Personal Health Records Roundtable

Understanding the Evolving Landscape

Personal health records (PHRs) have the potential to give individuals more control over their health information — collecting, using, and sharing it as they see fit. On December 3, the Office of the National Coordinator for Health Information Technology (ONC) held a PHR Roundtable to gain a better understanding of PHRs as well as other emerging technologies, and the dynamic and evolving market in which they exist, with a focus on privacy and security. The Roundtable will help inform a congressionally mandated study and a report to Congress on entities not covered by the Health Insurance Portability and Accountability Act (HIPAA). ONC expects to deliver the report to Congress in 2011.

Dr. David Blumenthal, the National Coordinator for Health Information Technology, introduced the Roundtable by noting that PHRs are likely to grow in importance as more health care providers meaningfully use electronic health records (EHRs). A major objective of incentives encouraging the meaningful use of EHRs is to engage patients and their families in their health care. PHRs and related technologies can further this objective.

Usefulness and Trustworthiness of PHRs

At the PHR Roundtable, four panels of experts and industry representatives explored the growth of PHRs, focusing on the nature and adequacy of privacy and security protections. A key message from the Roundtable was that PHRs grow in value when people find them useful and trustworthy. Their usefulness grows as they are able to readily pull information from EHRs and other sources of clinical information, as well as from monitoring devices and mobile applications. The usefulness increases even more as that information can be organized to help people with their particular health care concerns and can inform clinical decision making.

The Roundtable confirmed that people care about the trustworthiness of PHRs, which includes considerations of privacy, confidentiality, and security. However, often individuals do not have the ability or information to understand or evaluate the trustworthiness of a particular PHR and related service providers. As PHRs merge health information from health care providers with information from other sources and give individuals choices about how to use or disclose that information, the privacy and security issues associated with PHRs increase.

Privacy and Security Protection

During the PHR Roundtable, representatives of the Federal Trade Commission (FTC), the HHS Office for Civil Rights, and the California Office of Privacy Protection explained how they are active in oversight of PHRs. They provided attendees with an overview of the primary ways in which the privacy and security of health information in PHRs are protected under current federal law:

  • HIPAA: PHRs offered by or on behalf of most health plans and health care providers (“HIPAA covered entities”) are protected by the requirements of the HIPAA Privacy and Security Rules. These rules restrict the ways in which health plans and health care providers can use and disclose identifiable health information in a PHR. They also require covered entities to have administrative, physical, and technical safeguards in place to keep information in PHRs secure from unauthorized access and use.
  • Section 5 of the Federal Trade Commission Act: PHRs that are not offered by or on behalf of a HIPAA covered entity, including those that are employer sponsored or offered by technology companies or other organizations directly to consumers, are subject to Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices. This means that the FTC can hold PHR companies to the statements they make about privacy and security in their contracts and publicly posted policies (such as privacy notices). The FTC has also used its authority to find that inadequate security practices are unfair to consumers, who expect that their information will be adequately protected. The FTC recently released a staff report, “Protecting Consumer Privacy in an Era of Rapid Change,” which recommends a broad framework for protecting consumer information in light of new practices and business models; that framework can help inform the discussion of health information privacy and security applicable to PHRs offered by non-covered entities.
  • Breach notification: HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act require that individuals be notified of a security breach that results in the release of their health information, including information stored in PHRs, regardless of which type of organization offers the PHR. For covered entities this obligation comes through the HHS Breach Notification Rule; for PHR vendors outside HIPAA it comes through the FTC’s Health Breach Notification Rule, which HITECH directed the FTC to issue. In both cases the duty applies to breaches of unsecured information, so information that is encrypted in a way that renders it unusable to an unauthorized party falls outside the notification requirement.

A second subpanel of legal experts looked ahead to different approaches to legal or private-sector oversight and requirements. At the end of the day, however, it was clear that determining which approach best fits this dynamic industry remains subject to continuing debate and refinement.

Visit the ONC website to view the archived webcast of the PHR Roundtable. Although the comment period associated with the PHR Roundtable closed December 10, we invite you to continue the discussion on PHRs by submitting comments below.


  1. Patrice Kuppe says:

    PHRs that are populated by health plans (especially Medicare) are not accurate when health plans do not allow providers to report all services on claims or the health plan bundles or unbundles the procedure code(s).

  2. Jacob says:

    Regarding the security issues we would have to think about this in a logical way.
    The medical information would be well protected digitally as required by law.
    Yes, any electronic information can be hacked (eventually) no matter how encrypted it is… to an extent. (This is the problem with electronic voting machines).
    So in order for anyone to get this information, they would have to go through a long and complicated effort.

    (I mentioned in another post) “is this information accessible online to patients?” if so this would bring an entirely different security issue.
    Secured information isn’t secure when the individual’s computer has been compromised (spyware, malware, etc.). Let’s face it, many people do not have good security on their own computers.
    The solution to this issue is to have the information available to the patient (at location) on the hospital networks (not on public internet access). This way patients can access their information and know that doing so is safe.

    Next, who would want to access someone else’s information?
    The only situations where I would think someone would want medical information would be in a legal battle. Even if they did somehow manage to get it, the medical information could not be used in court since it was obtained illegally (government or private individual).

    Having a point-of-access terminal at the hospitals made specifically for patient use with thorough verification processes would absolutely solve a huge chunk (if not all) of these issues.

    Hopefully this sets some ease about the “security issues” for the general public.

  3. Steven Turner says:

    I am all about anything that makes storing and sharing my health records and info easier if we can do it safely. My concern is anything that centralizes too much and gives the gov’t too much power over me. I would love this with medical, dental and even financial type records.

  4. Patricia K. Dudek says:

    I would like an insurance card for United Health; for some reason there is an error in my name. I have been with United Health Insurance for more than 10 years. But this year they decided to misspell my name. I have talked to 5 or more people and tried 7 or 8 web sites and still can’t get a correct health card. My name is Patricia Dudek and I need it ASAP.
    Someone please help.
