Computer World has an article up about online personal health records (PHR) systems, and a report which claims that they pose risks to consumer privacy. The premise of the report (and the article) is intriguing: online PHR systems could be a new type of business model which might undermine privacy and security rules governing traditional health care providers (particularly HIPAA). Happily (from a privacy standpoint), both the article and the report it is based on fail to make a case that PHR systems represent a new, serious hole in the privacy regime created by HIPAA. The biggest problems I had are that the report simply assumed that PHR systems are outside of HIPAA, and that it assumed that PHR systems which fall outside of HIPAA aren't required to comply with HIPAA's regulations. First, I'm not sure how many PHR systems actually fall outside of HIPAA. HIPAA doesn't just cover health care providers, it also covers health plans and health care clearinghouses. Before I become excited about PHR systems evading regulations covering health care providers, I would want to know whether they systems in question are part of one of the other categories of covered entities under HIPAA. Second, even if a PHR system isn't a covered entity under HIPAA, it might be required to comply with HIPAA due to its contracts with entities which are covered entities. Indeed, the HIPAA rules specifically require that covered entities enter into such contracts with certain of their business associates (e.g., 45 C.F.R. 164.314(a)(1) "Business Associate Contracts and Other Arrangements"). Again, the report simply didn't consider to what extent the hypothetical hole in HIPAA might be closed by the business associate portions of the regulations.
As a note, none of the above is meant to say that there aren't privacy risks involved in online PHR systems. For example, as the report notes, PHR systems represent one more repository of data which is subject to security breaches. Further, when you transmit data to such systems, it might be captured, either via snooping on a network, or via software like a keystroke logger installed on a local computer. However, neither of those risks have anything to do with HIPAA, and would be the same even if PHR systems were undeniably covered. Thus, while there are privacy concerns with PHR systems, the article didn't make the case that a HIPAA loophole is one of them.