Report Card for: Personal Health Records (PHRs)

Offered by Employers and/or Insurers

Grade = F

Using an employer’s or insurer’s PHRs means sharing personal health information with that employer or insurance company. You aren't guaranteed any control over your private information. Sharing this information puts your employment, insurability, and credit at risk.

Employer and insurer PHRs offer enticing health quizzes that gather and share much more information than you would typically provide including alcohol and drug use, sexual history, eating and exercise habits. Often employers and insurers offer incentives for you to fill out surveys, health assessments, or participate in disease management programs. Employers and insurers can directly access your PHR, enabling them to gather MORE information about your health.

We cannot officially grade PHRs offered by any employers or insurers because access is limited to employees and enrollees. However, we did obtain copies of the form privacy policies for two employer or insurer-based PHRs. Very clearly, they control the use and disclosure of your health information, not you. Here is a sample of what we found in the policies:

• Your employer and your group health insurance plan "may use and disclose your protected health information (PHI)."

• "the Plan may use and disclose your personal Health Information furnished…by you, your employer, the Plan or any 3rd party"
• The PHR "discloses to the Plan or to your employer the fact that you registered…, that you have completed a health risk assessment or that you have participated or are enrolled"
• The PHR "limits access to Personal Information to you, the Plan, and any third-party vendor that provides services on behalf of the Plan" along with…all its affiliates.  (There may be many third-party vendors and affiliates, with hundreds or thousands of employees who can access your health information!)

• “We may use your Personal Health Information (PHI) for certain health care operations—for example,…determining premiums and other costs”
• “Your PHI can generally be used or disclosed for research without your permission if an Institutional Review Board (IRB) approves such use or disclosure”

• “We may use or disclose PHI to contact you to raise funds for our organization”

Keep in mind that your personal health information can be used broadly under HIPAA without your consent (See FAQ).

View this page as a PDF