Literature Review and Environmental Scan: Evaluation of Personal Health Records Pilots for Fee-for-Service Medicare Enrollees. PHR Privacy Policies and Standards


Privacy of personal health information is a key concern for consumers of PHRs. A 2005 survey conducted by CHCF in collaboration with Forrester Research found that two-thirds of the sample of 2,000 consumers (1,000 nationally and 1,000 in California) said they were ‘very concerned’ (36%) or ‘somewhat concerned’ (31%) about the privacy of their health records.[187] Research also suggests that consumers are concerned about the types of information collected and entered into the PHR; how the information is handled internally; and whether and how the information is provided to any external entities.[188] Clearly there is a need for privacy standards and privacy policies for PHRs. However, there is not yet a consensus among PHR service providers about the specific elements that should be in all PHR privacy policies.[189] Experts have attested that the widespread adoption of PHRs will largely be a function of public confidence and trust that personal health information will be adequately protected.[190]

This section addresses privacy issues related to PHRs. First, we discuss privacy standards and issues related to privacy with respect to personal health information stored in PHRs. Then we present an overview of several PHR privacy policies under development. It is important to note that the privacy standards section and the security standards section are highly related, as many aspects of privacy are entwined with security issues.

Challenges Associated with Developing Privacy Standards for PHRs

There are a number of challenges associated with developing privacy standards for PHRs. In this section, we discuss the following challenges:

  1. There are no statutes or standards that define PHR service providers’ legal responsibilities.
  2. Consumers are misinformed about their privacy rights with respect to personal health information under HIPAA.
  3. Privacy standards for employer-provided PHRs will need to be considered, especially since HIPAA does not cover some employers.
  4. PHR vendors or third parties that are not covered by HIPAA do not need to notify consumers of their privacy policies and practices related to secondary uses of personal health information. As a result, consumers may be unaware that their personal health information is being used and disclosed to other entities in the U.S. or abroad for secondary purposes.
  5. States have different laws governing privacy and security of personal health information.
  6. Privacy standards must balance the needs for privacy and confidentiality, with the need to maintain an accurate medical record.

The first key challenge associated with developing a privacy standard for PHRs is defining the legal responsibilities of PHR service providers, given that they are non-covered entities under the Health Insurance Portability and Accountability Act (HIPAA). The National Committee on Vital and Health Statistics (NCVHS) at the Department of Health and Human Services (DHHS) concluded that there are no statutes or standards that define PHR service providers’ legal responsibilities.

Under HIPAA, ‘covered entities’ are required to provide consumers with information about their privacy policies and practices. Covered entities include health plans, health care clearinghouses, and health care providers that engage in electronic transactions for which HIPAA standards have been adopted.[191] Entities such as PHR vendors, employers, certain types of insurers, providers that do not engage in electronic transactions for which HIPAA standards have been adopted, and third-party data warehouses are not covered by HIPAA, and thus are not required to comply with HIPAA regulations.[192] Privacy policies will need to clearly state whether the PHR vendor is covered by the HIPAA Privacy Rule.

A second challenge is that research suggests that consumers are misinformed about their privacy rights with respect to personal health information under HIPAA.[4] For example, when PHR vendors state that they are ‘compliant with HIPAA’ this does not mean that they are ‘covered under HIPAA’. This is an important distinction that consumers may not understand.[193] Such a distinction may be confusing, and further necessitates the development of a PHR privacy policy and privacy standards, more generally.

A third issue is that HIPAA does not cover some employers, and thus, privacy standards for employer-provided PHRs will also need to be considered. HIPAA does not consider employers who collect information directly from employees (e.g., for a pre-employment physical, job application, or via an employee assistance or wellness program) to be ‘covered entities.’[194] Given that PHRs are being developed by certain employers and other entities that are not covered by the HIPAA privacy rule, privacy standards will need to be developed with respect to the use and disclosure of personal health information within employer-provided PHRs. A 2007 CHCF issue brief concluded that employers will need to develop standards that ‘at a minimum address privacy, security, and confidentiality of PHRs.’[195]

A fourth challenge is that non-covered entities, such as PHR vendors, do not need to notify consumers of their privacy policies and practices (e.g., secondary uses of data for marketing, population health, or other purposes) with respect to personal health information.[196] The NCVHS concluded that: ‘The Committee is unaware of any requirement that compels PHR vendors not covered by HIPAA to provide to consumers the terms and conditions governing the privacy of their personal data.’[197] Thus, consumers may be unaware that their personal health information is being used and disclosed to other entities in the U.S. or abroad for secondary purposes. This is a major concern for consumers whose PHR service provider involves an outside business partner, such as a third-party data warehouse. Lecker et al. (2007) studied PHR privacy policies for the Department of Health and Human Services and found that only 3% (one in 30) of PHR privacy policies indicated that consumers needed to explicitly consent before the PHR vendor could share the data in their PHRs.[198] None of the privacy policies studied identified the PHR vendor’s third-party partners. This study demonstrates that even though consumers have not given explicit consent to share their personal health information with a third party or for other purposes such as marketing, consumers may still be at risk due to the construct of the PHR vendor’s privacy policy.[199]

A fifth challenge is that states have different laws governing privacy and security of personal health information, and consumers may not be aware of their rights. For example, while California has stringent privacy and security laws governing the use of personal health information that are layered on top of the HIPAA privacy rule, other states have more limited regulations.[200] A February 2008 issue brief by CHCF explored the issue of consumer control over personal health information, and determined that the current legal system ‘falls short as a viable legal framework for health information custodians,’ such as PHRs.[201] Existing federal and state laws will need to be considered when developing PHR privacy standards.

A final key challenge associated with developing a privacy policy for PHRs is balancing the need for consumer privacy and confidentiality, with the need for an accurate medical record. Experts have debated the issues of access and control from a privacy standpoint. What degree of control should consumers have over the information in their PHR? Some believe that account holders should have the ability to prevent access to certain aspects of the record or ‘blind’ sensitive information within the PHR. Others are concerned about enabling consumers to blind or delete health information, as omissions may lead to deleterious clinical implications.

In June 2006, NCVHS released its report titled Privacy and Confidentiality in the Nationwide Health Information Network, which includes recommendations on consumer rights over their personal health information and also covers a host of other issues ranging from regulatory issues to recommendations for establishing and maintaining public trust.[202] These recommendations were presented to the U.S. Secretary of Health and Human Services, Michael O. Leavitt. The NCVHS recommended that consumers should have a limited right to control their personal health information electronically:

Giving individuals unlimited control is one way to empower them. On the other hand, if individuals had unfettered control, health care providers would likely place less confidence in the accuracy and completeness of their records…. For these reasons, if individuals are given the right to control access to their records, the right should be limited.[203]

NCVHS was not prescriptive about the best method to institute limited individual control over health records. NCVHS continues to work on furthering these recommendations. In June 2007, the NCVHS Subcommittee on Privacy and Confidentiality Working Group discussed privacy issues and other issues related to consumer control over PHRs in a working session held in Washington, D.C.[204]

Specifically, the group addressed privacy of health information within the context of the CCR and CCD.[205] The Committee discussed the merits of masking certain types of data in the CCR or CCD, and the implications of transferring masked data from one provider to another. For example, should certain types of drugs (e.g., mental health drugs) or genetic information (e.g., family history of Huntington’s disease) be masked to protect the account holder’s privacy? One member of the Committee was particularly concerned about the social and ethical ramifications of blinding/masking mental health or genetic information: ‘By treating mental illness separately [and] by treating genetic disorders separately, we may be further contributing to the stigmatization of these conditions and putting into the future the time when there will be no difference between mental illness and other illnesses and so forth.’[206]

The Subcommittee did not come to a consensus on a privacy standard for PHRs. Specifically, the Committee concluded that it would be optimal to wait for Congress’s definition of ‘genetic information’ under the Genetic Information Nondiscrimination Act (GINA). A Congressionally mandated definition of genetic information could dictate whether and what type of genetic information can or should be masked in a CCR or CCD. Despite these challenges, deciding upon the principles and components of a privacy policy for PHR service providers is a critical and necessary step to ensuring that consumers and PHR service providers understand their rights and responsibilities.

Recommendations for PHR Privacy Standards

The NCVHS made several recommendations for the development of PHR privacy standards.[207] First, standards should be developed to ensure that consumers are always notified of secondary uses of data in PHRs. NCVHS specifically recommended that if HHS or another agency intends to use CMS data in PHRs, then there should be a requirement that ensures those PHR systems provide notice to consumers of the uses of personally identifiable information. Second, privacy standards for PHRs should be developed within the context of the National Health Information Network (NHIN). Third, consumers should be educated about their rights with respect to privacy and personal health information stored in PHRs. Fourth, if individuals are granted control over the specific content within their health records, that control should be limited by specific factors such as the individual’s age, treatment/condition, and/or type of provider.[208] Finally, the NCVHS recommended that third-party vendors, or other entities not covered by HIPAA, adopt their own privacy policies that are at least equal to those outlined in HIPAA.[209]

Additional recommendations for a PHR privacy policy were developed by Altarum, a non-profit research institute, in early 2007. Altarum was contracted by the Office of the National Coordinator for Health Information Technology (ONC), in support of the American Health Information Community (AHIC) Consumer Empowerment (CE) Workgroup, to review existing privacy policies for PHRs and make recommendations.[210] Recommendations for characteristics of a PHR privacy policy included:

  • Policy must be required for all PHR vendors;
  • Policy must be transparent on secondary data uses;
  • PHR vendor must disclose business relationships relating to “handling, processing, data mining, or other management of PHR data” to consumers;
  • Policy must provide information about the relationship between the PHR service provider’s policies to HIPAA; and
  • Policy must be written at a 6th grade reading level and include a glossary of technical terms used.[211]

The World Privacy Forum released a report on privacy and PHRs in February 2008, which specifically outlines eight areas of concern: ‘privilege, subpoenas, marketing of health care data, linkage of records, security, ability to correct files, consent issues, and the role of privacy policies.’[212] These areas should be considered when developing privacy standards for PHRs. Finally, the Federal Trade Commission (FTC) is also exploring patient privacy and consumer protection issues in health information technology, which may be relevant to the development of PHR privacy standards. The FTC is holding a public workshop to examine patient privacy in health information technology in April 2008.[213]

Examples of Privacy Statements

While privacy standards for PHRs are still under development, organizations such as Microsoft and Elder Issues have released privacy policies and statements for the use of their PHR products and platforms. A brief discussion of their privacy policies is presented below.

Microsoft recently released a privacy statement for the beta version of HealthVault. The privacy statement specifically applies to data collected by Microsoft through the Microsoft HealthVault beta version, but not to data collected through other Microsoft products.[214] The privacy statement begins with an introduction to sharing health information via HealthVault. The second section addresses the collection of personal health information and the authentication process. This section indicates that the owner of the account is, by default, the custodian of the record, and therefore has full control over the information.

Given that HealthVault is a platform – not a PHR – Microsoft also urges users to reference the privacy statements of other programs that they use in concert with HealthVault. The third section of the privacy statement explains the utility of the HealthVault Connections Center; users can use the Connections Center to add data to health records in their HealthVault account from other health devices (e.g., a heart-rate monitor). The fourth section discusses how users can share health information with other parties or programs, and the process of assigning access. The fifth and sixth sections address how Microsoft will use the personal health information in HealthVault, and the process used to aggregate information and statistics. In addition, the statement explains that personal information collected using HealthVault may be “stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or agents maintain facilities, and by using the Service, [users] consent to any such transfer of information outside of the U.S.”[215] Microsoft HealthVault’s privacy statement indicates that users’ personal information may be aggregated for marketing purposes, but is not associated with an individual account without the user’s opt-in consent.[216]

Microsoft also refers users to its general privacy policy, ‘Microsoft Online Privacy Statement’, as this policy explains how credential information is used when the user signs in to Microsoft sites, including HealthVault.[217]

The next few sections discuss account access and controls, sharing records with other programs/services, deleting records, and archiving health information. Microsoft describes the process for sharing records with other service users. The lower levels of access are view-only access and view-and-modify access; both are time-limited. Custodial access is the highest level of access, as the custodian of the health record can read, change, and delete the record. The custodian of the account can also grant and revoke different levels of access to others.[218] Other components of the privacy statement include: Microsoft’s TRUSTe certification; enforcement of the privacy statement; use of cookies; use of web beacons; changes to the privacy statement; and contact information for further questions.

LifeLedger has a privacy policy composed of five components: treatment of personally identifiable information; sharing of information with third parties; security technology and procedures; cookies; and the consumer’s role in protecting health information.[219] The privacy policy indicates that Elder Issues will not share personally identifiable information internally or with a third party. Access to personally identifiable information can be granted to a care manager or proxy by the account holder. The policy describes the encryption practices used to secure sensitive data. In addition, the privacy policy encourages users of LifeLedger to protect their password information. Contact information is provided if users have additional questions or concerns about the confidentiality of their personal health information.
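The HealthVault access tiers described above (time-limited view-only and view-and-modify access, plus custodial access that can read, change, delete, and grant or revoke access) and the LifeLedger account-holder-to-proxy grant describe the same delegation pattern. The following is an added illustration, written for this review and not code from Microsoft, Elder Issues, or either product: a minimal authorization model in which only a custodian can share or revoke, every non-custodial grant must carry an expiry, and every access decision is recorded in an audit trail. All names (alice, dr_bob, carol), dates, and the action vocabulary are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class AccessLevel(IntEnum):
    """Access tiers modelled on the three levels the privacy statement describes."""
    VIEW = 1          # read only; must be time-limited
    VIEW_MODIFY = 2   # read and change; must be time-limited
    CUSTODIAN = 3     # read, change, delete, and grant/revoke access


# Actions each tier permits (constructed vocabulary for this example).
PERMITTED = {
    AccessLevel.VIEW: {"read"},
    AccessLevel.VIEW_MODIFY: {"read", "modify"},
    AccessLevel.CUSTODIAN: {"read", "modify", "delete", "share", "revoke"},
}


@dataclass
class Grant:
    level: AccessLevel
    expires_at: Optional[datetime]  # None is allowed only for custodial access


class PermissionDenied(Exception):
    pass


class HealthRecord:
    """One health record with its access grants and an audit trail of decisions."""

    def __init__(self, owner):
        # The account owner is the custodian by default, with no expiry.
        self.grants = {owner: Grant(AccessLevel.CUSTODIAN, None)}
        self.audit = []  # (user, action, timestamp, allowed)

    def _active_level(self, user, now):
        """Return the user's level, or None if there is no grant or it has expired."""
        grant = self.grants.get(user)
        if grant is None:
            return None
        if grant.expires_at is not None and now >= grant.expires_at:
            return None
        return grant.level

    def allowed(self, user, action, now):
        """Decide whether `user` may perform `action` at time `now`, and log it."""
        level = self._active_level(user, now)
        ok = level is not None and action in PERMITTED[level]
        self.audit.append((user, action, now.isoformat(), ok))
        return ok

    def share(self, actor, grantee, level, duration, now):
        """Custodian grants `grantee` a level; non-custodial grants need a positive duration."""
        if not self.allowed(actor, "share", now):
            raise PermissionDenied(f"{actor} may not share this record")
        if level == AccessLevel.CUSTODIAN:
            self.grants[grantee] = Grant(level, None)
            return
        if duration is None or duration <= timedelta(0):
            raise ValueError("non-custodial grants must be time-limited")
        self.grants[grantee] = Grant(level, now + duration)

    def revoke(self, actor, grantee, now):
        """Custodian removes a grant; takes effect on the next access decision."""
        if not self.allowed(actor, "revoke", now):
            raise PermissionDenied(f"{actor} may not revoke access to this record")
        self.grants.pop(grantee, None)


def demo():
    """Constructed scenario: owner alice, clinician dr_bob, relative carol."""
    t0 = datetime(2008, 3, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    rec = HealthRecord("alice")
    rec.share("alice", "dr_bob", AccessLevel.VIEW_MODIFY, 7 * day, t0)
    rec.share("alice", "carol", AccessLevel.VIEW, 1 * day, t0)

    out = {}
    out["bob_modify_day3"] = rec.allowed("dr_bob", "modify", t0 + 3 * day)  # within grant
    out["bob_delete_day3"] = rec.allowed("dr_bob", "delete", t0 + 3 * day)  # not custodial
    out["carol_read_hour12"] = rec.allowed("carol", "read", t0 + timedelta(hours=12))
    out["carol_read_day2"] = rec.allowed("carol", "read", t0 + 2 * day)     # expired
    try:
        # A view-and-modify grantee attempting to delegate access further.
        rec.share("dr_bob", "mallory", AccessLevel.VIEW, 1 * day, t0 + 3 * day)
        out["bob_can_share"] = True
    except PermissionDenied:
        out["bob_can_share"] = False
    rec.revoke("alice", "dr_bob", t0 + 4 * day)
    out["bob_read_after_revoke"] = rec.allowed("dr_bob", "read", t0 + 5 * day)
    out["audit_entries"] = len(rec.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices matter for the defender: the expiry is checked at decision time rather than at grant time, so a grant that was valid when issued silently stops working once it lapses, and the audit list records denied attempts as well as allowed ones, which is what an account holder would need in order to see who tried to read or change their record.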
