Personal Health Records: PHRs and Consents for Disclosure

Report home | Read the report (PDF) | Previous section | Next section


Under HIPAA, if a consumer wants to authorize a covered entity to disclose her records, she will usually be obliged to sign an authorization form. The HIPAA rule prescribes the content of the authorization form and its scope. That rule provides some protections because it makes it harder for a consumer to unknowingly sign a form authorizing the disclosure of health records. For example, if a consumer signs a one-sentence form authorizing anyone with records about the consumer to disclose the records to the bearer of the form, it is unlikely that any doctor or hospital would or should honor that form.

What rules apply to PHRs? Most existing laws about authorizing disclosures of health records predate PHRs, and few of those laws will apply. Unless a law applies, the PHR vendor sets the rules for the records it maintains. It can honor a one-sentence authorization form signed five years earlier. It can accept a tick box checked while reading an ad on the PHR website. Suppose, for example, that a PHR contains blood pressure readings for the last few years. An advertisement about blood pressure medicine appears when the consumer reads the PHR record, and it says “click here for an analysis of your actual blood pressure results.” The PHR accepts that click as authorization, and the effect is that the consumer has unwittingly and irretrievably disclosed his blood pressure and perhaps other personal information to the company that placed the ad. The advertiser who obtained the information with this “consent” may then save, use, and redisclose the information at will, depending on the privacy policy in effect (if there is a privacy policy). In the digital environment, consent can often amount to nothing more than a pre-checked box in small print at the bottom of a lengthy notice. It may be in the interest of the PHR company – but not the consumer – to readily allow disclosures in order to increase advertising revenues.

In the absence of law, a PHR can have any rule that it chooses about disclosing information with consent. It can require affirmative consent (opt-in) on a designated printed form. It can allow disclosure for some activities unless a consumer objects (opt-out) by submitting a letter through postal mail. The PHR vendor can accept a checked box on a website. Whether a PHR’s consent rules and procedures are adequate is for each consumer to evaluate. The process may vary from PHR to PHR and, perhaps, even within the same PHR system depending on the type of disclosure. Those who surf the web routinely know that it can be easy to check a box, forget to uncheck a box, or agree to something unintentionally because the authorization was buried deep in an unread notice. A casual consent to enter a sweepstakes for a one-in-a-million chance to win a t-shirt could obscure a broad authorization for the disclosure of health information. That type of authorization would not comply with HIPAA requirements, but a non-HIPAA covered PHR vendor could accept it.

Many organizations may want to use PHR records for other purposes. Finding old or scattered health records can be challenging in many cases. If the PHR vendor successfully gathers records from many sources, it will be a boon to those outside the health care system who want health information about consumers and have the leverage to obtain some form of consent. Why seek records in a dozen places when someone has nicely centralized them and can share them in digital formats? It is likely that PHR records will be sought by insurance companies for consumers who apply for life insurance or individually underwritten health insurance. Government investigators may also seek PHR records for those seeking a security clearance. An employer may want the records for a post-hiring review of health.

Depending on the configuration of the PHR and how it interacts with any associated web sites and other resources, the PHR and associated records may also reveal information beyond what is found in a standard health record. For example, suppose that a consumer’s daughter has spina bifida. The consumer’s health record maintained by his physician may not reveal that information. But the PHR record or profile may. If the consumer constantly seeks information about spina bifida on web sites associated with the commercial PHR company in some way, the record of PHR usage may reflect the consumer’s interests through a search history, through participation in a discussion group, or from tracking of ads clicked on by the consumer. There is high variability in how these kinds of systems can be set up, and there is an equally high variability in how non-HIPAA covered PHR systems may approach privacy controls.



Roadmap: Personal Health Records – Why Many PHRs Threaten Privacy: II. Discussion – PHRs and Consents for Disclosure