Friday, October 17, 2008

The Rise of the Personal Health Record

The October edition of the Health Lawyers News, a publication of the American Health Lawyers Association (AHLA), contains an article I co-authored with Jud DeLoss, a principal in the law firm of Gray Plant Mooty, who blogs at Minnesota Health IT. On the eve of the Health 2.0 Conference next week the article provides a look at some of the legal issues around PHRs.

The article, The Rise of the Personal Health Record: Panacea or Pitfall for Health Information (pdf version), provides an introductory background on the changing world of PHRs, highlights Health 2.0 and covers some of the legal implications and compliance issues for PHRs. We are working on a longer and more detailed analysis that will be turned into a Member Briefing for the Health Information and Technology Practice Group. I would appreciate your posting a comment on topics or legal implications that we might consider covering in the full Member Briefing.

If you are a health lawyer, law student interested in health law or otherwise interested in the legal aspects of the health care industry and not already a member of AHLA -- think about joining. The AHLA is at the top of my professional associations for written resource material, member briefings, in person programs, listserves and collaboration with health lawyer colleagues.

The Rise of the Personal Health Record: Panacea or Pitfall for Health Information

I. Introduction
Giant bytes have been taken out of the personal health record (PHR) market by technology companies like Google, Microsoft, Dossia, and others on a mission to connect consumers with their health information. If successful, the efforts by these and other Health 2.0 technology companies could transform the health care industry. It is too early to say whether the PHR will be the catalyst for health care reform; however, we can explore what may lie in the wake if a consumer-focused PHR revolution occurs.

Technological changes in health information management are altering the way in which patients and health care providers maintain, use, control, and disclose health information. We are experiencing a paradigm shift from the current decentralized system of records maintained by multiple entities at multiple locations – often with conflicting and duplicative information – to a centralized system relying on personal health information networks (PHINs), regional health information networks (RHIOs) or national health information exchanges (HIEs).

In the 21st Century, our health care system has become more fragmented and specialized. Patients seek services from a variety of providers – from family care providers to specialists. Moreover, as individuals move from city to city and state to state, they leave a trail of partial medical records with various providers, insurers, and others.

The rise of electronic medical records (EMRs), electronic health records (EHRs), RHIOs, and HIEs reflects a need to address the increasing complexity of maintaining and sharing health information. PHRs may be the disruptive technology providing an alternative to a complex system of interconnected interoperable health information systems, often among health care stakeholders who have conflicting and competitive interests.

A. PHRs Defined
The Office of the National Coordinator for Health Information Technology (ONC) defines a PHR as “an electronic record of health related information on an individual that conforms to nationally recognized interoperability standards and that can be drawn from multiple sources while being managed, shared and controlled by the individual.”[2]

The ONC report highlights the growing importance of PHRs to facilitate the participation of individuals in their own care and wellness activities. Encouraging individuals to become engaged in their health care, and providing the means to document, track, and evaluate their health conditions, a PHR can lead to more informed health care decisions, improved health status, and ultimately, reduced costs and improved quality of health care. The PHR is broader than a medical record and contains any information relevant to an individual’s health, including diet and exercise logs, a list of over-the-counter medications, and personal information.

PHRs are distinguishable from EMRs and EHRs. A key distinction is that a PHR is under the patient’s control. The individual patient is the ultimate guardian of information within a PHR. Portability is another distinguishing characteristic of the PHR. The goal of a PHR is to be a lifelong source of health information for an individual.

B. History of PHRs
According to Wikipedia, the earliest article mentioning PHRs is dated June 1978. Wikipedia also mentions that most articles written about PHRs have been published since 2000. In its November 2001 report, the National Committee on Vital & Health Statistics (NCVHS) mentions PHRs and the growing consumer use of Internet-based health information services.[3]

Early on, PHRs were used in a rudimentary fashion as a way for individuals to track their own specific health care information. First generation PHRs can be categorized as either stand-alone PHRs, requiring patients to gather and enter their own information, or tethered PHRs, provided by a health plan, provider, or employer sponsor who populated the PHR with information.

The past twelve months mark a new era of increased activity. Call it a second generation of PHRs or PHR 2.0. The advancement is led by the entrance of large technology companies, such as Google with Google Health and Microsoft with HealthVault, into the PHR marketplace. PHR 2.0 is not merely a data collection application, but rather a platform for the electronic aggregation and storage of health information as well as the foundation for various applications.

At the federal level, ONC also is focusing on patient-centered health care. Released in June 2008, the ONC - Coordinated Federal Health Information Technology Strategic Plan: 2008-2012 serves as the guide to coordinate the federal government’s health information technology (HIT) efforts to achieve a nationwide implementation of an interoperability health information system.[4] A critical goal is to create “patient-focused health care” through the promotion of the deployment of EHRs and PHRs and other consumer HIT tools.

C. Social Networking and Health 2.0
The transformation to a PHR-based health information system is fueled by the intensifying interest in web-based social networking and the Health 2.0 movement. The increasing adoption of social networking and lightweight web-based tools among the general public may create a willingness to have and utilize PHRs. There are various technology players positioning themselves to create the “killer PHR application” to become the default standard for industry and the personal portal for each patient’s personal health information.

The definition of the Health 2.0 movement is still being refined.[5] Jane Sarasohn-Kahn, of THINK-Health, defines Health 2.0 as “the use of social software and its ability to promote collaboration between patients, their caregivers, medical professionals and other stakeholders in health.”[6] Early use of the Internet for health care was limited to the distribution and search for health information. The read-only World Wide Web has been transformed into the World “Live” Web. Today, user-generated content is being created by businesses, professionals, and ordinary people at lightning speed through social media tools such as blogs, wikis, collaborative websites, and a variety of web-based products.

Online health social networking and software as service models harness the positives of networking and collective intelligence to generate a new level of collective knowledge. Whether it is patients sharing observations on chronic conditions,[7] physicians globally exchanging clinical information and insights,[8] human powered health service searching,[9] online consulting,[10] or promoting transparency through tools for organizing, managing, and comparing health care paperwork[11] -- the Health 2.0 movement is creating business models and becoming a catalyst for improving efficiency, quality, and safety of health care.

D. The Common Framework for Networked Personal Health Information
Recently the Markle Foundation announced the Common Framework for Networked Personal Health Information,[12] which has been endorsed by a collaborative group of providers, health insurers, consumer groups, and privacy groups. The framework outlines a set of practices to encourage appropriate handling of personal health information as it flows to and from PHRs.

The framework uses the term “consumer access services,” which it defines as an emerging set of services designed to help individuals make secure connections with health data sources in an electronic environment. Consumer access services are likely to provide functions such as authentication as well as data hosting and management. The framework also provides analysis of the application of HIPAA to consumer access services.

II. Ownership of Health Information
The shift to a patient-centric PHR from a provider based record raises traditional property law issues. As health information becomes networked and technology allows for health information to be transferred more easily, the lines of ownership of health information become further blurred.

Health information is often viewed under the traditional notion of property as a “bundle of rights,” including the right to use, dispose, and exclude others from using it.[13] This legal application of historic property law may not be well suited to today’s health information where patient information is shared via a variety of formats, copied, duplicated, merged, and combined with other patient records into large scale databases of valuable information.

Who owns health information? The physician? The insurer? The patient? Under the traditional rule, providers own the medical records they maintain, subject to the patient’s rights in the information contained in the record.[14] This tradition stems from the era of paper records, where physical control meant ownership. Provider ownership of the record is not absolute, however. HIPAA and most state laws provide patients with some right to access and receive a copy of the record, along with amendment and accounting of disclosures.[15]

The PHR model, where all records are located and maintained by the patient, flips and realigns the current provider-based model of managing health information. Instead of provider-based control, where the provider furnishes access to and/or copies of the record and is required to seek patient authorization to release medical information, the PHR model puts the patient in control of his medical information.

III. Legal Liability and Compliance Issues Associated with PHRs
PHRs open the door to a wide range of new and modified legal claims. PHR stakeholders should recognize and address the negative implications to avoid long-term problems. These, of course, must be balanced against the liability risks of not adopting an available technology designed to improve the quality of health care.

A. Medical Malpractice
Medical malpractice cases address whether: a patient-physician relationship was created; the treatment provided was within the standard of care; a breach of the standard of care was causally related to the injury; and the patient was injured.[16]

Seeking to prove or disprove these elements raises the issue of whether the PHR would be relevant as evidence against a provider. Generally speaking, if the data within the PHR was provided to or accessible by the provider then the evidence is admissible.[17]

Many providers have expressed concerns over the accuracy and completeness of PHRs if controlled by patients. Whether the information is credible is a legitimate question. On one hand, a patient would not want to jeopardize his or her health by including inaccurate information. On the other hand, it is well known that patients often withhold sensitive and possibly embarrassing information.

Moreover, with the advent of electronic discovery under Federal and State Rules, the production of PHRs in their electronic form could impact evidentiary issues. Health 2.0 and other social networking sites suddenly become fair game for defense lawyers seeking to discredit patients’ claims. Patients may attempt to refer to those same records and other portions of their PHR as examples of treatment modalities approved by other medical providers. Plaintiffs’ lawyers may also investigate the potential for utilizing the collective knowledge of the types of treatments suggested online within the patient networking sites as evidence of the standard of care. In essence, the possibility exists to use PHRs as the “expert” to support or reject claims of malpractice.

B. Defamation and Invasion of Privacy
Generally, a claim of defamation requires the publication of a false statement that harms the plaintiff’s reputation or esteem in the community.[18] Accordingly, PHRs which are solely accessible by the individual or upon the invitation of the individual may not create a cause of action for defamation. However, those PHRs that include communication with other individuals or providers may provide the publication necessary to satisfy that element.

Defamation based upon online communication is fairly new. Typically, such claims have involved false celebrity information posted on the Internet.[19] Arguably, where an individual uses a PHR to publish false information, an analogous claim could be pled.[20]

Generally, the tort of “invasion of privacy” encompasses four claims: (1) intrusion upon the plaintiff’s seclusion; (2) appropriation of the plaintiff’s name or likeness; (3) publicity of the plaintiff’s private life; and (4) publicity placing the plaintiff in a false light.[21] The improper disclosure of health information contained within the PHR may form the basis for one or more of these claims. Each of these claims involves the use or disclosure of private information – such as health information – concerning a person. If wrongfully used or disclosed, those responsible for the use or disclosure, as well as those responsible for protecting the PHR, may face potential liability.

C. Discrimination and Improper Disclosure
HIPAA prohibits impermissible uses and disclosures of protected health information. Although individuals are free to use and disclose their own information as they see fit, appropriate firewalls need to be constructed where, for example, employer-sponsored health plans are providing PHRs. Information in the PHR should not flow from the plan to the plan sponsor nor should it be used for employment purposes.

In addition to HIPAA, employers – and possibly insurers – must consider the implications of the Americans with Disabilities Act, the Family and Medical Leave Act, and similar State laws. The laws offer protection to employees from access to employee health information and discrimination based upon that information.

D. Breach of Contract
Despite the disclaimers and protections set forth in user agreements, it may be possible for an individual to argue that some protections arise through the agreement itself. While user agreements tend to be drafted almost entirely in favor of the PHR vendor or provider/plan, these documents may contain limited rights in favor of the individual. The individual could bring an action for breach of those rights in the event of a violation.

E. HIPAA Compliance
Most PHR vendors have taken the position that HIPAA does not apply to them. PHR vendors generally do not qualify as covered entities. Such vendors take the position that they are not business associates because they are not providing services on behalf of covered entities but rather have a relationship with the patients. Moreover, the patient releases information to or creates information in the PHR, and HIPAA does not regulate individuals’ use and disclosure of their own information.

The contrary position is that many of the PHRs are now linked directly with covered entities to allow the health information to be transferred. Several high profile relationships have been announced relating to collaborations between PHRs and medical facilities to provide PHRs for patients.[22] The collaborations should be reviewed to determine whether a business associate relationship has been created.

There has been recent activity to expand the reach of HIPAA to encompass PHRs. Federal and State proposals also may address privacy and security concerns separately. In the interim, private initiatives, by the Markle Foundation and others, propose a voluntary framework to protect health information.

F. State Laws
Many States have enacted breach notification requirements and other consumer protections, which raise new issues with respect to PHRs. Some states, e.g., California, have expanded the breach notification rules to specifically cover health information. These regulations must be addressed with respect to PHRs.

Finally, many states have promulgated regulations addressing the movement towards health information exchange. Many recognize “record locator services” or other similar entities that may contain health information or act as an intermediary for locating such information.[23] These State laws may be implicated by PHRs.

G. Stark and Fraud and Abuse
The Federal Stark Law prohibits certain referrals for Designated Health Services (“DHS”) by a physician to an entity with which he/she has a financial relationship.[24] In addition, the Anti-Kickback Statute prohibits remuneration in exchange for the referral of a patient for services covered by a Federal health program.[25] The violation of these laws may provide the basis for a claim under the Federal False Claims Act.[26] State laws may provide additional restrictions and prohibitions.

Recently, a number of health plans and systems have begun to offer PHRs to patients and providers. Currently, the Stark exception and Anti-Kickback Statute safe harbor expressly allow only for EHR and electronic prescribing to be donated. PHR donation may not be protected.

In addition to the practical issues associated with the donation and use of PHRs, new avenues of identifying fraud and abuse are being opened with discovery involving PHRs. Federal investigators and qui tam litigators may turn to PHRs to prove treatment that was billed for may not have been provided. In addition, the compilation of information via Health 2.0 raises the specter of data aggregation to establish fraud over a large population of patients.

PHRs bring a new dimension to the debate over how to create an interoperable health information network. The shift of power into the hands of patients could bring about a sustainable model. Before proceeding with the expansion of PHRs, the legal implications that go along with such an adoption should be addressed.

Bob Coffield is a member of Flaherty, Sensabaugh & Bonasso, PLLC in Charleston, West Virginia. Bob is also a Co-Chair of the Privacy and Security Compliance and Enforcement Affinity Group, a part of AHLA’s Health Information and Technology Practice Group.

Jud DeLoss is a principal with the law firm of Gray Plant Mooty in Minneapolis, Minnesota. Jud is also a Vice Chair of the AHLA’s Health Information and Technology Practice Group.

[1] Mr. DeLoss thanks Bryan M. Seiler, a Summer Associate at the firm, for his assistance in this article. Mr. Seiler is a third year student at the University of Minnesota Law School.
[2] National Alliance for Health Information Technology, Defining Key Health Information Technology Terms, April 2008.
[3] Report and Recommendations From the National Committee on Vital and Health Statistics, Information for Health, A Strategy for Building the National Health Information Infrastructure, November 15, 2001.
[4] ONC-Coordinated Federal Health IT Strategic Plan: 2008-2012 (June 3, 2008).
[5] Health 2.0 Wiki.
[6] California Healthcare Foundation, The Wisdom of Patients: Health Care Meets Online Social Media, Jane Sarasohn-Kahn, M.A., H.H.S.A., THINK-Health, April 2008.
[7] E.g., Patients Like Me; Daily Strength; SugarStats; Revolution Health.
[8] Sermo.
[9] Organized Wisdom.
[10] American Well.
[11] change:healthcare; Quicken Health.
[12] Markle Foundation, Connecting for Health, Connecting Consumers Common Framework for Networked Personal Health Information, June 2008.
[13] Christiansen, John R., Why Health Care Information Isn’t Property – And Why That Is to Everyone’s Benefit, American Health Lawyers Association, Health Law Digest, 1999.
[14] Alcantara, Oscar L. and Waller, Adelle, Ownership of Health Information in the Information Age, originally published in Journal of the AHIMA, March 30, 1998.
[15] E.g., 45 C.F.R. § 164.524.
[16] See, e.g., Nogowski v. Alemo-Hammad, 691 A.2d 950, 956 (Pa. Super 1997).
[17] See, e.g., Breeden v. Anesthesia West, P.C., 656 N.W.2d 913 (Neb. 2003) (nurse’s electronic note on patient condition which would have prevented administration of anesthesia should have been reviewed by anesthesiologist despite no verbal or handwritten report by nurse).
[18] See, e.g., Mahoney & Hagberg v. Newgard, 729 N.W.2d 302 (Minn. 2007).
[19] See, e.g., Carl S. Kaplan, Celebrities Have Trouble Protecting Their Names Online, Cyber Law Journal (July 30, 1999).
[20] See, e.g., Churchey v. Adolph Coors Co., 759 P.2d 1336 (Colo. 1988). See also Restatement (Second) of Torts § 577, cmt. k (1977).
[21] See, e.g., Werner v. Kliewer, 238 Kan. 289, 710 P.2d 1250 (1985); Humphers v. First Interstate Bank, 298 Or. 706, 696 P.2d 527 (1985). See also Restatement (Second) of Torts § 652 (1977).
[22] E.g., Google Health with Cleveland Clinic and Microsoft HealthVault with Mayo Clinic.
[23] See, e.g., Minn. Stat. § 144.291, Subd. (i).
[24] 42 U.S.C. § 1395nn(a).
[25] 42 U.S.C. § 1320a-7b(b).
[26] 31 U.S.C. § 3729.


Anonymous said...

While it could theoretically be great for patients and doctors, why do I suspect such information will be of most use to health care corporations in their relentless quest to increase profit margins?

Gerard Szatvanyi said...

That is a very interesting topic. Actually, Gartner analysts predict that, by 2009, healthcare investments in IT will increase by more than 50 percent, which could enable clinicians to reduce the level of preventable deaths by 50 percent by 2013. Of course, nowadays most healthcare organizations have already invested in IT outsourcing, for anything from Telco and Wireless, to Application Data Development (i.e. LIMS, SOA), or even Business Process Management.
We’ve put together a detailed white paper on these subjects: . What is your experience with IT outsourcing in healthcare? Are these figures close to your personal experience or do you think there are certain issues we’ve missed covering? I strongly appreciate your professional opinions.