Privacy issues make personal health records a risky proposition, according to two reports released by the World Privacy Forum.
In terms of privacy risk, PHRs fall into two main categories: those offered by "covered entities," defined by the Health Insurance Portability and Accountability Act of 1996 as providers, payers and claims clearinghouses, and those that aren't, said Robert Gellman, a Washington-based lawyer and privacy consultant. Gellman wrote Personal Health Records: Why Many PHRs Threaten Privacy, which at 16 pages is the longer of the two reports.
The other, World Privacy Forum Consumer Advisory: The Potential Risks in Personal Health Records Every Consumer Needs to Know About, is a more consumer-digestible five pages co-written by Gellman and Pam Dixon, executive director of the World Privacy Forum.
Gellman said neither class of PHR provides patients with complete protection, but of the two, HIPAA-covered ones provide some protections that the others do not. Even so, he warned, HIPAA by itself is not the magic word, since some PHR vendors, while not being HIPAA-covered, tout their wares as being HIPAA-compliant. What that means legally is that, for the time being, a HIPAA-compliant vendor voluntarily agrees to follow the HIPAA rules. Gellman warned that virtually all PHR vendors have fine print in their privacy policy disclaimers that states they are free to change the terms of those policies, including the pledge to comply with HIPAA, at any time without prior notice.
And even those PHRs provided by covered organizations require buyers to beware, Gellman said. Vendors of both HIPAA-covered and -compliant PHRs may have advertising as a key part of their business model.
"I believe the PHRs based on advertising are essentially devices to wheedle people out of their consent to obtain information they couldn't get if they were subject to HIPAA," Gellman said. "Enter an odd click here, or even if there is no click, and your information could go all kinds of places. Once your information is disclosed to the data brokers, there's no retrieving it. You can buy lists of people by every disease you can think of."
"You're clearly better off in a HIPAA-covered PHR, but even in a HIPAA one, if it's advertising-supported, it's just not that hard wheedling consent out of people. The consequence of sharing records is still the same."
The World Privacy Forum is a not-for-profit, nonpartisan 501(c)(3) public interest research group based in San Diego.