Personal Health Records: Privacy Concerns a Hurdle

Survey finds 7% of Americans have used one
For those longing for the day when more Americans use personal health records, pending PHR privacy and security rules can't come fast enough.

A new national consumer survey for the California HealthCare Foundation found that of those who have not used a PHR, "worry about the privacy of my information," was the biggest barrier, cited by 75 percent.

The survey of 1,849 Americans, conducted by Lake Research Partners, found that 7 percent have a PHR, more than double the percentage identified in a similar 2008 survey by the Markle Foundation.

Personal health records, often housed on Web sites, generally are created and controlled by patients, who can add information to the records. Some PHRs also are linked to electronic health records, the official records of hospitals and clinics.

Among companies offering PHR platforms are Microsoft, Google and WebMD. Some insurers, hospitals and physicians offer PHRs directly to their clients.

HIPAA doesn't apply

The federal HIPAA privacy and security rules, which apply to electronic health records, do not apply to most PHRs. Only PHRs that are "tethered" to a healthcare organization's EHR, such as those in use at Kaiser Permanente, are covered by HIPAA.

But under the HITECH Act, which toughened HIPAA enforcement and penalties for violations, federal regulators were mandated to come up with privacy and security regulations for PHRs by this past February. Those regulations, however, are still pending.

Survey participants' concerns about the privacy of PHRs are due, in part, to reports calling attention to the fact that PHRs don't fall under the HIPAA regulations, argues Deven McGraw, an attorney who is director of the health privacy project at the Center for Democracy and Technology. "So people are on their own to read PHR privacy policies and decide whether they are comfortable with the promises that are made," she says.

Once new federal PHR regulations are in place, more Americans may be willing to jump on the PHR bandwagon, McGraw says. "I want the PHR rule to be a good set of recommendations, and if that takes a little longer, so be it," she says. "But it can't be an indefinite wait.

"The longer we wait to put in a set of core rules about how data can be used, accessed and controlled, the longer it will take for PHRs to realize their potential for consumer engagement."

Health Level Seven, a standards developer, has called on HHS to create a certification program for PHRs, along the lines of a pending certification program for EHRs that's nearing final approval.

Variable policies

Many PHR developers have done a "decent job" of addressing privacy and security issues, McGraw says. "But we should not assume that the policies of leading industry vendors are universally adopted by all PHR providers."

Steve Findlay, senior health policy analyst with Consumers Union, holds a similar viewpoint, pointing to leading PHR vendors' use of encryption, for example. But with so many PHR options available, "there is a high degree of variability" in security functions, he notes.

"The framework of security around PHRs is not yet adequate," the consumer advocate says, calling for strong federal standards.

The HIPAA privacy and security rules don't fit PHRs because they're designed with hospitals, clinics and other healthcare organizations in mind, Findlay and McGraw stress. Instead, a different legal framework for protecting PHRs is essential, they say.

Education needed

Once federal PHR regulations are enacted, public education will prove essential to winning support for using the technology, Findlay and McGraw, who are strong PHR proponents, say.

"I have no doubt that PHRs will help create an entire new way for people to track medical information and foster a new way of interacting with their doctors and hospitals," Findlay says.

Under a new Federal Trade Commission rule, PHR vendors must report major data breaches to consumers, the media and federal authorities.

Both McGraw and Findlay, who serve on committees advising federal regulators, said no such PHR breaches have been reported. Two reasons for that, Findlay argues, are that relatively few Americans have a PHR and relatively few of those records contain highly sensitive information.

Other survey findings

Among the survey's other findings:

  • Some 68 percent of all respondents say they are concerned about the privacy of their "medical records" in general.

  • About 15 percent of all respondents said they would hide something from their doctor if they knew he had an EHR that could share information with other organizations.

  • Two-thirds agreed that "we should not let privacy concerns stop us from learning how technology can improve our healthcare."

  • Of PHR users, only 29 percent are "somewhat worried" about the privacy of their information while 11 percent are "very worried."

  • Some 56 percent of PHR users said using the technology makes them feel like they know more about their health, and 52 percent said they know more about the care their doctor provides.

  • More than half of PHR users ranked as "useful" such features as making sure information is correct, looking at test results, renewing prescriptions and e-mailing providers.

About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
