Comments Sought on PHR Privacy

Report on Personal Health Records Risks in the Works
As they scramble to submit a long overdue report to Congress on privacy and security requirements for personal health records, federal regulators are seeking comments on the issues.

A personal health record is an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual.

The Department of Health and Human Services' Office of the National Coordinator for Health Information Technology is accepting PHR comments through Dec. 10 on its website. ONC is seeking feedback on such topics as:

  • The privacy and security risks, concerns and benefits related to current and emerging business models for PHRs;
  • Consumer expectations about collection and use of health information, including legal protections for PHRs;
  • The pros and cons of applying different privacy and security requirements to PHRs, mobile technologies and social networking.

PHR Roundtable

On Dec. 3, ONC will host a day-long roundtable event in Washington on PHRs featuring panels of researchers, legal scholars and representatives of consumer, patient and industry organizations. Although the Washington venue is completely booked, the event can be viewed live online.

"We have scheduled that meeting to help us prepare our report to Congress," says Joy Pritts, ONC's chief privacy officer. She expects the report to be completed early in 2011.

Based on the recommendations in the ONC's report, new regulations might be proposed or Congressional action might be requested, Pritts adds.

HITECH Mandate

Section 13421 of the HITECH Act called for the Department of Health and Human Services to submit a report by last February on the privacy and security requirements for PHR vendors and others not covered by HIPAA. But the report has been delayed while the ONC worked on other projects, Pritts says.

Personal health records are regulated under the HIPAA privacy and security rules only if they are offered by a "covered entity," such as a hospital or physician group.

Breaches of PHRs must be reported to the Federal Trade Commission. In the year since the FTC breach notification rule for personal health records took effect, no major breaches affecting 500 or more individuals have been reported, the FTC says.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
