Connecting for Health, a broad industry coalition organized by the Markle Foundation, announced yesterday a framework for PHR privacy protection that could, if fully implemented, bridge the gap from HIPAA protection of PHI in the covered entity and business associate realm to the Wild West environment in the world of PHRs. Parties endorsing the Common Framework for Networked Personal Health Information include Microsoft, Google, payors, providers, IT vendors, and associations from AHIP to AARP.
This framework has been in development for 18 months, and is being touted as the solution to the PHR privacy question — i.e., how can PHR vendors be trusted to keep personal health record information private if they are not covered by HIPAA or other regulatory strictures? The response to date has been, essentially: “Hey, we have a privacy policy.” As these policies, by their terms, may be revised without advance notice, they are (even if they are very good) not much to rely upon.
Since this is a framework rather than a finished product — guiding principles rather than fully-fleshed-out rules — some of the same nagging questions that I have raised before elsewhere at HealthBlawg (as have many others) remain. For example:
- How are privacy policies enforced? Self-policing? Third-party certification? This seems to be up in the air at the moment.
- Is there a mechanism for health care provider certification of records (“chain of trust”), so that PHR information may be trusted by other providers? This seems to be in the works.
There is a tremendous amount of information provided via the links above, and the participants in this effort are to be commended for their undertaking, which has been made necessary by the regulatory vacuum in this field and by the concomitant need to develop public trust in a whole new type of products and services that would otherwise be seen as useful but perhaps too risky. There’s a long road ahead, but this framework puts us several steps down that road.