing personal health records at the end of the year.

Patient groups do encourage the use of personal health records, but are nevertheless concerned because the companies that deliver them promise a secure sharing system, yet no government guidelines are in place to regulate them.

How to proceed from here, though, is a source of disagreement. The World Privacy Forum has pushed for the government to broaden HIPAA to include personal health records, while CDT and the Privacy Rights Clearinghouse have urged that separate, specific federal guidelines be put in place.

Specifically, CDT recommends that companies offering personal health records be required to obtain consumer consent to collect, use and disclose data; that they be transparent about relationships with third-party applications and websites and that they authorize federal and state consumer protection authorities to enforce provisions.

Deven McGraw, director of the Health Privacy Project at CDT, pointed out that HIPAA laws have always only applied to specific health care entities. “HIPAA is not the right set of rules [for personal health records] because it’s all geared toward how traditional health organizations have used data,” she said.

There is one regulation for personal health records in the 2009 HIPAA legislation. If a digital medical records provider transmits protected health information to an organization or business partner that is covered by HIPAA, such as a hospital or clinic, then they are considered a “business associate” under the law and therefore subject to the same privacy rules as those they contract with.

For example, Google Health has created partnerships with the Cleveland Clinic and Beth Israel Deaconess Medical Center, and Microsoft has created partnerships with NewYork-Presbyterian Hospital and the Mayo Clinic.

While Microsoft has said it is subject to HIPAA in certain cases, Google has asserted that the company isn’t regulated by HIPAA, and therefore is not a business associate under HIPAA. Instead the company sets up its own privacy standards. Dossia considers itself to be under the rules of HIPAA and says it abides by the standards the law lays out, Mike Critelli, the company’s CEO, told iWatch News.

The companies insist they are not selling their customers’ information, and say they are doing everything possible to ensure the privacy of the health records.

But they have also been trying to influence how regulators may eventually treat such records, according to lobbying disclosure forms reviewed by iWatch News.

Google has interacted with members of Congress regarding the economic stimulus and “health information technology and online privacy,” among a multitude of other issues, as is typical for a large company. The most recent form in which Google reported it had addressed “health information and online privacy” was during the first quarter of 2010, when the company spent a total of $1.38 million on lobbying.

Microsoft declined to comment on lobbying, but records show the company spent $1.72 million during the first quarter of this year lobbying on a myriad of issues, including the security and privacy of Microsoft HealthVault, the firm’s personal records application. Its filings show the firm lobbied both Congress and executive branch agencies, including the FTC and HHS.

Dossia also lists privacy standards and personal health records on its lobbying disclosure forms. The most recent privacy-related lobbying disclosed in the filings was during the first quarter of 2010, when the company spent a total of $80,000.

Critelli, Dossia’s CEO, said he thought personal health records’ issues are less about privacy and more about giving patients control over their own medical information.

He said he thought the system was self-policing, though he said he would support a regulatory system in which firms work with rulemakers to establish regulatory guidelines that are updated through a continuous process.

Help support this work

Public Integrity doesn’t have paywalls and doesn’t accept advertising so that our investigative reporting can have the widest possible impact on addressing inequality in the U.S. Our work is possible thanks to support from people like you.