Connecting for Health, a broad industry coalition organized by the Markle Foundation, announced yesterday a framework for PHR privacy protection that could, if fully implemented, bridge the gap from HIPAA protection of PHI in the covered entity and business associate realm to the Wild West environment in the world of PHRs. Parties endorsing the Common Framework for Networked Personal Health Information include Microsoft, Google, payors, providers, IT vendors, and associations from AHIP to AARP.
Since this is a framework rather than a finished product — guiding principles rather than fully-fleshed-out rules — some of the same nagging questions that I have raised before elsewhere at HealthBlawg (as have many others) remain. For example:
- How are privacy policies enforced? Self-policing? Third-party certification? This seems to be up in the air at the moment.
- Is there a mechanism for health care provider certification of records (“chain of trust”), so that PHR information may be trusted by other providers? This seems to be in the works.
There is a tremendous amount of information provided via the links above, and the participants in this effort are to be commended for their undertaking, which has been made necessary by the regulatory vacuum in this field and by the concomitant need to develop public trust in a whole new type of products and services that would otherwise be seen as useful but perhaps too risky. There’s a long road ahead, but this framework puts us several steps down that road.