.	HOME \| RESEARCH & TOPICS \|WORKPLACE\| MEDICAL \| ABOUT US \| RESOURCES \| PRIVACY POLICY

The Personal Health Records Page

About PHRs, World Privacy Forum Publications on PHRs and privacy, and other resources

What are Personal Health Records (PHRs)?

Personal Health Records, or PHRs, are essentially medical files or health records about a person. The term PHR has been coined by the health care sector to mean records that are used or controlled mainly by consumers, instead of records mainly used or controlled by doctors. PHRs can include data gathered from different sources; for example, a PHR may have information from doctors, insurers, and gyms, among others. The information in a PHR may be made available to the consumer and in some cases to those a consumer authorizes. Some PHRs are online tools, but not all are.

PHRs have been promoted in recent years as being an empowering panacea of benefits for consumers, but there has been little meaningful discussion of the complex and serious privacy issues PHRs can raise. For example, very few consumers know that not all PHRs are protected by HIPAA, the federal privacy rule that applies to medical files held at, for example, hospitals.

PHRs can have varying levels of privacy protections. Some PHRs operate within the health care system and are bound by the HIPAA privacy rule, like other medical files held at hospitals. Other PHRs may be sponsored by employers or other third parties, and may be entirely outside the health care system. Some PHRs fall outside of HIPAA and its protections. Privacy practices can vary widely among PHRs, as can security mechanisms. For this reason, it is essential that consumers know that not all PHRs protect privacy in the same way, and some PHR systems can undermine consumer privacy in serious ways that consumers may not be expecting.

The World Privacy Forum has published a consumer advisory about PHRs, available here, as well as a report analyzing privacy issues in PHRs.

REPORT: Personal Health Records: Why Many PHRs Threaten Privacy

Released February 20, 2008

Author: Robert Gellman

Read the analysis of the privacy risks of PHRs Personal Health Records: Why Many PHRs Threaten Privacy (PDF, 16 pages)

This report is a legal analysis of PHRs and what privacy issues are at stake in PHRs, especially PHRs that exist outside of HIPAA, the federal privacy rule. Very few consumers know that medical files can be handled outside of HIPAA, and all that can mean. This report analyzes the legal landscape in this area.

CONSUMER ADVISORY: The Potential Privacy Risks in Personal Health Records Every Consumer Needs to Know About

Released February 20, 2008

Read the Consumer Advisory: The Potential Privacy Risks in Personal Health Records Every Consumer Needs to Know About (PDF, 5 pages)

Key recommendations for consumers in the advisory include:

Don't assume your medical records are protected no matter where they are: HIPAA privacy protections generally do not follow the health care files
Look before you share: the details are in the fine print
If the PHR is not covered by HIPAA, the health information may be handled in ways you do not expect
It is crucial to pay attention to what consent forms you are signing or checking off in any PHR
All PHRs are likely to make some disclosures of information
Reading the fine print of advertising-supported PHRs is essential
When accessing any PHR, practice good computer hygiene

Other PHR Resources (External links)

Study: Review of the Personal Health Record Provider Market: Privacy and Security, January 2007.
http://www.hhs.gov/healthit/ahic/materials/01_07/ce/PrivacyReview.pdf

NCVHS Recommendations: Personal Health Records and Personal Health Records Systems, February 2006.
http://www.ncvhs.hhs.gov/0602nhiirpt.pdf