Showing posts with label Microsoft. Show all posts

Wednesday, June 3, 2009

Microsoft HealthVault: You put your right HIPAA in . . .

In a post today, Sean Nolan, Chief Architect of Microsoft Health Solutions and blogger at Family Health Guy, explains Microsoft's position regarding whether Microsoft HealthVault is required to comply with the privacy standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The blog post, "You put your right HIPAA in . . ." provides some background on the process that Microsoft has gone through to look at the question of whether they are directly required to comply with HIPAA as a "covered entity" or whether they must enter into a "business associate agreement" with other covered entities. Although they don't reach a final definitive conclusion, Microsoft does state that they are now prepared to sign a business associate agreement with any covered entity who concludes that it is important as a part of their compliance and responsibility under HIPAA.

The post also includes a link to the standard Microsoft HealthVault Business Associate Agreement.

The conclusion reached by Microsoft seems like a practical one to this health care lawyer. Anyone who deals with health information has a responsibility to assess whether or not they are a covered entity under HIPAA. They further have a responsibility to be a part of the conversation with those other persons that they deal with who are covered entities as to whether a business associate agreement must be in place. However, the final decision of whether a business associate agreement is required must be made by the covered entity who is responsible for complying with the privacy provisions.

The determination of whether a particular party is a business associate under HIPAA is one that largely depends on the unique facts of the relationship that they have with a covered entity under HIPAA. There is not a blanket determination of whether someone is or is not a business associate for purposes of HIPAA compliance. The questions that must be asked to assess whether a business associate relationship exists under 160.103 and 164.502 are:
  1. Does the person/party "perform or assist" in the performance of a "function or activity" involving the use or disclosure of individually identifiable health information, OR
  2. Does the person/party provide certain "professional services to or for the covered entity" involving the disclosure of individually identifiable health information (as these terms are further defined under the regulations)?

As stated in the post, there are still unclear areas as a result of the ARRA HITECH privacy provisions that will need to be sorted out as we move forward. However, the important issue is to continue to move forward.

Tuesday, April 21, 2009

Microsoft and Mayo Clinic Collaboration: Mayo Clinic Health Manager

Today Microsoft Corporation and Mayo Clinic announced a new consumer online health service called Mayo Clinic Health Manager, built on the HealthVault platform.

The press release states that Mayo Clinic Health Manager provides individuals "a place to store medical information and receive real-time individualized health guidance and recommendations based on the clinical expertise of Mayo Clinic . . . [extending] the capabilities of traditional personal health records, using an individual's health information to generate customized recommendations on which they can act to help them better manage their health and the health of their families."

Learn more from the Media Kit or take a tour.

How does this change the current PHR landscape?

Like others who have been commenting today, I see this as combining the power brand of Mayo Clinic and its guidelines with what appears to be simple PHR tools designed to allow you to record, track, monitor, etc. your health information. However, at this point it still doesn't get over the hurdle of the individual having to individually input their own data.

Will health consumers become engaged to take on this role? Can providers and payors start to feed good data into the system to lessen the burden on the consumer/patient? What role will state and federal payors play in these systems? How will we all address the issues raised by Dave deBronkart (e-patientDave), which have been the center of discussion on the health blogosphere the past couple of weeks?

More questions than answers.

UPDATE (4/23/09): Did Microsoft sign a HIPAA Business Associate Agreement as a part of the collaboration? In HIPAA lawyer jargon the real question is "whether Microsoft is offering a service for or on behalf of the Mayo Clinic and is receiving protected health information." Answer per Microsoft from Neil Versel's Healthcare IT Blog.