1. What is a PHR?
2. What is a platform?
3. What are the different types of PHRs?
4. Are PHRs private?
5. Does HIPAA cover PHRs?
6. What types of PHRs are not covered by HIPAA?
7. What laws protect PHRs?
8. How to decide if a commercial PHR is for you?
9. Questions to ask about ANY PHR you are considering:
A PHR is a personal health record. PHRs can be used to collect and store official records/labs/tests/claims data directly from providers. They can also store other health-related data such as heart rate, glucose levels, medications, allergies, exercise habits, lifestyle, sexual history, personal notes and other data you might create.
The term ‘PHR’ implies you control this type of information—because its ‘personal’, it’s yours. But that is simply not true of all PHRs. A PHR is a means of storing and controlling your personal medical information. The difference between a PHR and an EHR (electronic health record) is that individuals have the ability to mange their own PHRs. An EHR is a collection of many different health records that your health care provider controls and populates with information.
Your level of control over your information varies with each PHR. In fact, there are PHRs that can allow employers, insurers, researchers, marketing corporations, hospitals, drug companies, and government agencies to access all the information in your PHR without getting your explicit informed consent. In other words, they perform counter to the initial PHR described.
PHRs are meant to benefit consumers by encouraging them to take a more active role in their own health care and become better informed about it. PHRs are a place to store your own health information, and they may also have tools that can, for example, assist you in managing your prescriptions or a chronic medical condition. Unlike PHRs, EHRs’ primary purpose is to benefit health care providers by giving them more complete medical histories for treating patients. In theory, this should improve the quality of patient care.
The features that PHRs offer vary, but some common ones include the ability to store and transmit:
- information about your medical history;
- information about your prescriptions, including dosages and refills;
- diagnostic test results, both laboratory and imaging;
- drug alerts;
- your immunization records;
- your physicians’ treatment plans for you.
A PHR may also support options such as secure email with your physicians and links to medical informational websites and archives.
Under HIPAA, you can request your medical records (with some exceptions) in the format you specify (paper, electronic, microfilm) and receive them at a reasonable cost. If your request is denied, there is a process to appeal the denial. (45 CFR § 164.524)
Currently, there are no laws that prevent anyone from designing a PHR that you do not control. It is critical to know and understand which PHRs keep you — the individual, the patient– in control of access to your health information. For more definitions of a PHR, click here to go to our glossary. Top
A “platform” is an online web service that can store your personal health information. Platforms offer other programs and partner applications including PHRs that you may decide to add/use. Google Health and Microsoft Health Vault are examples of platforms. Google Health was discontinued in January of 2013 because of privacy issues. These online services store information and allow you to share information with providers and different companies. It is important to understand that a platform’s privacy policies differ from the policies of other companies on that platform. In fact, there is a remarkable range of privacy practices among the programs offered by platforms.
If a program is offered by a HIPAA-covered entity or business associate (examples: health care providers, insurers, pharmacies, labs) you have little control over your information HIPAA allows these companies to use your information without your consent for “treatment, payment and health care operations” (link to FAQ).
Companies that do not comply with HIPAA also have no limits to what they can do with your information. PHRs are new products and are virtually unregulated today.
Before you share any health information with a program or partner application carefully read their privacy policies. Do not share before reading, reviewing and understanding the privacy policies and their interconnections. Do not assume that a platform’s privacy policies are the same as a program/partner’s policies. They can be dramatically different. Top
PHRs can be either paper based or electronic. Electronic records can be kept on a variety of different media, including personal computers, thumb drives, CDs, or web-based applications. While electronic records may be easier to access, update and share, paper records may be easier to secure.
- Paper. Some people may already have your own paper-based PHRs. These may include copies of diagnostic test results, drug and prescription notices, or treatment invoices and Explanations of Benefits from providers and insurers. These offer a fairly good summary of your medical history. For security purposes, you want to make sure that they are stored in a secure location. The problem with the paper files, is that they lack accessibility and are not easily shared.
- Personal Computer. You can easily install a PHR application on your personal computer where you may input information, download files, and scan documents you receive from your healthcare providers. Since the information is stored locally on the computer, you can control it and have the ability to update and print it. An example is MyMedsPHR, which records your medications and reminds you when to take them. A downfall of this type is if you have a medical emergency, no one will be able to access your medical history through your PHR unless you carry an up-to-date CD or thumb drive on your person and can tell the ER staff where it is—and they ability to read it. Therefore, in emergencies or if you are not prepared, this is not ideal.
- Internet. Most PHR products are Internet based. They are very similar to a local application on your computer, but accessible online when you log in with a user name and password. An example is Microsoft’s HealthVault. This type of online PHR lets you manage your records from wherever you are and you give others access as well. All you need is your user name and password therefore, Internet-based PHRs make your medical information available in non-ememrgeny situations as well as in emergencies. Internet-based PHR security depends on the security of the devices you use to store and transmit your information, whatever is built into the PHR application itself, and the security of the networks the information travels along.
- Smartphone mobile application. Smartphone apps can be used to send information and receive medical information from health care providers and insurers. Many apps have to ability to measure vital signs—like heart rate and blood pressure—and update your PHR continuously. The applications may even give you the option of sharing your data using social media. These applications present numerous privacy and security concerns, which are compounded when they link to social media. The FDA is in the process of developing regulations for some types of mobile medical apps, but not the ones that act as PHRs. Only those that are either accessories to a regulated medical device (such as an app that monitors an insulin pump) or that transform a mobile platform into a regulated medical device (for example, an app that uses a phone’s touch-screen capability to monitor vital signs) are currently being considered for FDA regulation. For consumer information, see FDA Proposes Health ‘App’ Guidelines.
- PHR smart card. A number of vendors offer a secure PHR smart card that stores medical information. All you and your doctor need is a card reader and you are both able to access your records on a computer screen and also update the card. Problems with this type of PHR may be the question of universally available card readers are and the actual security of the card, in case you lose it.
If you are considering using a PHR to maintain your health records, please view the AHIMA’s (American Health Information Management Association) list of 12 Questions Consumers Should Ask When Choosing a PHR. AHIMA also has a website that can help you choose a PHR based on your age and other health requirements. . Top
The privacy protections applying to PHRs depend on where the PHR originates. Internet-based PHR security depends on the security of the devices you use to store and transmit your information, whatever is built into the PHR application itself, and the security of the networks the information travels along.
A PHR that a doctor or a health plan provides would fall under the laws that protect medical privacy and set standards for maintaining the security of your medical information. This would include both HIPAA and the Confidentiality of Medical Information Act (CMIA).
While helpful, breach notification requirements only come into play after your data has actually or potentially been compromised. Top
For HIPAA to apply to a PHR, a HIPAA-covered entity must provide it. This generally would be a health care provider or a health plan that offers a PHR as one of its services. If that is the case, the PHR comes under the federal privacy and security rules that protect your medical records. The HIPAA term for a third party that performs services for a health care provider or health plan that require the use or disclosure of medical information is a “business associate.” Business associates are covered by the HIPAA Privacy and Security Rules, including the data breach notification requirements.
The HIPAA Privacy Rule gives you a right to know who has accessed or received information from your PHR (called an “accounting of disclosures”). However, it is unclear how this works with PHRs since you would generally be the one accessing your own PHR, and anyone else who accesses it would need your permission. It has been suggested that providers who offer PHRs include a functionality that lets you view an access log.
HIPAA does not give you the individual right to sue whoever is responsible for the breach of your medical records. Only an attorney general can bring a legal action. Top
If your employer offers a PHR, the PHR typically won’t be covered by HIPAA regulations. However, the PHR will be covered by HIPAA if it is part of an employer-sponsored health plan. PHRs from commercial vendors, including mobile medical application vendors, will not be covered under HIPAA regulations. While some commercial PHRs may advertise themselves as “HIPAA-compliant,” the only privacy protections they offer are those in their own privacy notices and practices, which they can change at any time. To give you an idea what to look for in a commercial PHR vendor’s privacy practices, the Office of the National Coordinator (ONC) at the Department of Health and Human Services (HHS) has a model notice of privacy practices for commercial PHR vendors. Top
No laws protect your right to control health information in PHRs. PHRs are required to comply with posted corporate privacy policies. The FTC is charged with monitoring and enforcement of PHR privacy policies. If the FTC determines what the PHR does with information is inconsistent with what they say they do in their policies, the FTC could determine that the PHR is “unfair and deceptive” and require fines, changes in what they do, etc.
Although a commercial PHR may not be covered by the HIPAA regulations (but may be covered by the CMIA, depending upon the interpretation of Cal. Civ. Code § 56.06) it is still subject to breach notification requirements. A PHR vendor or a business that offers products and services through the vendor’s website is liable for a breach of unsecured (unencrypted) health information, and must notify the affected individuals, the media if the breach involves 500 or more individuals, and the Federal Trade Commission (FTC). (42 U.S.C. § 17937) The FTC has helpful information for vendors about who falls under this rule, what kind of incident requires a breach notification, and the specifics of notice (whom to notify, when, by what means, and with what information).
The FTC forwards notices of PHR breaches that it receives from vendors to the HHS Office for Civil Rights (OCR). However, the FTC has enforcement authority over commercial PHRs. OCR has enforcement authority over HIPAA-covered PHRs. OCR maintains a list of all health-related data breaches that affect more than 500 individuals. Top
Any PHR that shares any information, identifiable or “de-identifiable/ aggregate/anonymous” data with employers, insurers, etc. is risky. Assume your PHR does not give you control over your health information until you affirmatively confirm otherwise. Be selective about any information you provide.
For example, if you want to track lifestyle information that a doctor, insurer or employer wouldn’t normally have, you may want to use an alias when you set up that account. Some PHRs let you open an account under an alias or your dog’s name, but a fake name alone will not necessarily make your data safe, because the PHR could use other public online information about you to re-identify your health records.
There are two documents you should read if you are trying to choose which commercial PHR is for you:
1. The vendor’s Notice of Privacy Practices. This will tell you everything you need to know about the PHR, most importantly, how much control the vendor allows you to have over your medical information. The notice of privacy practices should be very clear about what information the vendor will release and in what form. There is a difference between personally identifiable medical information and statistical information (which does not contain personal identifiers). The notice of privacy practices should inform you whether or not they will release personal or statistical information for the following purposes:
- marketing and advertising;
- medical and pharmaceutical research;
- information to your insurer and/or employer
- gathering data for developing applications
The notice should tell you where your data goes if you cancel or transfer your PHR and whether or not the vendor has relationships with third parties. The notice should have a security section that explains the security measures in place, and either meets industry standards, or states that are HIPAA compliant. It should tell you that the vendor will protect the information in your PHR from any unauthorized access, disclosure, or use. It should tell you that your PHR data is stored in the U.S., because if it is not, it will not be protected by any U.S. laws.
Click here to learn more about a few commercial PHRs and how they rank. Find out if they protect your privacy.
- Who will have access to my medical information?
- What control will I have over how my information is shared? How it is shared? In what form (personally identifiable or statistical/de-identified)?
- Where is my information stored—in the U.S.? in the cloud?
- Can I find out who accessed my medical information?
- Do I have authorization power over access to my information and how does the authorization process work? Can I revoke my authorization once it’s been given?
- Do I have any ability to delete information that has already been sent to providers from my PHR?
- What security measures are in place to protect my information (encryption in transmission and storage)?
Consider PHRs a goldmine of your most personal, sensitive information. Ask yourself, would you want your employer, insurer, a drug company, bank, etc. to know:
* how many sex partners you’ve had?
* how often you drink?
* how often you excercise?
* if you take an antidepressant?
* if your child is diabetic, in therapy or taking medicine?
* if you have considered suicide, or looked for any support group online?
* if you have researched “asthma”, “cancer”, “herpes”, “fatigue”?
U.S. Department of Health and Human Services – Office of the National Coordinator (ONC)
Office of the National Coordinator for Health Information Technology
U.S. Department of Health and Human Services
200 Independence Avenue S.W.
Washington, D.C. 20201
“Consumer Guide to Understanding and Using the PHR Model Privacy Notice on Company Data Practices”: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=3781
Department of Health and Human Services – Office for Civil Rights (OCR)
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free: 1-877-696-6775
To file a complaint about what you believe is a privacy violation regarding your PHR: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
If you have a complaint about a PHR vendor that is not covered by HIPAA, you can contact the FTC at 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. To file a complaint with the FTC, this is the best place to begin:https://www.ftccomplaintassistant.gov/ The FTC keeps a database of complaints in the Consumer Sentinel Network, which helps many civil and criminal law enforcement investigators with their research.
American Health Information Management Association (AHIMA)
233 N. Michigan Avenue, 21st Floor
Chicago, IL 60601-5809
Main Number: (312) 233-1100
Customer Relations: (800) 335-5535
AHIMA has extensive information on PHRs, including how to decide which one might be right for you: http://www.ahima.org/resources/phr.aspx