Consumer Tips: The Potential Privacy Risks in Personal Health Records
World Privacy Forum Consumer Advisory:
The Potential Privacy Risks in Personal Health Records Every Consumer Needs to Know About
February 20, 2008
Personal Health Records – or PHRs – are a new trend in health care. A PHR is a health record about a consumer that includes data gathered from different sources (e.g., health care providers, insurers, the consumer, and third parties such as gyms and others) and is made accessible, often online, to the consumer and to those authorized by the consumer. PHRs are often touted as a tool for consumer empowerment. But the privacy risks of PHRs have not been widely discussed. Consumers need to know that not all PHRs protect privacy in the same way, and some PHR systems can undermine consumer privacy in serious ways that consumers may not be expecting.
In PHRs, important information about privacy procedures and policies is contained in the fine print, and the fine print really matters. That’s because some PHRs are covered under HIPAA privacy protections, but many PHRs are not covered under HIPAA privacy protections. Few consumers understand that their health care files are not always protected under HIPAA when their files are in a PHR.
Even PHRs that are covered under HIPAA can present potential privacy issues. However, HIPAA does provide some baseline privacy protections.
Here is additional information about PHRs and privacy.
Not all PHR records are private in the same way as other health information
Not all PHRs have the same levels of privacy protection. Some PHRs are covered under the federal privacy rule known as HIPAA, but many are not. HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal rule that establishes a baseline for health privacy in the United States. The HIPAA rules establish minimum privacy and security standards for covered entities. A covered entity is a health care provider, health insurer, or clearinghouse.
Records in PHRs that are covered under HIPAA have built-in standards for privacy and security, including standards governing disclosure, access, correction, and other privacy elements. Many experts believe HIPAA’s protections are weak. It is true that HIPAA is not a privacy cure-all. But even the weak HIPAA standards still supply some protections.
Don’t assume your medical records are protected no matter where they are: HIPAA privacy protections generally do not follow the health care files
HIPAA’s protections generally do not “travel” with or follow a medical record that is disclosed to a third party outside the health care treatment and payment system. If a health care provider (such as a hospital or a pharmacy) or a health plan maintains a health care record, the record is protected under HIPAA. But if a third party that is not a covered entity under HIPAA obtains the records, then HIPAA does not usually apply.
Look before you share: the details are in the fine print
PHR privacy policies may contain key phrases that can sometimes give you clues about whether a PHR is covered under HIPAA or not.
- Look for the phrase “HIPAA covered” or “HIPAA-covered entity.”
“HIPAA covered,” “covered under HIPAA,” and “HIPAA-covered entity” are phrases a health care provider or health plan may use when describing a sponsored PHR. These phrases usually mean that the PHR is covered under HIPAA.
If you have any doubts or questions about whether or not a PHR you are considering using is a covered entity under HIPAA or not, ask the sponsor if the PHR is a covered entity under HIPAA.
If the PHR is not covered by HIPAA, the health information may be handled in ways you do not expect
After you have disclosed your health care information to a PHR outside the privacy protections of the health care system (HIPAA), your information can be used or redisclosed by the PHR in ways that would not be permitted for the same information if held by your doctor or health plan.
It is crucial to pay attention to what consent forms you are signing or checking off in any PHR
Pay close attention to how all PHR vendors obtain consent, and for what purpose. You may be asked to consent at varying times when you use a PHR. How this happens will vary widely depending on the PHR system.
Pay close attention to the registration pages. These pages may include check boxes that, if checked, will allow greater use and sharing of your data. Sometimes, check boxes are pre-checked and are located in out-of-the-way places, for example, at the bottom of a page. Just signing up for a PHR may constitute consent for some disclosures of your information.
If you decide to allow greater use or sharing of your information, find out what specific data will be shared, and how you can control that sharing. Remember that once you allow your information to go to a third party, any privacy protections may disappear. That third party may be able to use your data without restriction, depending on the applicable policies.
Read all PHR privacy policies very carefully to find out how consent works at the PHR, and find out how you can withdraw your consent if you decide to later on. See if it is possible to withdraw your entire record from the PHR so that no traces remain.
All PHRs are likely to make some disclosures of information
If the PHR is covered under HIPAA, covered entities may still disclose your files without your consent under some circumstances. These circumstances are determined by HIPAA, and may be strengthened by some state laws. The rules for files in PHRs will not usually be very different from the rules that already apply to your health care records.
Reading the fine print of advertising-supported PHRs is essential
In some cases, PHRs may also have tools like specialized search engines, articles on health conditions, and discussion groups as part of their PHR product offerings. Be aware of the policies regarding what happens to the search terms you type in and how your browsing history and other activities are handled. If, for example, you search for a rare genetically-based disease while at a PHR provider’s search engine, then read a series of articles there about the same disease, order a genetic test online from an advertiser, and then store the results of the test in your PHR, those activities can say a lot about you by inference. All of that information about your searching, testing, and test results may be vulnerable to use and disclosure by the PHR.
Make sure that all of your activities at PHRs are as private as you want them to be. Check and re-check the fine print. If the fine print doesn’t tell you everything you need to know, or doesn’t establish policies that protect your privacy, take your business and your records elsewhere.
When accessing any PHR, practice good computer hygiene
Avoid accessing your health care information online from computers at your place of employment or in a public computer terminal with multiple users, such as at a public library. If the PHR displays online ads in the PHR itself or on nearby pages, be very aware of what information is flowing to the advertiser before you click on an ad or offer. Don’t click if you don’t know the details.
Alternatives to third party PHRs
If you are nervous about giving your health information to a PHR provider, one alternative is to maintain your own records. You have the right to obtain a copy of your health records from your health care providers and health insurers, and this is something that is generally a good idea. There are software tools that you can use on your own computer to help keep your records organized, or if you wish, you can store your files in other formats, such as paper or on discs. The American Health Information Management Association has a helpful and useful site on this topic, http://www.myphr.org/.
For more detailed information about privacy and PHRs, see Personal Health Records: Why Many PHRs Threaten Privacy.
Robert Gellman and Pam Dixon.