Heathcare Record Terms of Access

Privacy Protection by Contract

Electronic Medical Record

Some fear the law will not accord adequate privacy to healthcare records managed by non-healthcare companies like Google. I have argued that legal terms posted by a patient in (or in relation to) the patient's healthcare record can enhance legal privacy.

For the sake of public discussion, here is a humble example of what the terms might provide:

---
IMPORTANT

Healthcare Record Terms of Access

Declared and Agreed by Patient

1. I, the patient, have granted one or more third parties (the "Record Manager") power over this record. I have done so because I believe it is beneficial to me relative to my health.

2. These Terms of Access are communicated to anyone, including the Record Manager, accessing or possessing power to access my information in this record.

3. This record may contain my personal healthcare information.

4. These Terms of Access apply to you ("You") unless you are a "covered entity" under the Healthcare Insurance Portability and Accountability Act (HIPAA). You could include the Record Manager.

5. You agree to these Terms of Access, and You agree to abide by them, by doing either of the following:

(a) accessing this record, or

(b) availing Yourself to the conveniences afforded by the Record Manager’s power over this record.

6. I am entitled to privacy for my information in or discerned from this record ("My Information").

7. You agree to keep My Information private and confidential, consistent with norms for covered entities under HIPAA.

8. You agree to give me at least 6-months advance notice (delivered via first-class mail, postage-prepaid) before You change Your privacy policy relative to My Information.

9. You agree to give me notice (delivered via priority US mail, postage-prepaid) before You comply with a subpoena (or similar order) seeking access to My Information.

10. The fact that the Record Manager possesses power over this record does not undermine the legal privileges accorded communications between me and my healthcare providers.

11. You may deviate from these Terms of Access only if:

(a) I agree in a document – printed on paper – and signed by me in ink or by voice signature;

(b) The document clearly explains the deviation to me in plain English; and

(c) From all the circumstances, including the signed document, compelling evidence exists that I knowledgeably and voluntarily approved the deviation.

---

Again, I post this form language just for the purpose of public discussion. These terms are not necessarily complete. Before relying on terms like the above, you may want to seek legal advice. What I say here is not a substitute for legal advice. If you need advice, you should consult a lawyer.

As I learn more about this topic, and hear comments, I may revise what I've posted above. So check back.

--Benjamin Wright

About

Benjamin Wright is an attorney in private practice. He teaches the Law of Data Security and Investigations for the SANS Institute. He is author of The Law of Electronic Commerce (published by Wolters Kluwer) and Business Law and Computer Security (published by SANS). He helps others navigate the law of data compliance, including privacy, e-commerce, e-discovery, cloud contracts, records management and cyber investigations.

He is spotlighted in the book The Devil Inside the Beltway for his uncommonly insightful advice to LabMD in its now famous information security law dispute.

Public Statements Are Not Legal Advice

None of Mr. Wright's public statements, such as remarks on blogs, twitter, youtube web pages, social media and the like, are guaranteed for accuracy or are legal advice for any particular situation. You use the ideas in those statements at your own risk. If you need legal advice, you should consult a lawyer.

Mr. Wright's blogs, updates, tweets, web comments, youtube videos, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer.

Mr. Wright does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Wright has done anything illegal or unethical, he asks that person promptly to telephone him at 1.214.403.6642. Promptness helps mitigate damage.

Any person accessing any of Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Wright's interests.

No Advertisement

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Communication with Mr. Wright via private message does not, in itself, create an attorney-client relationship.

Privacy/Security Vision

Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

IMPORTANT Confidentiality Notice

Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication.

Relationships

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has earned money from some organizations he mentions online, such as Messaging Architects/Netmail, SANS Institute and LabMD.

Attribution

Some images, sounds and font output associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain. Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.

Dallas, Texas. Tel: +1.214.403.6642

2 comments:

AnonymousFebruary 29, 2008 at 9:59 PM
Nice blog but I have a question. How can I patient have control over his record if he don't touch it. also what will happen if any one read that record, I don't think that it will be a big thing.

again Nice blog

______________________________
http://chooselawyer.blogspot.com/
Benjamin WrightMarch 2, 2008 at 11:00 AM
la7oon asked a question: "How can [a] patient have control over his record if he [can't] touch it"?

I suspect there are and will be many, many kinds of electronic patient records. Some may give patients more direct control over the content of their records than others. If a patient can insert words into his record, then he might insert "terms of use" as I have suggested. http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html

Now, if the patient is unable to insert terms into his record, it might be possible for him effectively to communicate the terms just by publishing them in a relevant web site that he does control. I have previously cited the Greer v. 1-800-FLOWERS.COM case for the idea that terms published on a web site might impact a contractual relationship that does not directly involve the web site. For more on extreme contract law, see http://hack-igations.blogspot.com/2008/01/robot-surveillance-contracts.html

[Again, nothing I say on this or any other blog is legal advice for anyone, just a contribution to public discourse.] --Ben

InfoSec & Forensics Law