September 2007 Volume VI, Issue 9
HIPAA and Personal Health Records (PHRs)

Question 7

Recently, health plans, specifically employer-sponsored self-insured group health plans, have started to provide PHRs for their employees and dependents who participate in the health plan. These PHRs are typically accessible from a secure website using a specific user name and password. In addition, one vendor’s particular type of PHR automatically integrates with a health plan’s third party claims administrators, so that when a participant goes to a physician and that physician files a claim with the third party claim administrator, the claims administrator will transmit a copy of the claim to the PHR vendor, and the PHR vendor will then automatically upload the claim into the participant’s PHR.

The PHR and the automatic update process are provided for all participants without their request. However, in order to access the PHR, the participant must sign on to the secure website to view the PHR. If a participant did not want a PHR for some reason, the participant would not be required to view the PHR on the secure website, but it would still be resident in the PHR vendor’s computer system in case the participant changed his or her mind in the future. The PHR is not removed from the computer system, because if it were, the participant’s PHR would not automatically update. If the participant changed his or her mind in the future and wanted the PHR, the PHR would then not contain any updates and would need to be started from scratch.

Because PHRs are provided without the consent of the participant or spouse, does this violate the HIPAA privacy rules?

Proposed Answer

No. Assuming all of the appropriate business associate contracts are in place, a PHR provided by a health plan is part of the health plan’s health care operations activities, and can be created and updated without the consent of the individual who is the subject of the PHR.

Answer

OCR agreed with the answer, and stated that the authorization remains valid unless it expires or is revoked. A state law could impact this outcome, but the state law would have to be evaluated along with the specific facts of the case. Except for specific cases (investigations or enforcement actions) or in addressing requests for preemption exception determinations, OCR does not make determinations as to the application of a state law.

© 2007 DataPath, Inc.