
Thoughts from office 2.0

Tags:  security  twitter  wikipedia 

By David Snead on September 06, 2007

The office2.0 conference began yesterday with a cocktail party. At the party, I met a doctor from CNMRI who is using technology in two interesting ways. He’s using Twitter so his staff can figure out what tasks each of them is engaged in throughout the day – this allows them to focus more on patients, and less on locating each other. The second is a project to build a web-based statewide health information network in the State of Delaware. This will let doctors and patients share medical records across the web.

As interesting as these new applications of technology are, they rang two alarms for me: privacy and HIPAA. As I’ve noted in both my columns and on this blog, I believe that privacy is likely to emerge as a regulatory and litigation issue in the next year. The use of Twitter in a medical capacity has significant privacy implications. While I was unable to access Twitter to review its contract, I would assume that it has provisions similar to the contracts of most internet infrastructure providers which basically say that the provider has no liability for anything and does not guarantee the security of its network. So where does that leave the doctor when Twitter accidentally discloses that one of the doctor’s patients is in exam room 3 being treated for an STD, and the doctor is sued when the patient’s wife finds out? Twitter may have some liability depending on what its privacy policy says. As I often point out, privacy policies are contracts between companies, their customers, and often third parties. As a result, they should be reviewed with the same level of scrutiny.

HIPAA is also a big issue. I inquired whether the doctor had sent Twitter a Business Associate Agreement (BAA) and how these agreements would function in the context of a networked medical records system in which each doctor had their own ISP and likely host who was connected to other hosts and bandwidth providers.

BAAs are the main legal issue for web hosts and other internet infrastructure providers under HIPAA. BAAs impose additional contractual obligations on third parties based on a health care provider’s obligations under HIPAA. In essence you are contractually obligated to follow the terms of the BAA. HIPAA itself does not contain a form BAA. As a result, businesses are free to create their own BAAs as long as they conform to the bare minimum required by the statute. As might be expected, some businesses have been using BAAs to back door contractual provisions that they were unsuccessful at getting in their initial negotiation. The most common provisions I see are privacy warranties and SLA carve outs, neither of which is required by HIPAA. Hosts and other internet infrastructure providers need to pay close attention to BAAs they receive to make sure that they are only contractually obligating themselves to things they can actually do.

David Snead is a lawyer whose practice is focused on internet infrastructure providers. In his eleven years in this practice, he has represented clients including multinationals, middle tier hosting companies, and two guys, a server, a T-1 and a huge MasterCard balance. A long-time WHIR contribut...
