Historians often point to the development of penicillin as a revolutionary change in modern medicine. But the World Wide Web, and the major international corporations that help users organize the way they navigate it, is on the cusp of another transformative moment in the evolution of healthcare. If you’ve picked up a newspaper — or more likely read one online — in the last month, you have probably encountered at least one story on Personal Health Records (PHRs) and the controversy surrounding plans by Google, Microsoft, Aetna, and other companies purportedly to give consumers more active control of their healthcare decisions.

On their face, the PHR systems in development by entities better known for computer operating systems and easier online searches for the latest tawdry news about former New York Governor Eliot Spitzer strive to address the new consumerism in healthcare head-on by returning control and access to individual health records directly to the consumer. Critics, however, argue that the very nature of PHRs wrests power away from consumers, and highlight the uncertain privacy protections associated with some programs. While the mainstream media has thoroughly explored the spectrum of risk attached to some PHRs, neither it nor industry-specific news sources (in healthcare or ARM) to date have examined PHRs from a healthcare receivables standpoint. In this context, PHRs still hold the potential for risk and reward on both the consumer and provider sides of the equation, but the terms of those pros and cons change when observed through an economic lens.

Background on PHRs

PHRs are individual health records that incorporate patient data from a variety of sources — doctor and hospital visits, insurance company information, and most notably the consumer himself — that are stored in a central repository, often online, and made accessible to the consumer and those parties he authorizes to retrieve it. The advantage of PHRs to consumers is that they allow healthcare providers in various locations to contribute to a patient’s medical history, while simultaneously allowing the consumer herself to view and add to that record. Whereas in the past records of treatment for the same patient at a hospital in San Francisco and a clinic in Buffalo would have had to be manually compiled, routinely by facsimile if at all, PHRs afford providers in both cities the opportunity to view a complete medical history, almost in real time.

Critics of PHRs note, however, that third-party hosts of consumer health information do not equally afford privacy assurances and many such systems are not subject to the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA), enacted by Congress in 1996. As the federal law that provides the foundation for governing the security of private medical information, HIPAA regulates “covered entities” under the law, not health records themselves. In general, covered entities include health insurers, healthcare providers, and medical clearinghouses. Collection agencies that work delinquent medical accounts are also subject to HIPAA regulations. But HIPAA provisions do not attach to a patient’s medical record, and vendors like Google or Microsoft Corporation, both of which have launched major PHR pilot programs in the last six months, are not bound by HIPAA statutes. As a result, opponents of PHRs, including Texas-based Patient Privacy Rights, and The World Privacy Forum (which recently commissioned a report on PHRs), contend that in the absence of HIPAA safeguards, commercial PHR providers could be vulnerable to data security breaches that would compromise consumers’ personal medical information without any federal enforcement mechanism for the privacy infringement.

A recent survey of healthcare IT managers conducted by Cisco Systems showed that data security was among the managers’ highest priorities, as reported by The Wall Street Journal. Further data revealed that of those surveyed, almost 25 percent had reported a security breach in the last year. Complicating this information is the concern among medical IT professionals that internal breaches, cited by 51 percent of managers, are a greater risk than external threats to private data, cited by 12 percent. To wit (although the circumstances might be slightly extraordinary), the Los Angeles Times said last week that UCLA Medical Center will fire 13 (non-M.D.) employees, and discipline 12 others (several of whom are doctors) for snooping into the computerized health records of troubled pop star Britney Spears, who was admitted to UCLA MC twice in the month of January for psychiatric evaluations.

