Healthcare e-Records Law
As Google jumps into the competition to provide electronic health records, the World Privacy Forum frets that the management of health records by non-healthcare companies will undermine the legal privacy accorded to the records. The WPF warns that because HIPAA protection may not apply to Google-managed records, patient privacy will suffer.
* By accessing the record (or by availing oneself of the conveniences afforded by the vendor’s management of the record), the person accessing it agrees by contract to abide by the terms.
* Vendor agrees to notify patient before vendor complies with a subpoena (or similar order) seeking patient’s records.
* Vendor agrees to refrain from disclosing patient's record to third parties for commercial or marketing purposes.
* The fact that the record is in the hands of the vendor does not undermine the legal privileges accorded communications between patient and physician.
* And so on.
The Greer case illuminates the power of contract law in this electronic age. This power is just as much available to individuals as it is to corporations.
Is this contract-law power perfect for protecting patient privacy? No. But it is substantial. And it can be supported in court by good public policy arguments. Further, many parties will honor terms of access for non-legal reasons, such as ethics, politics or public reputation.
The law of healthcare privacy is very complex. HIPAA does provide certain protection, but HIPAA is subject to many exceptions and nuances. The array of protections that apply to records managed by HIPAA-regulated healthcare providers is far from ideal.
Many patients may be attracted to records services from vendors like Google. As patients embrace these vendors, contract law affords patients power to take proactive steps to enhance their privacy.
I have written an example of Healthcare Terms of Access that a patient could post on his health record.
See my further discussion of privacy contract terms with Google and my further discussion of privacy contracts formed with automated systems.
--Benjamin Wright, Senior Instructor on Computer Privacy Law at the SANS Institute.
[The foregoing is not legal advice for anyone, but it is something to think about.]