Patient Privacy

WPF Resource Page: Personal Health Records

PHRs have been promoted in recent years as being an empowering panacea of benefits for consumers, but there has been little meaningful discussion of the complex and serious privacy issues PHRs can raise. For example, very few consumers know that not all PHRs are protected by HIPAA, the federal privacy rule that applies to medical files held at, for example, hospitals.

Legal and Policy Analysis: Personal Health Records: Why Many PHRs Threaten Privacy

New publication | PHRs and privacy — The World Privacy Forum has published a new legal and policy analysis examining Personal Health Records — or PHRs — and the privacy issues associated with them. This analysis, Personal Health Records: Why Many PHRs Threaten Privacy, was prepared by Robert Gellman for the World Privacy Forum. The analysis finds that significant, serious threats to privacy exist in some PHRs.

Briefing Paper – Responses to Medical Identity Theft: Eight best practices for helping victims of medical identity theft

Version 1: October 16, 2007. The World Privacy Forum, as part of its ongoing in-depth research into medical identity theft issues and responses, has outlined 8 best-practice responses to the crime by the health care sector. These best practices are based on interviews with victims, providers, and other stakeholders. These 8 best practices are

World Privacy Forum gives keynote speech to AHIMA on medical identity theft; outlines 8-point best-practice responses to the crime

Medical identity theft | AHIMA — Executive director Pam Dixon spoke to thousands of AHIMA delegates in Philadelphia, sharing the latest information on medical identity theft and outlining 8 best-practice responses to the crime for the health care sector. Dixon specifically asked for the creation of national guidelines for helping medical identity theft victims, the ability for victims to set red flag alerts in their health care files, trained and dedicated provider personnel to help medical identity theft victims, “John and Jane Doe” file extractions, a focus on addressing insider access to patient information, risk assessments specifically for medical identity theft, and educational efforts. The information in the speech was based on the latest World Privacy Forum research in the area of medical identity theft.

Public Comments: World Privacy Forum files comments on CMS plan to allow release of patients’ protected health information from Medicare database in some circumstances; benefits do not outweigh the risks

Medicare – CMS — The World Privacy Forum filed extensive public comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.