Microsoft HealthVault and HIPAA
May 2008
The Microsoft HealthVault team is often asked about our approach to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA). Given the status of HIPAA as the prevalent current federal legislation pertaining to the privacy and security of health information, this is a natural and important question. We have prepared this document as a concise, clear explanation.

Succinctly stated: Microsoft HealthVault is not a covered entity or business associate as defined by HIPAA. The remainder of this whitepaper provides a detailed analysis of why this is the case, but the “lay” explanation is quite simple. HIPAA was designed to regulate the flow of health information when it is out of the patient’s direct control—for example, when it is forwarded to third-party billing services by a healthcare provider. At the same time, the HIPAA authors clearly recognized that patients have a right to a copy of their own health information, and built into the legislation an explicit mechanism that allows patients to request and receive that copy. The obligations that HIPAA places on covered entities and business associates do not apply to the copy under the patient’s control, because patients are in the best position to decide which parts of their information they want to share, and with whom they share it.

HealthVault is, very simply, a tool for individual patients to manage health information that is under their control. The rules and choices around how that information is shared are under the exclusive control of the patient. When information is sent from a covered entity into a HealthVault record, it is done at the explicit request of the individual. Microsoft strongly believes that not only is this approach completely in line with the intent of HIPAA, but it is also essential in order for patients to truly be empowered to more easily access and control the use and disclosure of their health information.
Why HealthVault is not a covered entity
The HealthVault platform offers:
- An online storage facility for consumers to keep health-related information.
- A set of features consumers can use to collect, view, share, and transfer health-related information.
- A set of features various health-related service providers can use to offer their consumers services connected with their customers’ health-related information stored in HealthVault.
HIPAA covers healthcare organizations. HealthVault is a Web-based service that is not one of the types of entities currently covered by HIPAA. Simply put, HealthVault is not a:
- Health plan, because it does not provide insurance.
- Healthcare clearinghouse, because it does not convert health data into or out of standard formats covered by HIPAA.
- Healthcare provider, because it does not provide healthcare or services as defined under HIPAA (that is, HealthVault does not provide users with medical or diagnostic advice or health-related products or services).
- Sponsor of Medicare prescription drug cards.
Further, HealthVault does not provide:
- Business associate functions under HIPAA, because the HealthVault service is used by patients to manage their own information and not by HIPAA-covered entities to manage medical records (see further discussion below).
HealthVault approach to regulation and privacy
As a responsible corporate citizen, Microsoft is not waiting for regulations to define our privacy and security practices. Microsoft designs and operates HealthVault based on corporate policies developed over years of attention to privacy issues, influenced by input from privacy and health advocates. We expect HealthVault features to evolve as we learn more about the needs of our users. You can review the current privacy and security requirements for providers of HealthVault-compatible solutions at http://msdn2.microsoft.com/en-us/healthvault/cc268231.aspx.

Microsoft believes that health information is most effectively protected when consumers are at the center of the healthcare system and in control of their information. It is our goal to provide our users with clear and understandable information about the choices they can make in storing, sharing, and transferring information using HealthVault. Microsoft supports a comprehensive federal approach to privacy legislation. Since healthcare is a topic of lively discussion in the U.S., we expect regulations will change, and are committed to complying with the law.
Information transfer from HIPAA-covered entities
Microsoft does not access the data in a user’s account except as necessary to operate the service and as described in the privacy statement at www.healthvault.com. HealthVault provides an additional way for HIPAA-covered entities to transfer health information to their patients, replacing or supplementing mail, fax, and e-mail. You should seek legal advice about the legal and regulatory requirements applicable to such transfers; if you currently require patient consent for transfers to patients, a similar form of consent might be appropriate for transfers to HealthVault.
Information storage
Healthcare providers should not use HealthVault as an electronic medical record system. Healthcare providers should import a copy of any HealthVault data into their own medical record system prior to using that data to make clinical decisions. Since the data in HealthVault accounts is managed and controlled by individuals (consumers and patients), you should evaluate its completeness and accuracy as you would other information received from your patients or their families.
Why HealthVault is not a business associate
HealthVault accounts are offered to and operated for the benefit of individuals. The success of the HealthVault platform is dependent on the development of an array of compatible non-Microsoft applications and devices that offer services that individuals can use to collect their health-related information and help manage their health. Microsoft offers application developers and device manufacturers support on how the HealthVault APIs can be used to exchange data with HealthVault accounts (with user notice and consent). We may also occasionally offer assistance to providers developing HealthVault-compatible applications and devices. Application developers and device manufacturers working for HIPAA-covered entities may use those APIs (for example, to help transfer data to their customers who are also HealthVault users), but HealthVault is not offered as an electronic medical record system or as a service for HIPAA-covered entities.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.