Personal Health Records Need a Comprehensive and Consistent Privacy and Security Framework

Personal health records (PHRs) – records that are managed, controlled, and shared by individuals rather than their healthcare providers – hold the potential to transform healthcare by empowering consumers and patients to become key, informed decision-makers in their own care. These records increase individual control over personal data and permit individuals to record, store, and share relevant health information, including data that may be missing from official medical records, such as pain thresholds in performing various daily activities, details on the side effects of medication, and daily nutrition and exercise logs.

1) The Potential for PHRs to Revitalize Healthcare

2) PHRs Must Be Governed by Consistent Policies To Be Effective

3) The HIPAA Privacy Rule Would Not Adequately Protect PHRs

4) What Sort of Privacy Protections Are Necessary for PHRs?

5) Toward a Comprehensive and Consistent Privacy and Security Framework


1) The Potential for PHRs to Revitalize Healthcare

Personal health records (PHRs) – records that are managed, controlled, and shared by individuals rather than their healthcare providers – hold the potential to transform healthcare by empowering consumers and patients to become key, informed decision-makers in their own care. These records increase individual control over personal data and permit individuals to record, store, and share relevant health information, including data that may be missing from official medical records, such as pain thresholds in performing various daily activities, details on the side effects of medication, and daily nutrition and exercise logs.

However, the public will be reluctant to use PHRs without reasonable privacy and security measures in place to protect their data. To date, no comprehensive set of privacy and security rules effectively governs PHRs. Congress has taken a step toward addressing this problem as part of the recent economic stimulus legislation: the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) are tasked with drafting joint recommendations regarding PHR privacy and security requirements by February 18, 2010 for those records not covered under the privacy and security regulations of the Health Insurance Portability and Accountability Act (HIPAA). In addition, PHR vendors are covered by new federal requirements that they notify individuals in the event of a breach of health data. However, more action is needed to build public trust in PHRs.

In this policy post, CDT advocates for the adoption of consistent policies to govern all PHRs. CDT also identifies the deficiencies of the current HIPAA Privacy Rule as applied to PHRs and offers some recommendations for establishing privacy and security protections for these tools.

This subject matter is explored in greater detail in the Statement of Deven McGraw, Director of the Health Privacy Project at the Center for Democracy & Technology, Before the National Committee on Vital and Health Statistics Subcommittee on Privacy, Confidentiality & Security delivered on June 9, 2009.


2) PHRs Must Be Governed by Consistent Policies To Be Effective

Congress’s definition of a personal health record – “an electronic record of information on an individual that is managed, shared, and controlled by or primarily for the individual” – is instructive for two reasons. First, it clearly distinguishes PHRs from electronic health records, which are created and used by doctors, hospitals, and health insurers. Second, it points to the privacy and security challenges that must be dealt with before consumers will look to PHRs as tools to improve their healthcare.

Consumers will not adopt PHRs until they are assured that information they store in them will remain private and secure. Recent survey data from the Markle Foundation shows, on the one hand, that four out of five U.S. adults believe PHRs would be valuable for such varied uses as allowing them to check for errors in their medical records and to transfer their records between physicians. On the other hand, the data suggests that up to 80% of the public has expressed moderate to high privacy concerns.

HIPAA’s privacy and security regulations apply only to “covered entities” – health care providers (including physicians and hospitals), health care clearinghouses, and health plans – and the “business associates” with whom covered entities contract to perform functions or services on their behalf using patient health data. Currently, any covered entity that offers a PHR must abide by HIPAA’s Privacy Rule, but, as explained in more detail below, this regulatory regime doesn’t lend itself well to protecting consumers against the risks of using PHRs.

All other PHRs, including most offered by Internet companies and employers, are outside the coverage of HIPAA (except those provided by vendors who might be covered as business associates because of their contractual relationships with covered entities). These vendors may be loosely constrained by a patchwork of other laws – such as FTC requirements that they comply with whatever privacy policies they’ve drafted, federal laws regulating electronic communications, or state health privacy laws in a select number of jurisdictions – but not by any comprehensive set of privacy and security requirements.

The privacy policies drafted by private vendors may provide insufficient protection for consumers. A 2007 study commissioned by HHS found that the privacy policies of PHR vendors in general lacked the standard components of privacy notices. For example, only two of thirty PHR vendors described what would happen to consumers’ data if the vendor were sold or went out of business, and only one had a policy with respect to accounts terminated by the consumer.

The study by HHS and FTC provides the government and the private sector the opportunity to develop a consistent approach to regulating all PHRs, but further action from the Administration is needed before this goal can be realized. Specifically, while the study is only required to address vendors not already covered by HIPAA, HHS should expand it to facilitate the creation of a consistent set of regulations for PHRs across the board.

2007 Altarum Study Commissioned by HHS

Markle Connecting for Health Survey Data

Post at e-CareManagement blog exploring whether commercial vendors are now covered by HIPAA any time they contract with an entity already covered by HIPAA


3) The HIPAA Privacy Rule Would Not Adequately Protect PHRs

HIPAA was drafted to address privacy issues raised by the exchange of health data within the traditional healthcare system – the needs of consumers using PHRs were not contemplated. The HIPAA Privacy Rule provides a set of baseline rules that should be expanded to better protect traditional health records, but it is underprotective of PHRs for at least two reasons: it allows the release of information without the patient’s authorization for treatment purposes, payment, and healthcare operations; and it relies only on individual authorization to protect personal information against marketing and commercial uses.

If the HIPAA Privacy Rule is nevertheless viewed as the appropriate vehicle for strengthening or expanding privacy protections for consumers who use PHRs, CDT believes the HHS Secretary should promulgate HIPAA rules specific to the unique issues raised by PHRs.

For example, the rules permitting covered entities to use personal health information without consent for treatment, payment, and health care operations should not be applied to PHRs; the possibility for unauthorized disclosure undermines the fundamental policy goal behind PHRs of preserving the individual’s control over access to the information. Without such control, individuals will remain hesitant to populate their PHRs with information or use them to share health data in ways that could improve their care.

Likewise, the Privacy Rule’s reliance on individual authorization to govern access to personal information in PHRs for marketing and a range of commercial purposes should not be the sole “privacy protection” applicable to such uses. This strategy fails to protect consumers because it places the burden of protecting privacy solely on individuals and vests the bargaining power with PHR vendors who have exclusive control over the wording of privacy policies and consent forms. Internet users seldom read, and frequently do not understand, the details of consent forms before signing them, and many assume that the existence of a privacy policy means that personal information will not be shared even though such policies usually say quite the opposite. The data in PHRs is particularly attractive to third parties and, absent regulation, vendors may subject consumers to targeted advertisement, the sale of their data to pharmaceutical companies and health insurers, and direct solicitation by PHR companies’ business partners.

CDT Policy Paper, Rethinking the Role of Consent in Protecting Health Information Privacy


4) What Sort of Privacy Protections Are Necessary for PHRs?

Congress chose a promising approach in the stimulus legislation. Joint investigation by the HHS and the FTC, with its experience in issues related to online privacy and consumer protection, is likely to yield a strong set of proposals, so long as the questions are directed toward the areas most in need of attention.

Fortunately, policymakers need not start from scratch in developing appropriate recommendations. In June 2008, Markle Connecting for Health released the Common Framework for Networked Personal Health Information, outlining consensus privacy and security policies for PHRs that were developed and supported by a diverse and broad group including technology companies, consumer organizations like CDT, and HIPAA-covered entities. At the core of this framework is the belief that PHRs should be governed by a consistent and meaningful set of privacy and security policies regardless of the type of entity offering them.

Particular policy interventions might include:

  • Baseline regulatory standards that specify particular uses or disclosures for which independent consent must be obtained. These standards would help prevent consumers from granting blanket authorization for undesirable uses of their data. For example, vendors might be required to obtain consent to disclose data for marketing or commercial purposes independently of other consent.
  • Prohibitions on certain uses or disclosures of data in PHRs, regardless of consent. Compelled disclosures pose a particular problem in the contexts of employment, credit, or insurance where disclosure is nominally voluntary but in fact compelled. Congress has already moved in the direction of such prohibitions with the Genetic Information Nondiscrimination Act of 2008 (GINA), which prohibits employers and health insurers from utilizing genetic information to make employment, coverage, and underwriting determinations.
  • Limits on downstream use of data from PHRs. Given the risks posed by advertisers and other business partners of Internet-based PHRs, federal regulation of the behavior of downstream recipients is a necessary complement to contractual privacy agreements that govern third-party use of personal data.

Common Framework for Networked Personal Health Information


5) Toward a Comprehensive and Consistent Privacy and Security Framework

To establish greater public trust in PHRs and pave the way for their widespread adoption, we need a comprehensive and consistent privacy and security framework that is vigorously enforced regardless of whether an entity is covered under HIPAA. Policymakers should look to the Markle Common Framework for Networked Personal Health Information, which was developed through a multi-stakeholder process and endorsed by a broad group of stakeholders, because it provides a consistent policy framework for PHRs. In moving forward, HHS and the FTC must leverage their regulatory expertise to decide which elements of this framework should be imposed by regulation and which should be adopted through other mechanisms.
