Privacy of personal health information is a key concern for consumers of PHRs. A 2005 survey conducted by CHCF in collaboration with Forrester Research found that two-thirds of the sample of 2,000 consumers (1,000 nationally and 1,000 in California) said they were ‘very concerned’ (36%) or ‘somewhat concerned’ (31%) about the privacy of their health records. Research also suggests that consumers are concerned about the types of information collected and entered into the PHR; how the information is handled internally; and whether and how the information is provided to any external entities. Clearly there is a need for privacy standards and privacy policies for PHRs. However, there is not yet a consensus among PHR service providers about the specific elements that should be in all PHR privacy policies. Experts have attested that the widespread adoption of PHRs will largely be a function of public confidence and trust that personal health information will be adequately protected.
This section addresses privacy issues related to PHRs. First, we discuss privacy standards and issues related to privacy with respect to personal health information stored in PHRs. Then we present an overview of several PHR privacy policies under development. It is important to note that the privacy standards section and the security standards section are highly related, as many aspects of privacy are entwined with security issues.
Challenges Associated with Developing Privacy Standards for PHRs
There are a number of challenges associated with developing privacy standards for PHRs. In this section, we discuss the following challenges:
- There are no statutes or standards that define PHR service providers’ legal responsibilities.
- Consumers are misinformed about their privacy rights with respect to personal health information under HIPAA.
- Privacy standards for employer-provided PHRs will need to be considered, especially since HIPAA does not cover some employers.
- PHR vendors or third parties that are not covered by HIPAA do not need to notify consumers of their privacy policies and practices related to secondary uses of personal health information. As a result, consumers may be unaware that their personal health information is being used and disclosed to other entities in the U.S. or abroad for secondary.
- States have different laws governing privacy and security of personal health information.
- Privacy standards must balance the need for privacy and confidentiality with the need to maintain an accurate medical record.
The first key challenge associated with developing a privacy standard for PHRs is defining the legal responsibilities of PHR service providers, given that they are non-covered entities under the Health Insurance Portability and Accountability Act (HIPAA). The National Committee on Vital and Health Statistics (NCVHS) at the Department of Health and Human Services (DHHS) concluded that there are no statutes or standards that define PHR service providers’ legal responsibilities.
A third issue is that HIPAA does not cover some employers, and thus, privacy standards for employer-provided PHRs will also need to be considered. HIPAA does not consider employers who collect information directly from employees (e.g., for a pre-employment physical, job application, or via an employee assistance or wellness program) to be ‘covered entities.’ Given that PHRs are being developed by certain employers and other entities that are not covered by the HIPAA privacy rule, privacy standards will need to be developed with respect to the use and disclosure of personal health information within employer-provided PHRs. A 2007 CHCF issue brief concluded that employers will need to develop standards that ‘at a minimum address privacy, security, and confidentiality of PHRs.’
A fifth challenge is that states have different laws governing privacy and security of personal health information, and consumers may not be aware of their rights. For example, while California has stringent privacy and security laws governing the use of personal health information that are layered on top of the HIPAA privacy rule, other states have more limited regulations. A February 2008 issue brief by CHCF explored the issue of consumer control over personal health information, and determined that the current legal system ‘falls short as a viable legal framework for health information custodians,’ such as PHRs. Existing federal and state laws will need to be considered when developing PHR privacy standards.
In June 2006, NCVHS released its report titled Privacy and Confidentiality in the Nationwide Health Information Network, which includes recommendations on consumer rights over their personal health information and also covers a host of other issues ranging from regulatory issues to recommendations for maintaining and establishing the public trust. These recommendations were presented to the U.S. Secretary of Health, Michael O. Levitt. The NCVHS recommended that consumers should have a limited right to control their personal health information electronically:
Giving individuals unlimited control is one way to empower them. On the other hand, if individuals had unfettered control, health care providers would likely place less confidence in the accuracy and completeness of their records…. For these reasons, if individuals are given the right to control access to their records, the right should be limited.
NCVHS was not prescriptive about the best method to institute limited individual control over health records. NCVHS continues to work on furthering these recommendations. In June 2007, the NCVHS Subcommittee on Privacy and Confidentiality Working Group discussed privacy issues and other issues related to consumer control over PHRs in a working session held in Washington, D.C.
Specifically, the group addressed privacy of health information within the context of the CCR and CCD. The Committee discussed the merits of masking certain types of data in the CCR or CCD, and the implications of transferring masked data from one provider to another. For example, should certain types of drugs (e.g., mental health drugs) or genetic information (e.g., family history of Huntington’s disease) be masked to protect the account holder’s privacy? One member of the Committee was particularly concerned about the social and ethical ramifications of blinding/masking mental health or genetic information: ‘By treating mental illness separately [and] by treating genetic disorders separately, we may be further contributing to the stigmatization of these conditions and putting into the future the time when there will be no difference between mental illness and other illnesses and so forth.’
Recommendations for PHR Privacy Standards
The NCVHS made several recommendations for the development of PHR privacy standards. First, standards should be developed to ensure that consumers are always notified of secondary uses of data in PHRs. NCVHS specifically recommended that if HHS or another agency intends to use CMS data in PHRs, then there should be a requirement that ensures that those PHR systems provide notice to consumers of the uses of personally identifiable information. Second, privacy standards for PHRs should be developed within the context of the National Health Information Network (NHIN). Third, consumers should be educated about their rights with respect to privacy and personal health information stored in PHRs. Fourth, if individuals are granted control over the specific content within their health records, that control should be limited by specific factors such as the individuals’ age, treatment/condition, and/or type of provider. Finally, the NCVHS recommended that third party vendors, or other entities not covered by HIPAA, adopt their own privacy policies that are at least equal to those outlined in HIPAA.
- Policy must be required for all PHR vendors;
- Policy must be transparent on secondary data uses;
- PHR vendor must disclose business relationships relating to “handling, processing, data mining, or other management of PHR data” to consumers;
- Policy must provide information about the relationship of the PHR service provider’s policies to HIPAA; and
- Policy must be written at a 6th grade reading level and include a glossary of technical terms used.
The World Privacy Forum released a report on privacy and PHRs in February 2008, which specifically outlines eight areas of concern: ‘privilege, subpoenas, marketing of health care data, linkage of records, security, ability to correct files, consent issues, and the role of privacy policies.’ These areas should be considered when developing privacy standards for PHRs. Finally, the Federal Trade Commission (FTC) is also exploring patient privacy and consumer protection issues in health information technology, which may be relevant to the development of PHR privacy standards. The FTC is holding a public workshop to examine patient privacy in health information technology in April 2008.
Examples of Privacy Statements
While privacy standards for PHRs are still under development, organizations such as Microsoft and Elder Issues have released privacy policies and statements for the use of their PHR products and platforms. A brief discussion of their privacy policies is presented below.
Microsoft recently released a privacy statement for the beta version of HealthVault. The privacy statement specifically applies to data collected by Microsoft through the Microsoft HealthVault beta version, but not data collected through other Microsoft products. The privacy statement begins with an introduction to sharing health information via HealthVault. The second section addresses the collection of personal health information and authentication process. This section indicates that the owner of the account is, by default, the custodian of the record, and therefore has full control over the information.
Given that HealthVault is a platform – not a PHR – Microsoft also urges users to reference the privacy statements of other programs that they use in concert with HealthVault. The third section of the privacy statement explains the utility of the HealthVault Connections Center; users can use the Connections Center to add data to health records in their HealthVault account from other health devices (e.g., a heart-rate monitor). The fourth section discusses how users can share health information with other parties or programs, and the process of assigning access. The fifth and sixth sections address how Microsoft will use the personal health information in HealthVault, and the process used to aggregate information and statistics. In addition, the statement explains that personal information collected using HealthVault may be “stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or agents maintain facilities, and by using the Service, [users] consent to any such transfer of information outside of the U.S.” Microsoft HealthVault’s privacy statement indicates that users’ personal information may be aggregated for marketing purposes, but is not associated with an individual account without the users’ opt-in consent.