Personal Health Records: Who Are You Going to Trust?
Personal health records (PHRs) have the potential to move our health care system toward a more patient-centered model by enabling individuals to store and share copies of their health information. However, many consumers hesitate to use PHRs because of privacy concerns. These concerns are justified by the uncertainty that characterizes our current system: there are no consistent rules protecting PHRs, and there are arguably no national privacy and security standards governing PHRs provided by entities outside the coverage of the Health Insurance Portability and Accountability Act (HIPAA). When doctors, hospitals, and health insurers (or their business associates) offer PHRs, the HIPAA Privacy Rule applies. When independent entities provide PHRs – like many of the ones available online – no substantive standards apply except that a company must comply with whatever privacy policy it creates or risk Federal Trade Commission (FTC) action. Unsurprisingly, a 2007 study commissioned by the Department of Health and Human Services (HHS) found many PHR privacy policies lacking. A seemingly intuitive solution to the problem is to apply the HIPAA Privacy Rule to all PHRs. However, HIPAA was drafted to address the privacy issues raised by traditional health records, not consumer-oriented PHRs.
The broad application of HIPAA could actually make personal health information less safe due to two major deficiencies. First, HIPAA allows a number of disclosures without consumer consent for treatment, payment, or healthcare operations. Involuntary disclosures are contrary to Congress’s own definition of a PHR as “an electronic record of information on an individual that is managed, shared, and controlled by or primarily for the individual” and may increase consumer reluctance to use PHRs in ways that could improve their care. Second, HIPAA’s exclusive reliance on individual authorization to protect consumers against inappropriate commercial use of their information is inadequate. Consent forms drafted by PHR vendors may be difficult to understand and, like other end-user agreements, consumers have little choice but to take them or leave them. PHRs need consistent regulations designed to address the unique challenges they present.
Congress has begun to examine the issue by asking HHS and the FTC to recommend privacy and security protections for PHRs not covered by HIPAA, but this approach risks overlooking the shortcomings of HIPAA as a PHR policy. The study should broaden its scope to examine privacy risks common to all PHRs. Policymakers need not start from scratch. The Markle Common Framework for Networked Personal Health Information offers a comprehensive set of policies and technical standards that has been widely endorsed. Last month CDT brought together over 40 “PHR experts” – including major PHR vendors, consumer groups, physicians, Health2.0 innovators, and foundations – for a workshop to discuss solutions to the most critical policy issues arising from PHRs. CDT’s recommendations, which will consider the issues raised at the workshop, will be released this summer.