Personal Health Records: PHRs and Security
Security is an important part of privacy. Are PHR records more secure? The answer depends on who maintains the PHR and whether the security of the PHR is sufficient. Information held by health care vendors and insurers is subject to the HIPAA health record security rule. For what it is worth, the HIPAA security rule has attracted less criticism than the HIPAA privacy rule. Whether any given health record keeper is actually doing a good job of complying is hard to say.
But — the HIPAA security rule does not apply to a PHR vendor that is not a HIPAA covered entity. The security a commercial PHR vendor supplies could be better than required by HIPAA, or it could be worse.
Can consumers trust big Internet or technology companies to protect health record security? It is clearly in the interest of these companies to protect their customers’ records. Nevertheless, recent history is replete with examples of data breaches and security gaffes by big organizations with sophisticated security mechanisms. Most software and operating systems in use today are significantly vulnerable to hackers and others.
In the end, however, even if protected by state-of-the-art technology, it is difficult to argue that a PHR vendor enhances the overall security of health information. At best, another organization that did not have the information before now maintains it in yet another location, whatever that configuration may be — whether that be a networked database or otherwise. If the security is truly good, then a consumer may be no worse off than before. However, the uncertainty about the security, about the transmission of data between a person’s computer and the PHR, or about the security of any information downloaded from the PHR to a personal computer remains. Nothing will ever eliminate security concerns when a third party is holding data.