PHRs and Privacy: Tackling Tough Issues
Regulating Personal Health Records Far From Easy
Because it's so difficult, even for the experts, to define a PHR, coming up with privacy rules for these records is a challenge, Gellman argues. "It's extremely messy and becoming messier."
HHS expects to submit to Congress early next year a long-overdue report on privacy and security requirements for personal health records vendors, which usually are not covered by the HIPAA privacy and security rules. Section 13421 of the HITECH Act called for HHS to submit a report on the requirements for PHR vendors and others not covered by HIPAA.
I'm not sure I understand what a PHR is any more.
The Dec. 3 event was designed to gather information that HHS can use in crafting its report. Based on the recommendations in the report, new regulations might be proposed or Congressional action might be requested.
EHRs vs. PHRs
Unlike an electronic health record, which is created by a healthcare provider, a personal health record is controlled by an individual.
Federal authorities define a personal health record as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual. PHRs are regulated under HIPAA only if they are offered by a covered entity, such as a hospital, physician group or insurer. In some cases, healthcare organizations offer PHRs in partnership with a vendor.
Many surveys have confirmed that consumers don't understand existing privacy laws or know what a PHR is, panelists at the Dec. 3 event lamented.
"The public is clueless about PHRs; the majority have no idea that they exist," says Tresa Undem, a pollster who conducted a consumer survey on PHRs for the California HealthCare Foundation. That survey found only 7 percent of Americans have used a PHR.
In general, when it comes to online privacy, "The American consumer has no idea about what they should be concerned about," says Lee Tien, an attorney with the Electronic Frontier Foundation.
PHRs and Advertising
Gellman calls on federal regulators to take a particularly close look at PHRs that accept advertising. "Commercial advertising-supported PHRs are essentially devices to transfer records to marketers," he argues, labeling such data leakage as a critical issue.
Those are strong words. But it appears the Federal Trade Commission shares similar concerns.
A new FTC privacy report endorses implementation of a simple, easy-to-use "do not track" mechanism that consumers can use to opt out of the collection of information about their Internet behavior for targeted ads. Perhaps a "do not track" mechanism might help alleviate some concerns about PHRs with ads.
Surveys by the Markle Foundation confirm that consumers want to be able to review who has accessed their PHRs and want to be notified of breaches and have a mechanism for correcting information in their records, says Josh Lemieux, the foundation's director of personal health technology.
The foundation has prepared a Common Framework for Networked Personal Health Information that some say could provide a good starting point for PHR regulations. Because HIPAA was designed with healthcare organizations, not consumers, in mind, it's not a good fit for consumer-controlled PHRs, proponents of the framework argue.
So we'll be watching to see whether HHS decides that some or all of HIPAA should apply to PHRs, or whether a separate set of rules, based in part on the Markle Foundation framework, is a better idea. What do you think is the best option? We'd like to hear from you.