Detailed PHR Privacy Report Cards

See detailed comments explaining why these PHRs received their grades. For more on the grading system please see the FAQ. To return to the PHR Privacy Report Card Home Page click here. If you are having trouble viewing the tables below, each PHR is available as a PDF.


View CapMed’s Report Card as a PDF here.

Personal Health Record Report Card:  CapMed icePHR

 

This PHR is primarily for
use “in case of an emergency”
www.icephr.com
A B C D F

Grade = C

(See Below for Grade Explanations)

Privacy Policy/Notice:
* Location: Privacy Policy must be easy to find and accessible from the organization’s home page. Should be unavoidable and accessible on any page that collects information. ww checkmark Privacy Policy is found at the bottom left corner, small link. It is item 6 of 13 in a comprehensive legal document.
* Readability: Privacy Policy must be clear, easy to understand, and at a low reading level. checkmark Written by lawyers, for lawyers. Very few declarative statements at a very high readinglevel. The Disclaimer of Warranties and Limitations of Liability written in all BOLD conveysa “get out of jail free” card for the company rather than any meaningful commitment to privacy or security. None of their policy invokes much confidence in protecting privacy. We don’t get the sense this policy is meant to really inform or engage the user.
* Transparency: Privacy Policy is comprehensive; individuals should not have to read multiple policies to understand how their information can be used. checkmark Privacy Policy is part of long legal agreement (13 pages) and refers to other components of the legal agreement, including the Disclaimer/Limits of Liability referenced above. The reference to HIPAA compliance is confusing and unclear. Does this mean CapMed will use any health information without getting your consent if it’s for “treatment, payment or healthcare operations”?
Learn More
Patient Control/Choice:
* Consent for Identifiable Data: No information is shared or collected without explicit, informed consent. Privacy Policy states how information will be shared and ideally, how it will NOT be shared. checkmark CapMed states they will not share individual patient information “during the registration process” with third parties, “including health insurers“. It’s a good sign that they explicitly commit to not share with insurance companies. However, they also state they are in full compliance with HIPAA as a non-covered entity. This provides us no assurance, as HIPAA allows sharing without consent for “treatment, payment, and healthcare operations.” It is difficult to tell based solely on this policy, but the reference to HIPAA opens a huge loophole. Also, is information provided ‘during registration’ the only information protected?
Of note, if the company is sold or merged, your information will be shared with the “actual or prospective purchasers“. As it’s written, it would not appear that they would need to get your permission to share all your identifiable data if the company goes bankrupt and they are bought out by an insurance company, marketing company, or researcher.
Finally, CapMed never quite committs to holding 3rd parties accountable. “CapMed may undertake efforts to see that any third party… is under contractual obligation to use the information solely for the purpose for which the information was disclosed… CapMed is not responsible for… their conduct…” If a company can’t commit to at least contractual requirements, why should anyone trust them with their personal data?
* “De-Identified Data”: No de-identified or aggregate data should be used without explicit, informed individual consent. checkmark Shares “de-identified” data, no opt out.
* Segmentation: Patients can segment/hide sensitive information. checkmark You have the ability to hide each condition, medication, immunization, etc. to Emergency personnel (ER access is the primary feature of this PHR). Can share with HealthVault but all information is copied, doesn’t appear to allow segmentation there.
Access/Participation:
* Patients can easily find out who has accessed or used their information. checkmark You receive an email when someone accesses information with the reason for accessing. You can also see a history of access.
* Patients must be able to promptly and permanently remove themselves and their health information from the system upon request. checkmark You are abe to delete any/all information. You must email customer service and it will be deleted in three (3) business days. No mention of any permanent files if they retain the records internally for any period of time after patient requests deletion.
Integrity/Security:
* Patients can expect their data to be secure. Data should only be stored in the U.S. and use authentication that goes beyond username and password login. checkmark From the Disclaimer of Warranties and Limitations of Liability: No warranty that any content “will remain unaltered, uncorrupted and unusable… secure from attack…” They do maintain encryption, firewalls, complaint with HIPAA security requirements. No mention of whether or not the data is stored in the U.S.
Customer Service/Enforcement:
* Patients can easily report concerns and get answers. checkmark Email, mail and 800# available for customer support. Sent an email on 11/10/09 and as of 12/01/09 had not received a response.
View CapMed’s entire Privacy Policy. We highlighted sections of importance.

View Google Health’s Report Card as a PDF here.

Personal Health Record Report Card:  Google Health

A Platform w/ PHRs/Programswww.google.com/healthSee FAQ for explanation of the difference
between a PHR and a platform
A B C D F

Platform Grade = D

Partners Grade = F

(See Below for Grade Explanations)

Privacy Policy/Notice:
* Location: Privacy Policy must be easy to find and accessible from the organization’s home page. Should be unavoidable and accessible on any page that collects information. ww checkmark Privacy Policy is up front/home page. Could improve by making more visually noticeable.
* Readability: Privacy Policy must be clear, easy to understand, and at a low reading level. checkmark The google Health Privacy Policy is generally written in a user friendly style; it is well organized and concise. However, there are contradictory and confusing statements:”we do not sell, rent or share your information (identified or de-identified) without your explicit consent…” BUT
“Google will use aggregate data to publish trend statistics and associations” (no opt out)We also find the following statement vague and confusing. The Goolge Health policy states that you must authorize HIPAA covered entities to send information to your Google Heath account and goes on to say: “When you ask Google to send your heath information to others, you will also be giving Google permission to send those certain types of health information.” Send to whom? Under what circumstances?
* Transparency: Privacy Policy is comprehensive; individuals should not have to read multiple policies to understand how their information can be used. checkmark Multi-layered policy: 5 relevant documents had to be reviewed to understand full policy. Reviewed the following: Google Health Privacy Policy, General Privacy Policy, Google Health Developer Policies, Terms of Service, Sharing Authorization Agreement.
It is incredibly difficult for the average consumer to have any confidence as to what policy applies in what circumstances, for what data, etc. The “exceptions” to use of information without express consent are too vague/broad.The primary caution: How privacy is protected in the PLATFORM is generally a higher standard than how PARTNERS protect privacy once you share your information. The sharing policy should be clearer, especially about those partners that only comply with HIPAA. HIPAA-compliant Partners can use your information without your consent. Regardless of whether a Partner complies with HIPAA, consumers need to read every Partner’s privacy policy and terms of use before sending information from Google Health to a Partner.
Learn More
Google Health does provide links to these policies when you click on the Partner for a description of the service (before you add them).
Patient Control/Choice:
* Consent for Identifiable Data: No information is shared or collected without explicit, informed consent. Privacy Policy states how information will be shared and ideally, how it will NOT be shared. checkmarkThe
Goog-
le
Health
plat-
form
checkmarkPartn-
ers
that
can
acce-
ss info
if you
share
your
acco-
unt
PLATFORM: Google Health states up front that “you are in control of your information.” As a Platform, Google Health’s Platform Policy requires explicit consent to share identifiable information. However, there are conflicting and vague statements in the privacy policies as noted in the section on Transparency; these confuse the commitment to obtaining “explicit consent.”Google Health can also access/disclose PHI under the following circumstances:
1) to comply with law/legal process served or “enforceable governmental request”
2) to enforce terms of service
3) to detect, prevent, or otherwise address fraud, security or technical issues
4) to protect personal safety and welfare under urgent circumstances.Most of these exceptions are standard business practices. The 3rd item is far too broad. Can Google conduct fraud investigations without your consent for an insurance company or a government agency? Any access to users’ information to address fraud should only be permitted if ordered by a court of law.PARTNERS: Take caution with Partners that are granted access to your account. The Google Health Developer Policy requires explicit opt in for sharing data. However, we have at least two concerns:1) During our assessment, we signed up for an account and added random, multiple Partner applications. At least two of the Partners on Google Health DO NOT COMPLY with the Google Heath Developer Policy. For example, TrialX, a list and matching service for research and clinical trials does not inform the user when creating an account that their information will be used for research purposes nor does it require users to agree to their privacy policy.
FYI: one of the “research” projects includes an online marketing survey for people with HIV. EPillbox, another Partner, does not require the user to agree to their privacy policy. If Google Health does not systematically enforce their own Developer Policies, how can individuals trust other Google Health policies? 2)In spite of what the Privacy Policy states about consent, if the Partner is a HIPAA covered entity, or is “compliant” with HIPAA, then HIPAA applies – no questions asked. The HIPAA exception is highly problematic: any partner that operates under HIPAA is allowed to use your health information for “treatment, payment or health care operations” without getting your express consent.
* “De-Identified Data”: No de-identified or aggregate data should be used without explicit, informed individual consent. checkmark Google Health uses aggregated data in many more ways besides analyzing website use. For example, data is used to publish trend statistics and associations. Google gives multiple assurances that this data cannot personally identify an individual – that is simply false. Data is anonymous or useful, never both (see why).
There is no way to opt out of any of the aggregate use of your health information on Google Health.
What if Google analyzes and publishes trends about searches on drug use such as Medical marijuana? Meth? Guns? Obesity? Combined with other data sets including increasingly sophisticated mapping technologies, you can
and will be re-identified.
* Segmentation: Patients can segment/hide sensitive information. checkmark Does not appear that you can segment at any level; we shared a profile with another individual and access to the entire profile was sent.
Access/Participation:
* Patients can easily find out who has accessed or used their information. checkmarkPlat-
form
checkmarkPart-
ners
Audit trails feature is clear, easy to understand (for platform only). You can see who has accessed your information as well as a history of access, i.e. what they did and when.
PARTNERS: Once your information goes out of Google Health or isshared with a Partner, how that information is accessed may or may not be tracked by that Partner.
* Patients must be able to promptly and permanently remove themselves and their health information from the system upon request. checkmarkPlat-
form
checkmarkPart-
ners
Can “completely delete at any time” without assistance. Back up copies exist for up to 30 days.
PARTNERS: If a Partner receives information from your Google Health account the Developer Policy requires them to allow permanent deletion; “back up copies may exist for a short time.” This is a good requirement but we have real concerns as to whether the policy is enforced or not (see “Patient Control” criteria).
Integrity/Security:
* Patients can expect their data to be secure. Data should only be stored in the U.S. and use authentication that goes beyond username and password login. checkmark Google Health data is stored with all other data such as gmail, calendars, etc. in the same cloud. Data is stored in the U.S. as well as other unnamed countries. They do use electronic security measures such as Secure Socket Layer (SSL) encryption, back-up systems.
Customer Service/Enforcement:
* Patients can easily report concerns and get answers. checkmark May submit comment via webform and mail. We submitted an inquiry via the webform on 11/5/09 and as of 12/01/09 have not received a response.

View Google Health’s entire Privacy Policy. We highlighted sections of importance.

View Microsoft HealthVault’s Report Card as a PDF here.

Personal Health Record Report Card:  Microsoft HealthVault

A Platform w/ PHRs/Programswww.healthvault.comSee FAQ for explanation of the difference
between a PHR and a platform
A B C D F

Platform Grade = B

Partners Grade = F

(See Below for Grade Explanations)

Privacy Policy/Notice:
* Location: Privacy Policy must be easy to find and accessible from the organization’s home page. Should be unavoidable and accessible on any page that collects information. checkmark ww Privacy Policy is highlighted graphically, featured at the top of screen, links at bottom of page as well. There is a simple summary of the Platform’s policies featured on the homepage with a link to the details. Thesesummaries (provided they are true and accurate) are a helpful indicator of the importance the company places on health privacy.
* Readability: Privacy Policy must be clear, easy to understand, and at a low reading level. checkmark Generally written in a user friendly style. Most statements are straightforward; declarative.
* Transparency: Privacy Policy is comprehensive; individuals should not have to read multiple policies to understand how their information can be used. checkmark Privacy Policy is comprehensive, generally contained in one document with the following exceptions:
There is a link to Microsoft’s General Privacy Policy to explain Windows Live ID credentialing. There is also a link to the Service Agreement. (Note: the Liability Limitation clause makes clear that you cannot recover any damages because the account is free.)We like the commitment made here:
We use personal information collected through the Service, including health information, to provide the Service, and as described in this privacy statement. We do not use or disclose your information except as described in this privacy statement.
HealthVault should not be using information in any way that is not explicitly described in this policy.Unlike Google Health, there is no standard program agreement or Developer policy readily available. While this means you do not have to read multiple policies, it is difficult to know what exactly each individual program is required to do.

The primary caution
: How privacy is protected in the PLATFORM is generally a higher standard than the practices of HealthVault’s PROGRAMS. The policy should be clearer about this, especially about those programs that only comply with HIPAA. HIPAA-compliant programs can use your information without your consent. Regardless of whether a Program complies with HIPAA, consumers need to read every Program’s own privacy policy and terms of use before sharing any information from HealthVault. Learn MoreHealthVault encourages you to examine the terms of use and privacy policies of all programs. They do not provide links to these policies, however, until you click on “Add”. This information should be provided up front with the description of the service. Later in the process, when you’re about to add the service, a link should also be provided.
Patient Control/Choice:
* Consent for Identifiable Data: No information is shared or collected without explicit, informed consent. Privacy Policy states how information will be shared and ideally, how it will NOT be shared. checkmarkThe
Health
Vault
Plat-
form
checkmarkProg-
rams
that
can
access
info if
you
share
your
acco-
unt
PLATFORM: HealthVault states up front that the individual is in control of their information on the Platform. Your records are not used or disclosed without your consent. You decide who to share your account with. HealthVault can access/disclose PHI under the following circumstances:
1) comply with law/legal process served
2) protect and defend rights or property of Microsoft
3) urgent circumstances to protect personal safetyand welfare
These exceptions are fairl standard business practices. We would have much greater concern if these clauses were broader.PROGRAMS: Take caution with the Programs that are granted access to your account. Programs are required by HealthVault to “protect privacy” and all Programs must not “disclose your data without express consent…” However, there are at least two concerns:
1) In spite of what the Privacy Policy states about consent, if the Partner is a HIPAA-covered entity, or is “compliant” with HIPAA, then HIPAA applies – no questions asked. The HIPAA exception is highly problematic: any partner that operates under HIPAA is allowed to use your health information for “treatment, payment or healthcare operations” without getting your express consent. Learn More
2) During our assessment, we signed up for an account and added random, multiple Program applications. In general, the ‘non-HIPAA’ Programs we reviewed would not share information without consent. However, one Program randomly selected, OneTouchZoom, states that when you use their site, you consent to their terms. That is not express or informed consent. They also “combine [personally identifiable information] with other actively collected information…” and may “disclose your personally identifiable information you provide via this site to Johnson & Johnson affiliates worldwide…” We don’t think this policy offers the privacy protections HealthVault states it requires.
* “De-Identified Data”: No de-identified or aggregate data should be used without explicit, informed individual consent. checkmark Microsoft uses aggregate data for evaluating the website and some marketing analysis. You cannot opt out of this practice.
* Segmentation: Patients can segment/hide sensitive information. checkmark When you share information in your account, HealthVault allows you to decide if others can view only, view and modify, share with others, see only specific pieces and set a time limit for access. You can decide what types of information you share (medications, conditions or diagnoses, heart rate, allergies). This works very well when sharing with other individuals or doctors’ offices.You are not able to segment information at this granular level when you share information with a Program. If the consumer could dictate to the program exactly what information they share, we’d give this feature a strong “A”. Your only option if you do not want to share certain requested information with a Program is to not add or use that Program.
Access/Participation:
* Patients can easily find out who has accessed or used their information. checkmark
The
HV
Plat-
form
checkmark
Prog-
rams
The audit trails feature is clear and easy to understand (for platform only).
PROGRAMS: Once your information goes out of HealthVault or is sharedwith a Program, how that information is accessed may or may not be tracked by that program.
* Patients must be able to promptly and permanently remove themselves and their health information from the system upon request. checkmark
The
HV
Plat-
form
checkmark
Prog-
rams
You can delete a record without assistance. If an account was shared with others it is removed from their view after deletion; after 90 days the files are permanently deleted.
PROGRAMS: if you send information from HealthVault to a Program, you must ask that Program to delete the information. Programs’ policies may be different than HealthVault’s policies on deletion and retention.
Integrity/Security:
* Patients can expect their data to be secure. Data should only be stored in the U.S. and use authentication that goes beyond username and password login. checkmark Information stored on servers with limited access in controlled facilities in the U.S. All communications, except email, are encrypted.
Customer Service/Enforcement:
* Patients can easily report concerns and get answers. checkmark Customer service available via email, webform and mail. Also can contact TrustE with a complaint. We submitted an email inquiry through the webform and received a response the same day.

View HealthVault’s entire Privacy Policy. We highlighted sections of importance.

View NoMoreClipboard’s Report Card as a PDF here.

Personal Health Record Report Card:  No More Clipboard


A Basic PHR
www.nomoreclipboard.com
A B C D F

Grade = A

(See Below for Grade Explanations)

Privacy Policy/Notice:
* Location: Privacy Policy must be easy to find and accessible from the organization’s home page. Should be unavoidable and accessible on any page that collects information. checkmark ww “Your Privacy” is among one of the icons in the main menu, top of page, large icon.
* Readability: Privacy Policy must be clear, easy to understand, and at a low reading level. checkmark Generally succinct, clear statements. They provide a summary that states “The only users who will have access to your record are you and the physicians with whom you choose to share your information.
NoMoreClipboard.com will never share any of your information without your expressed permission.
” You can see the full privacy policy here.
* Transparency: Privacy Policy is comprehensive; individuals should not have to read multiple policies to understand how their information can be used. checkmark There is only one policy; very straightforward regarding use of information.
Patient Control/Choice:
* Consent for Identifiable Data: No information is shared or collected without explicit, informed consent. Privacy Policy states how information will be shared and ideally, how it will NOT be shared. checkmark One way access – you decide to whom you disclose your information. Providers cannot access your account; only see and receive information that you send.”NoMoreClipboard will not send your information to anyone without you directing it and/or consenting to it.” Can reject any information sent by a provider (via fax or electronic message).
* “De-Identified Data”: No de-identified or aggregate data should be used without explicit, informed individual consent. checkmark Aggregated data is used for ads within free accounts; you can opt-out by paying for an upgraded account. The following statements are made on their website:
At no time is individual identifiable information shared with advertisers, even if you click on the ads.
NoMoreClipboard.com does not sell patient data, even in aggregate form.
* Segmentation: Patients can segment/hide sensitive information. checkmark You cannot limit the information shared with a provider or other individual. In response to our query, NoMoreClipboard stated they have “not received feedback from our customers requesting this capability.” However, NoMoreClipboard reported they have the ability to segment and we hope they will add this feature within the next 90 days.
There are three levels of access you can grant: Read Only Access, Full Access (can read, add, edit and delete) and Administrator Access (can also grant rights to others, share).
Access/Participation:
* Patients can easily find out who has accessed or used their information. checkmark You are emailed when someone accesses your account information and given the name of the person who accessed. Currently cannot get a history of access.
* Patients must be able to promptly and permanently remove themselves and their health information from the system upon request. checkmark You are able to immediately delete any information you put in the account. To permanently delete an entire account you need to make that request to Customer Support and it will be deleted from the system within 24 hours.
Integrity/Security:
* Patients can expect their data to be secure. Data should only be stored in the U.S. and use authentication that goes beyond username and password login. checkmark Uses SSL security. Designed to support the HIPAAsecurity requirements. NoMoreClipboard provided the following statement: “All information associated with the NoMoreClipboard.com Personal Health Record application is stored in a secure data center at our corporate headquarters in Fort Wayne, Indiana.”
Customer Service/Enforcement:
* Patients can easily report concerns and get answers. Can Email, Fax and Mail information. We sent an email and received a detailed response within four business days from the chief Privacy Officer. A follow up email received a response within 24 hours.

View No More Clipboard’s entire Privacy Policy. We highlighted sections of importance.

View WebMD’s Report Card as a PDF here.

Personal Health Record Report Card:  WebMD

A Basic PHR,
“WebMD Health Record”
www.webmd.com/phr
A B C D F

Grade = C

* This Report Card does NOT apply
to any WebMD PHR offered by
an Employer or Insurer.

(See Below for Grade Explanations)

Privacy Policy/Notice:
* Location: Privacy Policy must be easy to find and accessible from the organization’s home page. Should be unavoidable and accessible on any page that collects information. ww checkmark There is a link at the bottom of the page to the WebMD Privacy Policy. When you click to register for the PHR, the link to the privacy policy and terms of use are available at the end of the registration. On the Home Page Health Record there is a link at the center-right to “How is my information kept private?” Privacy Policy is linked at the bottom of every page.
* Readability: Privacy Policy must be clear, easy to understand, and at a low reading level. checkmark While the policy is fairly well organized, the content is dense and there are a lot of passive sentences vs. declarative statements. There are many different uses of information described, and WebMD’s has multiple co-branded Partners with varying policies. As a result, it is difficult to have real confidence in your understanding of how information is actually used. We do find the glossary helpful.
* Transparency: Privacy Policy is comprehensive; individuals should not have to read multiple policies to understand how their information can be used. checkmark The Policy is fairly comprehensive though the multiple brands, Partners and products within WebMDs that can access your information make for a complex policy.
Patient Control/Choice:
* Consent for Identifiable Data: No information is shared or collected without explicit, informed consent. Privacy Policy states how information will be shared and ideally, how it will NOT be shared. checkmark This PHR doesn’t have an ability to share your record electronically, so control over your information should be straightforward. We would have more confidence in an individual’s ability to control their information if the policy was more direct and didn’t describe various exceptions to disclosures throughout the document.
Users should be very careful when deciding to participate in any surveys. WebMDs may combine information obtained from surveys and use that for market research. An individual opts-in to take these surveys.
Users should be very careful when using any of the interactive tools. These tools may connect with employers, health plans, pharmaceutical benefits managers and other third parties. Pay close attention to any policy you agree to when you opt-in to these tools. We could not verify how clear or obvious consent would be obtained for these tools.
* “De-Identified Data”: No de-identified or aggregate data should be used without explicit, informed individual consent. checkmark Aggregate data is shared with third parties. There is no opt out. The amount of “de-identified” data WebMDs can collect on you is troubling. This would include information obtained from their detailed “Health Quotient” quiz that tracks drug and alcohol use, sexual history and eating habits. Promises that this information cannot be used to identify you are false. Information is either anonymous or useful, almost never both. Learn More.
They do state they require third parties to “agree that they will not attempt to make this information personally identifiable, such as by combining it with other databases.” This is a positive commitment. Unfortunately, there aren’t any meaningful ways to enforce such a requirement.
Based on their glossary, the following categories would not be considered “personal or identifiable”: gender, zip code, age, job, health condition, dates, etc.
* Segmentation: Patients can segment/hide sensitive information. checkmark You can segment what you want to print.
Access/Participation:
* Patients can easily find out who has accessed or used their information. checkmark You can view an audit trail by clicking on “Activity” in the Settings window. You can see who accessed information with date and time stamp.
* Patients must be able to promptly and permanently remove themselves and their health information from the system upon request. checkmark There is no clear committment that WebMDs ever fully deletes information or stops using “deleted” information in aggregate form. You have to make a request in writing via postal mail to delete information in their “active databases.” However, WebMDs keeps an inactive back up for a “period of not less than six (6) years.” If the information came from a “professional” such as a health care provider or plan, you can remove it from view, but WebMD will “maintain an audit log, a notice of that transaction and a copy of the information deleted.
Integrity/Security:
* Patients can expect their data to be secure. Data should only be stored in the U.S. and use authentication that goes beyond username and password login. checkmark Requires a password, data stored physically in two separate locations, encrypt transmittal of personally identifiable information, “closely monitors the limited number of WebMD employees who have potential access. All employees are subject to disciplinary action if they violate the privacy policy. WebMDs verbally told PPR that they only store information in the U.S. but we have not received any such statement in writing.
Customer Service/Enforcement:
* Patients can easily report concerns and get answers. checkmark There is a mailing address and feedback form; no phone or email support. Also a link to TrustE. We submitted an inquiry and received a partial response 7 days later (their form says they will respond in 1-2 business days).

View the WebMD Basic PHR’s entire Privacy Policy. We highlighted sections of importance.