Comments Sought on PHR PrivacyReport on Personal Health Records Risks in the Works
A personal health record is an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual.
The Department of Health and Human Services' Office of the National Coordinator for Health Information Technology is accepting PHR comments through Dec. 10 on its website. ONC is seeking feedback on such topics as:
- The privacy and security risks, concerns and benefits related to current and emerging business models for PHRs;
- Consumer expectations about collection and use of health information, including legal protections for PHRs;
- The pros and cons of applying different privacy and security requirements to PHRs, mobile technologies and social networking.
PHR RoundtableOn Dec. 3, ONC will host a day-long roundtable event in Washington on PHRs featuring panels of researchers, legal scholars and representatives of consumer, patient and industry organizations. Although the Washington venue is completely booked, the event can be viewed live online.
"We have scheduled that meeting to help us prepare our report to Congress," says Joy Pritts, ONC's chief privacy officer. She expects the report to be completed early in 2011.
Based on the recommendations in the ONC's report, new regulations might be proposed or Congressional action might be requested, Pritts adds.
HITECH MandateSection 13421 of the HITECH Act called for the Department of Health and Human Services to submit a report by last February on the privacy and security requirements for PHR vendors and others not covered by HIPAA. But the report has been delayed while the ONC worked on other projects, Pritts says.
Personal health records are regulated under the HIPAA privacy and security rules only if they are offered by a "covered entity," such as a hospital or physician group.
Breaches of PHRs must be reported to the Federal Trade Commission. In the year since the FTC breach notification rule for personal health records took effect, no major breaches affecting 500 or more individuals have been reported, the FTC says.