June 2009
The Microsoft HealthVault team is often asked about our approach to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), including the American Recovery and Reinvestment Act of 2009’s extensions to HIPAA. Given the status of HIPAA as the prevalent current U.S. federal legislation pertaining to the privacy and security of health information, this is a natural and important question. We have prepared this document as a concise explanation. Succinctly stated:
Microsoft HealthVault is not a covered entity as defined by HIPAA. We offer HealthVault solution providers that are HIPAA covered entities the opportunity to sign our HealthVault business associate agreement.
HIPAA was designed to regulate the flow of health information when it is out of the patient’s direct control—for example, when it is forwarded to third-party billing services by a health care provider. At the same time, the HIPAA authors clearly recognized that patients have a right to a copy of their own health information, and built into the legislation an explicit mechanism that allows for patients to request and receive that copy.
HealthVault is, very simply, a tool for individual patients to manage health information that is under their control. The rules and choices around how that information is shared are under the control of the patient. When information is sent from a covered entity into a HealthVault record, it is done at the explicit direction of the individual.
Microsoft strongly believes that not only is this approach completely in line with the intent of HIPAA, but it is also essential in order for patients to truly be empowered to more easily access and control the use and disclosure of their health information.
However, ambiguity and uncertainty surrounding new health privacy provisions in the American Recovery and Reinvestment Act of 2009 have raised new questions about whether HIPAA applies to services offered by covered entities that connect to consumer-driven online health platforms like HealthVault. We do not want this ambiguity and uncertainty to stall progress toward a dynamic, trusted patient-centric health care system. Microsoft is also committed to complying with applicable laws. That is why we offer HealthVault solution providers that are HIPAA covered entities the opportunity to sign our HealthVault business associate agreement.
Microsoft HealthVault is not a covered entity
The HealthVault platform offers:
HIPAA covers health care organizations. Microsoft is not a covered entity by virtue of offering HealthVault. Simply put, HealthVault is not a:
Microsoft’s approach to privacy and security
Microsoft is not waiting for regulations to define our privacy and security practices. Microsoft designs and operates HealthVault based on corporate policies developed over years of attention to privacy and security issues, influenced by input from experts and advocates.
We expect HealthVault features to evolve as we learn more about the needs of our users. It is our goal to provide our users with clear and understandable information about the choices they can make in storing, sharing, and transferring their health information using HealthVault. Microsoft is working collaboratively with agencies and stakeholders that are interpreting the provisions of the American Recovery and Reinvestment Act of 2009 and related rulemaking. Effective privacy protections that establish trust are critical to the success of health IT and health care in general.
Health Information Transfer from HIPAA covered entities
Microsoft does not access health data in a user’s account except as necessary to operate the service and as described in the privacy statement at www.healthvault.com. HealthVault provides an additional way for HIPAA covered entities to transfer health information to their patients, replacing or supplementing mail, fax, and e-mail. You should seek legal advice about the legal and regulatory requirements applicable to such transfers; if you currently require patient consent for transfers to patients, a similar form of consent might be appropriate for transfers to HealthVault.
Health Information Use
Health care providers should not use HealthVault as an electronic medical record system. Health care providers should import a copy of any HealthVault data into their own medical record system prior to using that data to make clinical decisions. Since the data in HealthVault accounts is managed and controlled by individuals (consumers and patients), health care providers should evaluate its completeness and accuracy as they would other information received from their patients or their patients’ families.
HealthVault and business associate agreements
HealthVault accounts are offered to and operated for the benefit of individuals. The success of the HealthVault platform is dependent on the development of an array of compatible non-Microsoft applications and devices that offer services that individuals can use to collect their health-related information and help manage their health. Microsoft offers application developers and device manufacturers support on how the HealthVault APIs can be used to exchange data with HealthVault accounts (with user notice and consent).
Application developers and device manufacturers working for HIPAA covered entities may use those APIs (for example, to help transfer data to their customers that are also HealthVault users). We offer HealthVault solution providers that are HIPAA covered entities the opportunity to sign our HealthVault business associate agreement.
If you have any concerns or complaints, please contact the Microsoft Health Solutions Group HIPAA Official: Michael Stokes, Director of Policy and Compliance.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.