Personal Health Records: PHRs and Privacy Policies
Privacy policies and terms of service may, if read carefully, reveal something about the bona fides of the PHR vendor. Here are a few questions to consider.
• Does the PHR vendor disclaim all liability for the availability or accuracy of information?
• Does the policy say that the user must pay the PHR’s expenses in case of a lawsuit arising from use of the service?
• Is a user’s ability to recover damages limited or excluded in case of harm?
• Does the PHR collect personal information about consumers from other sources (e.g., data brokers)?
• Does the PHR say that it has no control over the use of personal information by third-party advertising networks?
• Are a consumer’s searches stored over time so that the PHR vendor has a search use profile that can be used or shared?
• Does the website reveal when someone else paid the PHR vendor to display information? Are paid links identified?
• What happens to personal information if a user stops using the service?
• Is the user’s information completely deleted upon request?
• Can the PHR vendor transfer identifiable information to another country where there are no privacy or security protections?
• Can the vendor transfer information to another company without express permission?
• How many separate privacy policies and terms of service apply to the PHR vendor, and how do they overlap?
• How long are these policies?
• Are the policies comprehensible to anyone other than a lawyer?
• Does the PHR vendor clearly state its relationship to HIPAA? If so, does the vendor say that it is “covered under HIPAA”? That statement is much more meaningful than if the PHR vendor says that it is “compliant with HIPAA.” The term HIPAA-compliant is sometimes used by PHR companies that are not covered by HIPAA. This term can be confusing to consumers who do not clearly understand the difference between HIPAA-covered and HIPAA-compliant.