What is a PHR?
What is a platform?
How did you grade these PHRs?
Why should you worry if a company is “HIPAA compliant”?
Will you allow vendors to respond to these grades?
Have you received any money from these vendors?
What laws protect PHRs?
Should you use a PHR?
How can a PHR harm me?
Why is “anonymous”, “de-identified”, or “aggregate” data a problem?
A PHR is a personal health record. PHRs can be used to collect and store official records/labs/tests/claims data directly from providers. They can also store other health-related data such as heart rate, glucose levels, medications, allergies, exercise habits, lifestyle, sexual history, personal notes and other data you might create.
The term ‘PHR’ implies you control this type of electronic health record—because its ‘personal’, it’s yours. But that is simply not true of all PHRs.
Your level of control over your information varies with each PHR. In fact, there are PHRs that can allow employers, insurers, researchers, marketing corporations, hospitals, drug companies, and government agencies etc. to access all the information in your PHR without getting your explicit informed consent. In other words, they perform counter to the initial PHR described.
Currently, there are no laws that prevent anyone from designing a PHR that you do not control. It is critical to know and understand which PHRs keep you — the individual, the patient– in control of access to your health information. For more definitions of a PHR, click here to go to our glossary. Top
A “platform” is an online web service that can store your personal health information. Platforms offer other programs and partner applications including PHRs that you may decide to add/use. Google Health and Microsoft Health Vault are platforms. These online services store information and allow you to share information with providers and different companies. It is important to understand that a platform’s privacy policies differ from the policies of other companies on that platform. In fact, there is a remarkable range of privacy practices among the programs offered by platforms.
If a program is offered by a HIPAA-covered entity or business associate (examples: health care providers, insurers, pharmacies, labs) you have little control over your information HIPAA allows these companies to use your information without your consent for “treatment, payment and health care operations” (link to FAQ).
Companies that do not comply with HIPAA also have no limits to what they can do with your information. PHRs are new products and are virtually unregulated today.
Before you share any health information with a program or partner application carefully read their privacy policies. Do not share before reading, reviewing and understanding the privacy policies and their interconnections. Do not assume that a platform’s privacy policies are the same as a program/partner’s policies. They can be dramatically different. Top
We first established the criteria based on the Code of Fair Information Practices, privacy rights protected by the Hippocratic Oath, the U.S. Constitution, common law and state and federal law, and the Privacy Principles developed by the Coalition for Patient Privacy. We described what we believe are the most meaningful privacy controls individuals should have over health information in electronic health systems.
PPR is staffed by consumer advocates, not lawyers. We did not employ attorneys to legally interpret the policies. Once the reviews were complete, we tallied the total points for each PHR and divided that total by 10, the number of categories. All categories were weighted equally.
Two grades were given to Google Health and Microsoft HealthVault, products we refer to as “Platforms.” Google Health and Microsoft HealthVault’s privacy policies apply only to their Platform, not to any of the companies linked to their Platform. For example, while the Platform, may require the individual’s consent before disclosing any data; any third party such as another PHR, a tracking tool for diabetes or research search engine does not necessarily play by the same rules.
One grade was given to the Platform itself and another grade was given to the programs and partner applications linked to the Platform to highlight the differences between the applicable policies. The programs and partner applications for each Platform were treated as one group. There are simply far too many different programs/partners for PPR to grade each individually. As such, we took a random sampling of these programs/partners. The grade for these groups of companies (an “F” for both Google Health partners and Microsoft HealthVault programs) does not mean that all of the third party companies failed. Rather some of the companies randomly selected scored poorly because they do not allow meaningful patient control over their information. Note that NoMoreClipboard.com is a PHR available on both platforms and it earned an “A”.
We also note that if the Program or Partner application is “HIPAA compliant” it can use any information provided from your account for “treatment, payment and health care operations” without getting your express consent. This does not give the individual control over their private, sensitive information. Most people have no idea how broad those three categories actually are.
HIPAA grants corporations the right to use your personally identifiable information without your knowledge or permission for purposes of “Treatment, Payment, & Health Care Operations.” These categories are broad and apply to companies you don’t even know are involved with your health care. Learn More: “Chilling News” & “HIPAA: Intent vs. Reality” Top
We sent the vendors their Report Card in advance. We welcomed vendors’ responses to the report card, and will post vendors’ comments. We want to open or continue a dialogue with all vendors interested in protecting privacy. Each report card contains detailed comments for each category. We reserve the right to respond to all vendor comments we post. Top
PPR conducted privacy training for Microsoft in 2009 and was paid for those services. Privacy trainings are available to any entity interested in developing a corporate culture of privacy. We do not provide paid consulting to any vendors, though we happily provide feedback. We are not paid for any feedback. We also note that Microsoft signed on to the Coalition for Patient Privacy Principles in 2007 and 2009. Top
No laws protect your right to control health information in PHRs. PHRs are required to comply with posted corporate privacy policies. The FTC is charged with monitoring and enforcement of PHR privacy policies. If the FTC determines what the PHR does with information is inconsistent with what they say they do in their policies, the FTC could determine that the PHR is “unfair and deceptive” and require fines, changes in what they do, etc.
The American Recovery and Reinvestment Act (ARRA) requires PHRs to notify victims if there is a breach of privacy. The FTC and HHS are required to study PHRs and make recommendations for how PHRs should be regulated. This report is due to Congress on 2/17/10. Top
Any PHR that shares any information, identifiable or “de-identifiable/ aggregate/anonymous” data with employers, insurers, etc. is risky. Assume your PHR does not give you control over your health information until you affirmatively confirm otherwise. Be selective about any information you provide. For example, if you want to track lifestyle information that a doctor, insurer or employer wouldn’t normally have, you may want to use an alias when you set up that account. Some PHRs let you open an account under an alias or your dog’s name, but a fake name alone will not necessarily make your data safe, because the PHR could use other public online information about you to re-identify your health records.
PPR is not recommending the use of any of the PHRs we reviewed, regardless of the grade earned. We do not guarantee any of the information provided. This is simply a guide, prepared by consumer advocates, to raise awareness and share an educated opinion. Top
Consider PHRs a goldmine of your most personal, sensitive information. Ask yourself, would you want your employer, insurer, a drug company, bank, etc. to know:
* how many sex partners you’ve had?
* how often you drink?
* how often you excercise?
* if you take an antidepressant?
* if your kid is diabetic, in therapy or taking Ritalin?
* if you have considered suicide, or looked for any support group online?
* if you have researched “asthma”, “cancer”, “herpes”, “fatigue”?
It is practically impossible to ensure that anonymous/de-identified/aggregate data cannot be re-identified; far too much information exists and is accessible now to the average person. Dr. Latanya Sweeney showed she can re-identify 87% of the population with just gender, month and date of birth and zip code.
Data is either useful or anonymous, but never both. Learn More. Data may seem anonymous but when coupled with another set of data, the merged data set can often reveal identity. Consider data an employer or insurer already has on you, overlapped with “anonymous” data such as age, location, gender and dates of absence for a report on those who searched for “cancer testing.” If employers and insurers want to identify sick or expensive people, they can. Top