HIPAA Expands to Personal Health Records — Just Not Google's or Microsoft's
Posted Apr 09 2009 6:21pm
This topic comes up so many times, but most in IT realize the security standards used by Google and Microsoft far exceed those established by HIPAA. The group that is particularly bothersome to me, and that is not under the auspices of HIPAA, is the database information from the Pharmacy Benefit Managers, which is the information on all the medications we take. That information has been sold at a profit, and I don’t see why it is not better regulated for privacy; after all, medications and our history thereof constitute part of a medical record. That information is also used by insurance companies to accept or deny coverage. So again, why we worry so much about Google and Microsoft, who protect the enterprise, is a bit beyond me; the PBM data worries me a lot more in not having any privacy regulations.
One other item that comes to mind as well: do the HIPAA police exist? I realize the databases were originally created to help pharma with their marketing of drugs, so they could see which doctors were prescribing which medications and target physicians to increase sales. But now that we have found a beneficial use for the information, such as importing it into a personal health record, can we please think about some HIPAA privacy issues here so our medication rap sheets are not for sale? Those are my thoughts on the matter, and maybe the entire HIPAA policy should be totally rewritten so we could start fresh. When it comes to privacy, I see this as a bigger area of concern than worrying about Google and Microsoft at this point; again, they protect the enterprise, and the government security standards don’t get much higher than that. BD
Those HIPAA changes came courtesy of the American Recovery and Reinvestment Act of 2009, also known as the economic stimulus law. One provision ostensibly makes third-party data repositories, personal health records and health information networks into business partners of care providers and health plans, requiring them to follow the same rules as everyone else.
If a company wants to act like the law doesn’t apply to its stewardship of patient data, why exactly would anyone entrust that company with their personal health information?