The Security Scrutinizer with Howard Anderson

PHRs and Privacy: Tackling Tough Issues

Regulating Personal Health Records Far From Easy

One of the many difficult challenges involved in devising federal regulations governing the privacy and security of personal health records is that so many different flavors of PHRs exist. Alluding to the growing number of PHR models, Robert Gellman, a privacy and information policy consultant and attorney, says, "I'm not sure I understand what a PHR is any more." Gellman was one of the speakers at an all-day roundtable event on PHR issues hosted by the Department of Health and Human Services on Dec. 3.

Because it's so difficult, even for the experts, to define a PHR, coming up with privacy rules for these records is a challenge, Gellman argues. "It's extremely messy and becoming messier."

HHS expects to submit to Congress early next year a long-overdue report on privacy and security requirements for personal health records vendors, which usually are not covered by the HIPAA privacy and security rules. Section 13421 of the HITECH Act called for HHS to submit a report on the requirements for PHR vendors and others not covered by HIPAA.

The Dec. 3 event was designed to gather information that HHS can use in crafting its report. Based on the recommendations in the report, new regulations might be proposed or Congressional action might be requested.

EHRs vs. PHRs

Unlike an electronic health record, which is created by a healthcare provider, a personal health record is controlled by an individual.

Federal authorities define a personal health record as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual. PHRs are regulated under HIPAA only if they are offered by a covered entity, such as a hospital, physician group or insurer. In some cases, healthcare organizations offer PHRs in partnership with a vendor.

Many surveys have confirmed that consumers don't understand existing privacy laws or know what a PHR is, panelists at the Dec. 3 event lamented.

"The public is clueless about PHRs; the majority have no idea that they exist," says Tresa Undem, a pollster who conducted a consumer survey on PHRs for the California HealthCare Foundation. That survey found only 7 percent of Americans have used a PHR.

In general, when it comes to online privacy, "The American consumer has no idea about what they should be concerned about," says Lee Tien, an attorney with the Electronic Frontier Foundation.

PHRs and Advertising

Gellman calls on federal regulators to take a particularly close look at PHRs that accept advertising. "Commercial advertising-supported PHRs are essentially devices to transfer records to marketers," he argues, labeling such data leakage as a critical issue.

Those are strong words. But it appears the Federal Trade Commission shares similar concerns.

A new FTC privacy report endorses implementation of a simple, easy-to-use "do not track" mechanism that consumers can use to opt out of the collection of information about their Internet behavior for targeted ads. A "do not track" mechanism of that kind might help alleviate some of the concerns about ad-supported PHRs.

Surveys by the Markle Foundation confirm that consumers want to be able to review who has accessed their PHRs and want to be notified of breaches and have a mechanism for correcting information in their records, says Josh Lemieux, the foundation's director of personal health technology.

The foundation has prepared a Common Framework for Networked Personal Health Information that some say could provide a good starting point for PHR regulations. Because HIPAA was designed with healthcare organizations, not consumers, in mind, it's not a good fit for consumer-controlled PHRs, proponents of the framework argue.

So we'll be watching to see whether HHS decides that some or all of HIPAA should apply to PHRs, or whether a separate set of rules, based in part on the Markle Foundation framework, is a better idea. What do you think is the best option? We'd like to hear from you.



About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



