WPF Resource Page: Personal Health Records

About PHRs, World Privacy Forum Publications on PHRs and privacy, and other resources


What are Personal Health Records (PHRs)?

Personal Health Records, or PHRs, are essentially medical files or health records about a person. The term PHR has been coined by the health care sector to mean records that are used or controlled mainly by consumers, instead of records mainly used or controlled by doctors. PHRs can include data gathered from different sources; for example, a PHR may have information from doctors, insurers, and gyms, among others. The information in a PHR may be made available to the consumer and in some cases to those a consumer authorizes. Some PHRs are online tools, but not all are.

PHRs have been promoted in recent years as an empowering panacea for consumers, but there has been little meaningful discussion of the complex and serious privacy issues PHRs can raise. For example, very few consumers know that not all PHRs are protected by HIPAA, the federal privacy rule that applies to medical files held at hospitals and similar providers.

PHRs can have varying levels of privacy protections. Some PHRs operate within the health care system and are bound by the HIPAA privacy rule, like other medical files held at hospitals. Other PHRs may be sponsored by employers or other third parties, and may be entirely outside the health care system. Some PHRs fall outside of HIPAA and its protections. Privacy practices can vary widely among PHRs, as can security mechanisms. For this reason, it is essential that consumers know that not all PHRs protect privacy in the same way, and some PHR systems can undermine consumer privacy in serious ways that consumers may not be expecting.

The World Privacy Forum has published a consumer advisory about PHRs, available here, as well as a report analyzing privacy issues in PHRs.


REPORT: Personal Health Records: Why Many PHRs Threaten Privacy

Released February 20, 2008

Author: Robert Gellman

This report is a legal analysis of PHRs and the privacy issues at stake in them, especially PHRs that exist outside of HIPAA, the federal privacy rule. Very few consumers know that medical files can be handled outside of HIPAA, or what that can mean for their privacy. This report analyzes the legal landscape in this area.

Download the report (PDF)

Read the report


CONSUMER ADVISORY: The Potential Privacy Risks in Personal Health Records Every Consumer Needs to Know About

Released February 20, 2008

Key recommendations for consumers in the advisory include:

  • Don’t assume your medical records are protected no matter where they are: HIPAA privacy protections generally do not follow the health care files
  • Look before you share: the details are in the fine print
  • If the PHR is not covered by HIPAA, the health information may be handled in ways you do not expect
  • It is crucial to pay attention to what consent forms you are signing or checking off in any PHR
  • All PHRs are likely to make some disclosures of information
  • Reading the fine print of advertising-supported PHRs is essential
  • When accessing any PHR, practice good computer hygiene

Download the Consumer Advisory (PDF)

Read the Consumer Advisory


Other PHR Resources (External links)