Bryon Pickard, president of the American Health Information Management Association, told Congress on Tuesday that HIPAA's privacy and security protections should be extended to all entities handling health information and should include personal health records, Health Data Management reports.
"PHRs offered by non-HIPAA-covered entities have no protection unless there is state legislation that specifically addresses the issue," Pickard said, adding, "Even if state legislation exists, there is concern that if the PHR operator is in one state, and the consumer is in another, which law applies and/or prevails."
Some insurers that offer PHRs believe they have the right to access and use the data, which can erode individuals' "ability to trust and ensure the appropriate use of their personal information," Pickard said.
"[W]e recommend that uniform laws be written to cover the misuse of personal health information regardless of where it resides or is transmitted -- this would then include the [PHR]," he added.
AHIMA also recommended new privacy protections for patient financial information, Health Data Management reports (Health Data Management, 6/20).