Personal Health Records: Introduction
Personal health records – or PHRs – are a relatively new phenomenon in health care today. As discussed here, a PHR is a health record about a consumer that includes data gathered from different sources (e.g., health care providers, insurers, the consumer, and third parties such as gyms and others) and is made accessible, often online, to the consumer and to those authorized by the consumer. Businesses large and small are moving to take advantage of the potentially lucrative new business model PHRs provide, especially as leveraged through the Internet. Some of the newest PHR players include large and well-known technology companies, but some health care providers, insurers, and employers also promote PHRs. There are dozens of different PHR vendors.
As a new type of convenience technology for consumers, PHRs are promoted as giving consumers more knowledge and an opportunity to be more actively engaged in their own health care. Physicians, insurers, laboratories, and others who create or handle a consumer’s health care records can deposit copies of records in the consumer’s PHR. A consumer can also put information in his or her PHR, depending on the PHR system.
One alleged promise of PHRs is that consumers will have more control over their own health care because their information will be more accessible to them. PHRs may offer some benefits for consumers, but there are also potential negative consequences both for consumers and for the health care system at large that have not been carefully examined. It is crucial for consumers to understand the potential privacy consequences that exist before they share sensitive health information outside the health care system.
The role of HIPAA in PHRs
Not all PHRs have equal privacy protections. Some PHRs operate within the health care system and are covered under HIPAA. But some PHRs operate outside of HIPAA, and this is a point of confusion for many consumers.
HIPAA is a federal rule that establishes a baseline for health privacy in the United States. The HIPAA acronym stands for the Health Insurance Portability and Accountability Act. Under the authority of that Act, the Federal Department of Health and Human Services issued a health privacy rule and a security rule. These rules establish minimum privacy and security standards for covered entities. A covered entity is a health care provider, health insurer, or clearinghouse.
Because of the structure of HIPAA, its privacy protections do not generally follow a health record. The applicability of HIPAA’s privacy protections depends on the kind of entity that processes a health care record. The basic idea is that if a health care provider (hospital, physician, pharmacist, etc.) or a health plan maintains a health care record, the record is protected under HIPAA. However, if a person or business that is not a covered entity under HIPAA holds the records, then HIPAA does not apply. This is a highly simplified description of a complicated rule.
For PHRs, the important thing is that unless the PHR vendor is itself a covered entity under HIPAA, the HIPAA health privacy rule does not apply. Even if a covered entity sponsors a PHR, it is still possible that the HIPAA privacy protections will not apply, depending on the circumstances. Many PHRs that have come to public attention are commercial and fall outside of HIPAA.
PHR business models
A variety of intricate business models exists in the PHR world. There are generally three types of commercial PHR business models. In one model, a consumer simply pays for the PHR service. In a second model, a PHR is free to consumers because the service is supported by advertising. In a third model, an employer or health plan might pay for the service, perhaps with the hope of saving money on health care costs. All three funding models could be in play at the same time. For example, a PHR service paid for by an employer, health plan, or consumer may still sell advertising.
It should be noted that in these models, many other technology elements may be present. There may be informational web sites, niche search engines, articles, surveys, software downloads, and a host of other offerings (or not) associated with the PHR system. No matter what the configuration, the pressure to make a profit can place commercial PHRs in conflict with consumers over privacy.
A physician is bound by law and medical ethics to not exploit patient records for personal profit. However, the commercial variety of PHRs not covered under HIPAA generally do not operate under the same legal and ethical traditions. They may not be bound by laws established for the health care sector or by any established medical ethical guidance.
Risk of consumer confusion
Few consumers understand the complex workings of HIPAA. It has always been important for consumers to understand the broad outlines of HIPAA, and especially to understand their rights under HIPAA. But the need for clear consumer understanding has greatly increased due to the high potential for confusion the PHR trend has raised.
This interplay of “is it covered under HIPAA? Is it not covered under HIPAA?” is where the risk of consumer confusion is highest. Consumers may assume that a health care record has special protections in its own right, because this is what they are used to at their doctor’s office. But as discussed, this is not how the federal HIPAA health privacy protection works. HIPAA will not apply to many commercial PHRs, and many state health privacy laws will not apply either. But how many consumers know this?
Roadmap: Personal Health Records – Why Many PHRs Threaten Privacy: I. Introduction