Personal Health Records: PHRs and Consents for Disclosure
Under HIPAA, if a consumer wants to authorize a covered entity to disclose her records, she will usually be obliged to sign an authorization form. The HIPAA rule prescribes the content of the authorization form and its scope. That rule provides some protections because it makes it harder for a consumer to unknowingly sign a form authorizing the disclosure of health records. For example, if a consumer signs a one-sentence form authorizing anyone with records about the consumer to disclose the records to the bearer of the form, it is unlikely that any doctor or hospital would or should honor that form.
In the absence of law, a PHR can have any rule that it chooses about disclosing information with consent. It can require affirmative consent (opt-in) on a designated printed form. It can allow disclosure for some activities unless a consumer objects (opt-out) by submitting a letter through postal mail. The PHR vendor can accept a checked box on a website. Whether a PHR’s consent rules and procedures are adequate is for each consumer to evaluate. The process may vary from PHR to PHR and, perhaps, even within the same PHR system depending on the type of disclosure. Those who surf the web routinely know that it can be easy to check a box, forget to uncheck a box, or agree to something unintentionally because the authorization was buried deep in an unread notice. A casual consent to enter a sweepstakes for a one-in-a-million chance to win a t-shirt could obscure a broad authorization for the disclosure of health information. That type of authorization would not comply with HIPAA requirements, but a non-HIPAA covered PHR vendor could accept it.
Many organizations may want to use PHR records for other purposes. Finding old or scattered health records can be challenging in many cases. If the PHR vendor successfully gathers records from many sources, it will be a boon to those outside the health care system who want health information about consumers and have the leverage to obtain some form of consent. Why seek records in a dozen places when someone has nicely centralized them and can share them in digital formats? It is likely that PHR records will be sought by insurance companies for consumers who apply for life insurance or individually underwritten health insurance. Government investigators may also seek PHR records for those seeking a security clearance. An employer may want the records for a post-hiring review of health.
Depending on the configuration of the PHR and how it interacts with any associated web sites and other resources, the PHR and associated records may also reveal information beyond what is found in a standard health record. For example, suppose that a consumer’s daughter has spina bifida. The consumer’s health record maintained by his physician may not reveal that information. But the PHR record or profile may. If the consumer constantly seeks information about spina bifida on web sites associated with the commercial PHR company in some way, the record of PHR usage may reflect the consumer’s interests through a search history, through participation in a discussion group, or from tracking of ads clicked upon by the consumer. There is high variability in how these kinds of systems can be set up, and there is an equally high variability in how non-HIPAA-covered PHR systems may approach privacy controls.
Roadmap: Personal Health Records – Why Many PHRs Threaten Privacy: II. Discussion - PHRs and Consents for Disclosure