The Security Scrutinizer with Howard Anderson

Protecting Personal Health Records

HHS Weighs Privacy Issues, Asks for Recommendations

American consumers need to know that personal health records must follow government-mandated guidelines for ensuring privacy and security, just as is the case for electronic health records. Otherwise, the use of PHRs may never become widespread.

A survey earlier this year found that only about 7 percent of Americans have used a personal health record. And among those who don't have one, "worry about the privacy of my information" was the biggest barrier, cited by 75 percent.

So it's good to finally see some action in this arena as the Department of Health and Human Services takes initial steps toward preparing a report to Congress on PHR privacy and security issues, as mandated under the HITECH Act. The Act required that the report from HHS, in collaboration with the Federal Trade Commission, be submitted by last February. But the HHS Office of the National Coordinator for Health IT says the report won't be ready until early next year.

Unlike an electronic health record, which is a provider organization's official record of treatment, a personal health record is controlled by an individual and can include information from a number of sources, including hospitals, clinics and pharmacies, as well as information the individual enters.

Google, Microsoft and many other firms offer various flavors of PHRs and PHR platforms. These vendors do not have to comply with the HIPAA privacy and security rules, which apply to organizations using electronic health records. But should PHR vendors be required to comply with HIPAA?

In written testimony prepared for a Congressional hearing held Sept. 30, Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, called for stronger protection of personal health records, but not through HIPAA. She argued that HIPAA, which permits disclosure of personal health information without patient consent in a number of circumstances, wouldn't provide adequate protection for PHRs, which are controlled by the patient.

Instead, she said that the Markle Foundation's Common Framework for Networked Personal Health Information would provide a good starting point. She noted that it outlines "a uniform and comprehensive set of meaningful privacy and security policies for PHRs."

As HHS tries to make up for lost time, it certainly should take a close look at the Markle Foundation's framework as a potential foundation for a PHR privacy and security policy.

What's your opinion? It's time to make your voice heard. HHS is soliciting comments on the issue of PHR privacy and security. You can submit comments to the ONC website through Dec. 10.

Also, HHS is hosting a day-long event focused on PHR privacy and security on Dec. 3, when it will hear from panels of experts addressing the issues. That live event in Washington is completely booked, but you can still sign up to listen online.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
