Understanding the Evolving Landscape

Personal health records (PHRs) have the potential to give individuals more control over their health information — collecting, using, and sharing it as they see fit. On December 3, the Office of the National Coordinator for Health Information Technology (ONC), held a PHR Roundtable to gain a better understanding of PHRs as well as other emerging technologies, and the dynamic and evolving market in which they exist, with a focus on privacy and security. The Roundtable will help inform a congressionally mandated study and a report to Congress on entities not covered by the Health Insurance Portability and Accountability Act (HIPAA). ONC expects to deliver the report to Congress in 2011. 

Dr. David Blumenthal, the National Coordinator for Health Information Technology, introduced the Roundtable by noting that PHRs are likely to grow in importance as more health care providers meaningfully use electronic health records (EHRs). A major objective of incentives encouraging the meaningful use of EHRs is to engage patients and their families in their health care. PHRs and related technologies can further this objective.

Usefulness and Trustworthiness of PHRs

At the PHR Roundtable, four panels of experts and industry representatives explored the growth of PHRs, focusing on the nature and adequacy of privacy and security protections. A key message from the Roundtable was that PHRs grow in value when people find them useful and trustworthy. Their usefulness grows as they are able to readily pull information from EHRs and other sources of clinical information, as well as from monitoring devices and mobile applications. The usefulness increases even more as that information can be organized to help people with their particular health care concerns and can inform clinical decision making.

The Roundtable confirmed that people care about the trustworthiness of PHRs, which includes considerations of privacy, confidentiality, and security. However, often individuals do not have the ability or information to understand or evaluate the trustworthiness of a particular PHR and related service providers. As PHRs merge health information from health care providers with information from other sources and give individuals choices about how to use or disclose that information, the privacy and security issues associated with PHRs increase.

Privacy and Security Protection

During the PHR Roundtable, representatives of the Federal Trade Commission (FTC), HHS Office for Civil Rights, and California Office of Privacy Protection explained how they are active in oversight of PHRs. They provided attendees with an overview of the primary ways that the privacy and security of health information in PHRs is protected under current federal law:

• HIPAA: PHRs offered by or on behalf of most health plans and health care providers (“HIPAA covered-entities”) are protected by the requirements of the HIPAA Privacy and Security Rules. These rules restrict the way that health plans and health care providers can use and disclose identifiable health information in a PHR. They also require covered entities to have administrative, physical, and technical safeguards in place to ensure that information in PHRs remains secure from unauthorized access and use.  
• Section 5 of the Federal Trade Commission Act: PHRs that are not offered by or on behalf of a HIPAA-covered entity, including those that are employer sponsored or offered by technology companies or other organizations directly to consumers are subject to Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices. This means that the FTC can hold PHR companies to the statements that they make about privacy and security in their contracts and publicly posted policies (such as privacy notices). The FTC has also used its authority to find that inadequate security practices are unfair to consumers, who expect their information will be adequately protected. The FTC has recently released a staff report, “Protecting Consumer Privacy in an Era of Rapid Change,” which recommends a broad framework for protecting health information in light of new practices and business models that can help inform the discussion of health information privacy and security applicable to non-covered entity PHRs.
• HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act require that individuals are notified of a security breach that results in the release of their health information, including information stored in PHRs regardless of the type of organization by which they are offered.

A second subpanel of legal experts looked ahead to different approaches to legal or private sector oversight and requirements. At the end of the day, however, it was clear that determining which approach best applies to this dynamic industry is subject to continuing debate and refinement.

Visit the ONC website to view the archived webcast of the PHR Roundtable. Although the comment period associated with the PHR Roundtable closed December 10, we invite you to continue the discussion on PHRs by submitting comments below.