While personal health records are still very much in the infancy stage, PHR vendor privacy and security policies are embryonic at best, at least according to a review of 30 publicly available policies presented Jan. 10 to the consumer empowerment work group of the American Health Information Community HHS advisory panel.
The review, conducted by the Ann Arbor, Mich.-based Altarum Institute, analyzed the policies and found there was little said about disclosure of secondary uses of data, little attention paid to ownership of data after a business relationship is ended, a lack of definition for essential legal terms such as "personal health information" or "de-identified" patient information, and a lack of formal mechanisms to enforce written policies.
The review concluded that "existing policies are incomplete and there are no consensus privacy requirements."
The policies were judged according to 31 selected criteria, which included data-sharing policies for marketing, law enforcement, business associates, research, and family members. The highest number of criteria included in a single PHR policy was 18, and the other 29 covered fewer than half of the 31 items.