HIPAA-potamus

In one of those classic "if I had a nickel" things ... you have no idea how many times I get asked if HealthVault is "covered" under HIPAA.

The short answer to that question is, very simply, NO. HealthVault is neither a covered entity nor a business associate as defined by HIPAA. But the more complete answer requires a few more words.

HIPAA was designed to regulate the flow of health information when it is out of the patient's direct control -- for example, when it is forwarded to third-party billing services by a provider. At the same time, the HIPAA authors recognized clearly that patients have a right to a copy of their own information, and they built into the legislation an explicit mechanism that allows for patients to request and receive that copy.

The obligations that HIPAA places on covered entities and business associates do not apply to the copy under the patient's control, because the patient is in the best position to decide which parts of their information they want to share, and with whom they want to share it.

HealthVault is, very simply, a tool for individual patients to manage health information that is under their control. The rules and choices around how that information is shared are under the exclusive control of the patient. When information is sent from a covered entity into a HealthVault record, it is done at the explicit request of the individual.

We believe strongly that not only is this approach completely in line with the intent of HIPAA regulation, but it is essential in order for patients to truly be empowered with their own information.

So is this a "get out of jail free" card for HealthVault? No way -- the obligations we have taken on around patient privacy, data security and third-party audits are frankly far more stringent than those that HIPAA-covered entities are required to adhere to. And if we don't deliver on those obligations -- we're out of business. That's a pretty strong motivation for us to do a good job.

Together with our legal team, we finally got our act together to publish a position paper that describes in detail why our assessment here is correct. If patient privacy is your thing, I encourage you to check it out.

Once again, our cards are on the table -- and we are confident we are doing the right thing. If you have any questions, ask them here and I will do my best to get a clear answer.