Take Control of Your Medical Information: Personal Health Records and Your Privacy

If you established care with a medical office tomorrow, would you be able to give your new doctor a complete copy of your medical records, lab tests and a list of your prescription drugs? If you're like most Americans, your health information is split among your various health care providers. For example, you may have records at a hospital, a physician's office, your dentist, a pharmacy, and an optician's dispensary. 

Since each health care provider maintains its own file on you, it can be challenging to get control of your medical records. However, HIPAA's right to access coupled with the emerging market for the Personal Health Record (PHR) is changing that.

The Privacy Rights Clearinghouse (PRC) recently published a consumer guide on PHRs that discusses privacy and security considerations as well as both California and federal law. The guide, Personal Health Records and Privacy, is part of the PRC’s series on California Medical Privacy. Whether or not you live in California, you will find the tips in this guide to be useful.

Here are some of the highlights:

You have a right to access your medical records.

Under the Health Insurance Portability and Accountability Act (HIPAA), the federal medical privacy law, you have a right to obtain copies of the medical records maintained by your health care providers. This means you can gather information from multiple sources and keep your medical history as a single record. See PRC's sample letter to request your records in writing.

A PHR allows you to keep your own record of your medical history, and is usually an electronic system or software that provides a centralized storage space for your health information. A PHR may also support options such as secure email with your physicians and links to medical informational websites and archives. 

PHRs have the potential to help individuals become better informed about their medical history and more engaged in their own healthcare. However, as with all types of electronic records, PHRs do present certain privacy and security concerns.

Many PHRs are not covered under HIPAA.

A key question when considering the use of a PHR is whether it is covered by HIPAA. Only PHRs offered by a "covered entity" are subject to HIPAA. Covered entities include health care providers, health plans and health care clearinghouses. All other PHRs are not subject to HIPAA. While some commercial PHRs may advertise themselves as “HIPAA-compliant,” the only privacy protections they offer are those in their own privacy notices and policies, which they can change at any time.

PHRs for Californians may be covered by the Confidentiality of Medical Information Act (CMIA), depending upon the interpretation of California law. Until the law is tested in court, it may not be completely clear whether PHR vendors are subject to the CMIA's information privacy requirements.

Consider privacy and security when choosing a PHR.

The risk that data will be lost or stolen is inherent to data stored in an electronic format. Hackers are becoming increasingly sophisticated and medical identity theft is a rising problem.

While the PHR's security may be somewhat beyond your control, you should be notified if your data has been breached – under both federal and California law.

HIPAA-covered PHRs have more stringent security and privacy requirements. Until stronger protections are in place for all PHRs, we recommend choosing a HIPAA-covered PHR; however, such PHRs may limit your ability to centralize records from multiple health care providers.

If you are considering using a commercial PHR, read its "notice of privacy practices" and privacy policy first. A notice of privacy practices applies specifically to the PHR product and the information collected in it; a privacy policy explains the company’s overall privacy and security policies.

The following are some questions you should keep in mind when reading a PHR's privacy notice and policy:

  • How will your information be safeguarded? Will it be encrypted both when it is stored and when it is transmitted? Does the vendor store your medical information in the cloud, and how secure is that storage?
  • Is the PHR data stored in the U.S.? If it is not, it will not be protected by any U.S. laws.
  • What does the vendor say about how it may use or disclose your information? Does it mention disclosure of de-identified or aggregate data (an indication that it is selling the data)?
  • Who will have access to your medical information? What control do you have over access to the information in your PHR? Will your information be sold to or shared with third parties, such as marketers? Can you find out who accessed your medical information?
  • Can you cancel the PHR? What happens to the medical information that is in the PHR if you do cancel? Does the vendor keep the data and continue sharing it or does the vendor destroy all the data that is in your PHR?
  • How does the PHR generate revenue? Keep in mind that PHR vendors are businesses and that monetizing your medical information may be part of their business plan.
  • Do you have any ability to delete information that has already been sent to providers from the PHR?
  • What support does the vendor offer for the PHR? How do you contact customer service and what is the response time?

Not comfortable with electronic PHRs? You can still accomplish the same goal by consolidating printouts or paper copies of your medical records and keeping them in a secure place.

For a more in-depth discussion of PHRs, see California Medical Privacy Fact Sheet 7: Personal Health Records and Privacy.