Personal Health Records: PHRs and Privacy Policies

For a non-HIPAA covered PHR, the privacy policy becomes a key document, if it is available. The privacy policy of a PHR vendor may tell consumers how the vendor plans to use personal information. It is possible that a commercial or advertising-supported PHR will do a good job of protecting its clients from uninformed or casual disclosures of personal or health information. It is also possible that a cautious client will not be able to evaluate a PHR vendor’s policy or practice.

Privacy policies and terms of service may, if read carefully, reveal something about the bona fides of the PHR vendor. Here are a few questions to consider.

• Does the PHR vendor disclaim all liability for the availability or accuracy of information?

• Does the policy say that the user must pay the PHR’s expenses in case of a lawsuit arising from use of the service?

• Is a user’s ability to recover damages limited or excluded in case of harm?

• Does the PHR collect personal information about consumers from other sources (e.g., data brokers)?

• Does the PHR say that it has no control over the use of personal information by third-party advertising networks?

• Are a consumer’s searches stored over time so that the PHR vendor has a search use profile that can be used or shared?

• Does the website reveal when someone else paid the PHR vendor to display information? Are paid links identified?

• What happens to personal information if a user stops using the service?

• Is the user’s information completely deleted upon request?

• Can the PHR vendor transfer identifiable information to another country where there are no privacy or security protections?

• Can the vendor transfer information to another company without express permission?

• How many separate privacy policies and terms of service apply to the PHR vendor, and how do they overlap?

• How long are these policies?

• Are the policies comprehensible to anyone other than a lawyer?

• Does the PHR vendor clearly state its relationship to HIPAA? If so, does the vendor say that it is “covered under HIPAA”? That statement is much more meaningful than a statement that the vendor is “compliant with HIPAA.” The term “HIPAA-compliant” is sometimes used by PHR companies that are not covered by HIPAA, and it can confuse consumers who do not clearly understand the difference between being HIPAA-covered and being HIPAA-compliant.

One thing likely to appear in every PHR vendor’s privacy policy is the vendor’s right to change the policy. PHR vendors are likely to reserve the right to change the policy at any time, without notice, and without the user’s ability to object. What that means is that even if a PHR vendor has a current set of policies that protect privacy, the vendor can change those policies at will and with retroactive effect on previously collected information. If a PHR vendor finds that it is not making a profit, it can amend its rules about sharing information with marketers and try to increase its revenues. It is unlikely that PHR users will have the right to consent before a commercial PHR system changes its privacy policy. As the PHR industry consolidates, there could be a race to the bottom because the vendors who share information more broadly have the best chance to survive.



Roadmap: Personal Health Records – Why Many PHRs Threaten Privacy: II. Discussion – PHRs and Privacy Policies
