Paging Dr. Google: personal health records and patient privacy.

Author: McCarthy, Colin P.

TABLE OF CONTENTS

INTRODUCTION
I. THE NEW AGE OF MEDICAL RECORDS
  A. Traditional (Paper-Based) Medical Records
  B. Electronic Medical Records, Personal Health Records, and Health Information Exchanges
    1. Electronic Medical Records
    2. Personal Health Records
    3. Health Information Exchanges
  C. Benefits and Potential Problems of Personal Health Records
II. THE CURRENT STATE OF HEALTH CARE PRIVACY LAW
  A. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    1. What is HIPAA?
    2. The Privacy Rule
    3. The Security Rule
  B. HIPAA and PHR Vendors
III. WHAT SHOULD BE DONE TO PROTECT PHR PRIVACY?
  A. Why Should PHRs Be Afforded Privacy Protection or Regulation?
  B. The Ineffectiveness of FTC Enforcement of PHR Vendor Privacy Policies
  C. Amend HIPAA To Include PHR Vendors as Covered Entities
  D. New Federal Law To Govern PHR Privacy and Security
CONCLUSION

INTRODUCTION

Imagine the following scenario: John, a fifty-three-year-old attorney from Virginia, is on vacation in California visiting friends he has not seen since law school. While out at dinner, John appears to have a stroke, and his friends rush him to the nearest hospital. John arrives at the emergency room unresponsive. His friends, knowing nothing of John's medical history, cannot tell the emergency room doctors some vital information that would be helpful for John's diagnosis. John is deteriorating. Without time to wait for lab results, the emergency room doctor administers an appropriate amount of Heparin, a commonly used anticoagulant, to counteract the effects of the stroke. (1) Unfortunately, the treatment has an adverse effect, causing John to bleed internally. John dies shortly after his arrival at the hospital, leaving his friends distraught and his doctors scratching their heads.

What is wrong with this story? Strokes are common medical problems, and modern medicine has advanced to the point where having a stroke is not normally a life-threatening occurrence. John did not die from a stroke; he died from a lack of information. John's friends did not know that two years prior, John had a Mitral valve replacement and had been on prescription Coumadin, a blood thinner, ever since. John could not convey this information to anyone as he was unconscious. The doctor had no access to John's medical records, stored at a hospital in Virginia, which clearly document John's prior procedures and current prescriptions. With this information, John's doctor could have chosen an alternative mode of treatment, and John would have survived.

Doctors and other medical professionals rely on information supplied by the patient and the patient's medical record in making their decisions. A patient's medical record gives a doctor all of the relevant information needed to make an informed and calculated decision about the patient's care and allows the doctor to take into account many factors, including preexisting conditions, prescriptions, changes in diet, and family medical history, among others. With this information, a patient's doctor can perform the medical calculus and decide the best course of treatment for the patient.

Recently, a new tool has been introduced that aims to make John's unfortunate story a thing of the past: the personal health record (PHR). A PHR, though a new concept without a uniform definition, has been characterized as "an electronic record of individually identifiable health information on an individual that is drawn from multiple sources and that is managed, shared, and controlled by or for the individual." (2) In essence, a PHR is a medical record owned by the patient, not her doctor or hospital, that can be accessed, usually via the Internet, by the patient, her health care providers, insurance companies, and others to whom the patient authorizes access. Two prominent examples of online PHRs are Google Health (3) and Microsoft HealthVault. (4) The patient may contribute to the PHR by providing information such as prescriptions, allergies, and diet. (5) A patient's health care providers contribute to the PHR by uploading, at the patient's request, copies of her electronic medical records directly into the PHR system. (6) This collaboration is intended to result in a more complete, easy-to-use, and manageable medical record accessible from anywhere with Internet access.

Although PHRs have many potential benefits, there are concerns about the privacy and confidentiality of the data stored within them. (7) This Note will focus on an important question currently in debate in the health care and privacy law fields: how the adoption of PHRs will affect the privacy of patients' health information. There is concern that PHR vendors, such as Google and Microsoft, are not governed by the strict privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (8) and are held to no other standard in safeguarding patient data stored on their servers. (9) This Note will address and analyze these concerns. Part I will discuss the new age of medical records, in which PHRs will play an important part. Part II will analyze the current state of health care privacy law and its application to PHRs. Part III will set forth the argument that PHRs should be subject to the same or similar privacy regulations as other forms of medical records and will analyze two possible solutions to the problem: (1) amending HIPAA to make PHR vendors comply with its requirements, and (2) enacting a new federal law to promote the use of PHRs while also putting safeguards in place to protect patients' confidential medical data through administrative regulations.

  I. THE NEW AGE OF MEDICAL RECORDS

    As early as 2001, legal scholars expressed hope for a new age of medical records, easily accessible to both patients and doctors:

    An ideal medical record would be Internet-based, but only available to physicians upon consent of the patient or in a bona fide emergency. The record could be electronically segregated into sections allowing various health care providers and others access on a "need to know" basis. The patient should have full "read-only" access to the official record, and only licensed health care providers should be able to enter information in the record, to ensure the accuracy of the record. The record could however contain a patient section allowing the patient to enter self-recorded weight and blood pressure, frequency and severity of headaches, and other similar information. Such information could even be entered electronically via biometrics devices. (10)

    In 2004, President George W. Bush announced his goal that most Americans would have electronic health records in ten years, envisioning that such a system would be easier for patients to use and understand, while giving medical professionals ready access to vital information about their patients. (11) More recently, in the 2008 presidential campaign, then-candidate Barack Obama focused on health care technology, supporting a move to electronic medical records so that doctors have "easy access to all the necessary information about their patients" and can "reduce costly medical errors." (12) The Department of Health and Human Services (HHS) has stated that health information technology (HIT) can reduce health care costs each year by saving time and reducing duplicative efforts. (13)

    A. Traditional (Paper-Based) Medical Records

      From the age of Hippocrates, a patient's medical record has been considered a severely private document. (14) The Supreme Court has recognized a constitutional "right of privacy," (15) including the right to avoid "disclosure of personal matters," (16) which has been interpreted to include a person's medical records. (17) Professional ethics rules require physicians to hold information about their patients in confidence. (18) Privacy of medical records is taken seriously for good reason: a patient's medical record includes a wealth of information about the patient, including personal, (19) financial, (20) social, (21) and medical data. (22) A patient's medical record will also include administrative information such as consent and authorization forms. (23)

      Traditionally, all of this data would accumulate over years in a patient's paper medical record, resulting in stacks of manila folders in a file cabinet at the patient's doctor's office, hospital, or other health care facility. With hundreds and thousands of different patients, all with their own lengthy records, storage and security of this vital information pose a serious consideration for health care facilities. (24) On one hand, a patient's record needs to be easily accessed by their provider; on the other, it must be secured from unauthorized access. (25) Although storing medical records in digital form does not completely eliminate the problem of unauthorized access, (26) electronic medical records may be monitored and audited more easily than paper records.

    B. Electronic Medical Records, Personal Health Records, and Health Information Exchanges

      1. Electronic Medical Records

        In recent years, health care providers have been moving away from traditional paper-based medical records to electronic medical records (EMRs) (27)--medical records created and used by medical providers in electronic form. (28) An EMR contains all of the information a traditional paper-based medical record does but without the problems inherent in a paper-based system, such as illegible physician handwriting, insufficient physical storage space, and lack of security. Each health care provider maintains its own EMRs--physician's offices maintain their EMRs, hospitals maintain their EMRs, and so on. Herein lies the inadequacy of stand-alone EMRs: they do not follow the patient. In John's case, his doctors had no access to the EMR on file with his hospital at home in Virginia--the EMR that clearly and prominently noted his prescriptions and other information that would have saved John's life.

        EMRs generally incorporate...
