CDT Releases Major Report on Guidelines for Personal Health Records

Washington, DC – The Center for Democracy & Technology's Health Privacy Project today released a major policy paper outlining a mix of legal requirements and voluntary best practices needed for the widespread adoption of Personal Health Records (PHRs).

A PHR is an electronic tool that allows consumers to store, manage, use, and share their personal health information.  However, the success of PHRs depends in large part on whether consumers trust that their sensitive information is well protected. CDT's report, "Building a Strong Privacy and Security Policy Framework for PHRs," recommends baseline privacy rules and urges the adoption of comprehensive best practices based on the Markle Common Framework.  

"We will squander the promise and potential of PHRs if consumers do not trust that their most sensitive information is safe and secure," said Deven McGraw, director of CDT's Health Privacy Project.  "By preserving consumer trust and providing certainty to the marketplace, the right PHR regulations can drive the revolution in self-managed health care that is waiting to happen."

The report is aimed at Congress and federal agencies responsible for ensuring protections are in place for consumers using PHRs.  Among the recommendations made in the report:

  • Require consumer consent to collect, use, disclose, and maintain data in a PHR.
  • Require PHR providers to provide opportunities for consumers to amend, correct or annotate information in a PHR.
  • Prohibit compelled use of a PHR.
  • Require PHR providers to have data retention policies.
  • Require PHR providers to adopt reasonable security protections, including strong authentication policies.
  • Prohibit the unauthorized re-identification of aggregate/de-identified data from a PHR.
  • Make all PHRs subject to consistent federal rules.

The full report can be found online here.