California Medical Privacy Fact Sheet C7:
Personal Health Records and Privacy
Privacy Rights Clearinghouse
- What is a PHR and what information does it contain?
- What privacy protections apply to PHRs?
- What other concerns are raised by PHRs that are not covered by HIPAA or the CMIA?
- What can a PHR's business model tell you about how it protects the privacy of your medical information?
- What should you look for to help you choose a commercial PHR or decide that a PHR is not for you?
Your health care providers probably maintain your records at their place of business, and you likely have many different health care providers. For example, you may have records at a hospital, a physician's office, your dentist, a pharmacy, and an optician's dispensary.
HIPAA gives you the right to nearly total access to information maintained by health care providers. This means you can gather information from multiple sources and keep your medical history as a single record.
A personal health record (PHR) is a means of storing, managing, and sharing your personal medical information. There are several types of PHRs (described below) but this Fact Sheet principally addresses online PHRs.
Individuals have the ability to manage their own PHRs. This is one factor that distinguishes a PHR from an EHR (electronic health record). An EHR is one of many individual records contained in an electronic records system that your health care provider controls and populates with information.
With a PHR you have control over what information you put into it and share with others. But this does not mean that you have exclusive control over who can see your medical records or how they are used. Those records all exist elsewhere, in either paper or electronic form, under the control of your health care providers. Both federal and state law govern what health care providers can do with your personal health information (PHI). (HIPAA Privacy Rule is at 45 CFR Part 160 and Subparts A and E of Part 164; Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code §§ 56–56.16)
To learn more about these laws, see California Medical Privacy Fact Sheet C1: Medical Privacy Basics for Californians.
PHRs are meant to benefit consumers by encouraging them to take a more active role in their own health care and become better informed about it. PHRs are a place to store your own health information, and they may also have tools that can, for example, assist you in managing your prescriptions or a chronic medical condition. Unlike PHRs, EHRs' primary purpose is to benefit health care providers by giving them more complete medical histories for treating patients. In theory, this should improve the quality of patient care.
The features that PHRs offer vary, but some common ones include the ability to store and transmit:
- information about your medical history;
- information about your prescriptions, including dosages and refills;
- diagnostic test results, both laboratory and imaging;
- drug alerts;
- your immunization records;
- your physicians’ treatment plans for you.
A PHR may also support options such as secure email with your physicians and links to medical informational websites and archives.
Keep in mind that none of this information goes into your PHR automatically. HIPAA regulations and California law give you the right to request copies of your medical records, and that is what you must do with all of your health care providers in order to get the paper or electronic records you need to create your PHR. Californians have a broad general right to access their medical records:
[E]very person having ultimate responsibility for decisions respecting his or her own health care also possesses a concomitant right of access to complete information respecting his or her condition and care provided.
(Cal. Health & Safety Code § 123100)
Under HIPAA, you can request your medical records (with some exceptions) in the format you specify (paper, electronic, microfilm) and receive them at a reasonable cost. If your request is denied, there is a process to appeal the denial. (45 CFR § 164.524)
The government is encouraging health care providers to adopt electronic medical records. Recently updated law requires health care providers with EHR systems to give you an electronic copy of your record on request and charge only for the labor cost of responding (because there are no reproduction costs). You may also request that electronic copies be sent directly to a PHR. (42 U.S.C. § 17935(e)) Privacy Rights Clearinghouse has a sample letter for requesting copies of your medical records.
a. What types of PHRs are available?
PHRs can be paper based or electronic. Electronic records can be kept on different media, including personal computers, “smart” cards, thumb drives, CDs, or web-based applications. Of the two types, paper records may be easier to secure, but electronic records are more convenient. They are easier to update and maintain and also easier to access and share.
- Paper. You may already have your own paper-based PHRs—folders filled with records from doctors, pharmacies, hospitals, and insurers. These may include copies of diagnostic test results, drug notices that accompany prescriptions, or treatment invoices and Explanations of Benefits from providers and insurers. Folders like these—locked in a secure filing cabinet—offer a good, if limited, snapshot of your medical history. What they lack is accessibility. For instance, if you want to share lab test results between doctors, you will need to copy a form and fax or mail it, or carry hard copies around with you.
- Personal Computer. You can install a PHR application on your computer where you may input information, download files, and scan documents you receive from your healthcare providers. The information is stored locally on the computer, on a CD, on a thumb drive, or on another storage device. You control it and have the ability to update and print it.
An example of this type of PHR is MyMedsPHR, which records your medications and reminds you when to take them. However, if you have a medical emergency, nobody will be able to access your medical history through your PHR unless you carry an up-to-date CD or thumb drive with you and can tell the ER staff where it is—and they have a means of reading it.
- Internet. Most PHR products are Internet based—similar to a local application on your computer, but accessible online when you log in with a user name and password. Microsoft’s HealthVault is an example of this type of PHR. An online PHR lets you manage your records from wherever you are—you can update and transmit the information, and give others access.
Internet-based PHRs make your medical information available in non-emergency situations, and also in emergencies as long as you’re able to provide your user name and password.
Internet-based PHR security depends on the security of the devices you use to store and transmit your information, whatever is built into the PHR application itself, and the security of the networks the information travels along.
- Smartphone mobile application. Mobile applications (apps) for smartphones are being created so rapidly that it is almost impossible to keep up with them. The same holds true for PHR and PHR-type apps. These may eventually become the default Internet-based PHR application, in part because they are extremely
Mobile applications have a variety of different features. For example, you can maintain and manage your medical information. This information may include medical history and conditions, diagnostic test results, food and medication allergies, travel history and immunizations, and medication names, doses, frequency, and start/end dates. You can also send information and receive medical information from health care providers and insurers.
Because many smartphones have touch screens, an app may be able to measure vital signs—like heart rate and blood pressure—and update your PHR continuously. The applications may even give you the option of sharing your data using social media. These applications present numerous privacy and security concerns, which are compounded when they link to social media.
The Food and Drug Administration (FDA) is in the process of developing regulations for some types of mobile medical apps, but not the ones that act as PHRs. Only those that are either accessories to a regulated medical device (such as an app that monitors an insulin pump) or that transform a mobile platform into a regulated medical device (for example, an app that uses a phone’s touch-screen capability to monitor vital signs) are currently being considered for FDA regulation. For consumer information, see FDA Proposes Health ‘App’ Guidelines.
- PHR smart card. A number of vendors offer a secure PHR smart card that stores medical information. With the aid of a card reader, both you and your doctor can access your records on a computer screen and also update the card. Problems with this type of PHR may be how universally available card readers are and how secure the card really is, in case you lose it.
If you are considering using a PHR to maintain your health records, you may want to look at AHIMA’s (American Health Information Management Association) list of 12 Questions Consumers Should Ask When Choosing a PHR. AHIMA also has a website that can help you choose a PHR based on your age and other health requirements. These questions cover issues of content, ownership and use of information, access and security, portability, and cost.
The privacy protections that apply to PHRs depend on where the PHR originates. A PHR that a doctor or a health plan provides would fall under the laws that protect medical privacy and set standards for maintaining the security of your medical information. This would include both HIPAA and the Confidentiality of Medical Information Act (CMIA). In addition, modifications to HIPAA impose data breach notification requirements and penalties on PHRs. The same breach notification requirements and penalties apply to vendors that advertise on a PHR company’s website—regardless of whether the vendor is a health care provider covered by HIPAA or is a commercial vendor.
While helpful, breach notification requirements only come into play after your data has actually or potentially been compromised. California law may offer broader privacy protections for medical information in PHRs. However, the statutory revision intended to include all PHRs under California's CMIA—regardless of whether they come from a health care provider or a commercial vendor—is ambiguous and has not yet been tested in court. For more information, see below, section 2.c. Does California’s Confidentiality of Medical Information Act (CMIA) protect consumers who have PHRs?
a. What types of PHRs does HIPAA cover, and what does it mean for you?
For HIPAA to apply to a PHR, a HIPAA-covered entity must provide it. This generally would be a health care provider or a health plan that offers a PHR as one of its services. If that is the case, the PHR comes under the federal privacy and security rules that protect your medical records.
This type of PHR is typically linked to the provider’s EHR system, and is sometimes referred to as a “tethered” PHR, although the PHR product itself may be offered and managed by a third party. The HIPAA term for a third party that performs services for a health care provider or health plan that require the use or disclosure of medical information is a "business associate." Business associates are covered by the HIPAA Privacy and Security Rules, including the data breach notification requirements.
Some common characteristics of this type of PHR include the following:
- The PHR probably won't give you access to all of the medical records your physician has for you, and may not automatically update your PHR. However, the PHR may give you the option to allow automatic updates.
- The PHR probably won't automatically link to or sync with PHRs you have with other providers. Even if you try to combine your information from multiple PHRs, you may find that the information is not available in a format that is fully compatible across PHRs.
- If your PHR allows you to enter your own information in your record and update it yourself, your entries will be distinguished from those a physician makes.
- Finally, a PHR that’s offered by a health care provider or health plan may not be portable, so it could be of no use to you if you change doctors or health plans—you would have to start over again.
The fact that HIPAA applies to a PHR gives you certain protections and rights. These are discussed in detail in California Medical Privacy Fact Sheets C1: Medical Privacy Basics for Californians; C2: How Is Your Medical Information Used and Disclosed—With and Without Your Consent; C3: Your Medical Information and Your Rights. For a start, you must receive a notice of privacy practices informing you of protections and rights regarding your medical records. People often mistake this for a consent form, but it is not.
To summarize, the notice must:
- tell you how your doctor or health plan can use and share your medical records, and that your consent is not required to do this for purposes of treatment, payment, or health care operations;
- tell you that a provider or health plan is legally responsible for maintaining the privacy and security of your health information;
- inform you of your rights concerning your medical information—to access and copy your records and to amend them (which in reality most likely means entering a statement of disagreement with something in your record);
- tell you how to file a complaint about what you believe is an abuse of your privacy rights with the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS); and
- tell you who to contact for more information about the provider or health plan’s privacy policies.
The HIPAA Privacy Rule also gives you a right to know who has accessed or received information from your PHR (called an “accounting of disclosures”). However, it is unclear how this works with PHRs since you would generally be the one accessing your own PHR, and anyone else who accesses it would need your permission. It has been suggested that providers who offer PHRs include a functionality that lets you view an access log.
Some additional protections you have with a HIPAA-covered PHR are not described in the notice of privacy practices. Recent updates to HIPAA require your provider or health plan to notify you if there is a breach of your medical records. (42 U.S.C. § 17932(g)) Depending on the type of breach, there is a schedule of fines, ranging from $100 to $1.5 million.
There are indications that OCR is taking its data breach enforcement responsibilities seriously. It fined Alaska’s Department of Health and Human Services $1.7 million and Blue Cross Blue Shield of Tennessee $1.5 million. More tellingly, OCR fined a cardiac group practice in Phoenix $100,000 for failing to implement adequate policies and procedures to safeguard patients’ information even though no breach was known to have occurred.
As this Fact Sheet discusses below, the breach notification requirements and fines (but not the privacy and security regulations) also apply to commercial PHR vendors and others that offer products and services through a PHR vendor’s website. The Federal Trade Commission has jurisdiction over data breaches involving non-HIPAA-regulated PHRs.
HIPAA does not give you the individual right to sue whoever is responsible for the breach of your medical records. Only an attorney general can bring a legal action. California does give individuals this right, as discussed below in Section 2.c., Does California’s Confidentiality of Medical Information Act (CMIA) protect consumers who have PHRs?
b. What types of PHRs are not covered by HIPAA and what protections apply?
If your employer offers a PHR, the PHR typically won't be covered by HIPAA regulations. However, the PHR will be covered by HIPAA if it is part of an employer-sponsored health plan. An example of a PHR offered by employers is Dossia, which was created by a nonprofit consortium of major companies like AT&T, BP America, and Pitney Bowes, and is currently used by Walmart for its employees.
Just like most PHRs offered by employers, PHRs from commercial vendors, including mobile medical application vendors, will not be covered under HIPAA regulations. While some commercial PHRs may advertise themselves as “HIPAA-compliant,” the only privacy protections they offer are those in their own privacy notices and practices, which they can change at any time. To give you an idea what to look for in a commercial PHR vendor’s privacy practices, the Office of the National Coordinator (ONC) at the Department of Health and Human Services (HHS) has a model notice of privacy practices for commercial PHR vendors.
Although HIPAA doesn’t cover this type of PHR and the information it contains, it still applies to your medical information before it can be transferred to the PHR. In other words, your health care provider needs your written authorization before disclosing your medical records directly to a PHR vendor. Alternatively, you may request your records from your health care provider and then provide those records to a PHR vendor.
Although a commercial PHR may not be covered by the HIPAA regulations (but may be covered by the CMIA, depending upon the interpretation of Cal. Civ. Code § 56.06) it is still subject to breach notification requirements. A PHR vendor or a business that offers products and services through the vendor's website is liable for a breach of unsecured (unencrypted) health information, and must notify the affected individuals, the media if the breach involves 500 or more individuals, and the Federal Trade Commission (FTC). (42 U.S.C. § 17937) The FTC has helpful information for vendors about who falls under this rule, what kind of incident requires a breach notification, and the specifics of notice (whom to notify, when, by what means, and with what information).
The FTC regulations do not give individuals the right to sue a PHR vendor for a breach of medical information, but California law does. And even if you cannot prove you were actually harmed by the breach, you are still entitled to nominal damages of $1000. (Cal. Civ. Code § 56.36(b))
The FTC forwards notices of PHR breaches that it receives from vendors to the HHS Office for Civil Rights (OCR). However, the FTC has enforcement authority over commercial PHRs. OCR has enforcement authority over HIPAA-covered PHRs. OCR maintains a list of all health-related data breaches that affect more than 500 individuals.
If you are considering using a commercial PHR, you should read its privacy notice and decide whether you are comfortable with the protections and rights the product offers. The following are some questions you should keep in mind when reading a PHR's privacy notice.
- How will your information's security be safeguarded? Will it be encrypted when it is stored and transmitted? Does the vendor store your medical information in the cloud and how secure is that storage?
- What does the vendor say about how it may use or disclose your information? Does it mention disclosure of de-identified or aggregate data (a sure indication that it is selling the data)?
- What control do you have over access to the information in your PHR?
- Can you cancel the PHR? What happens to the medical information that is in the PHR if you do cancel?
Also, a PHR vendor may, in some cases, share your health information with its contractors or other business partners. If that is the case, you’ll want to know whether these contractors or business partners will be limited in how they use or disclose the individual’s health information.
The California legislature modified the CMIA in 2008 to bring businesses like PHR vendors under the laws intended to protect individuals’ medical information. To accomplish that goal the legislature simply deleted one word from the existing statute:
Any business organized for the primary purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of this part.
(Cal. Civ. Code § 56.06(a))
It is not clear whether this revision accomplished its goal. For example, a PHR vendor like Microsoft HealthVault might say that Microsoft is not "organized for the purpose of maintaining medical information." Until the law is tested in court, it may not be completely clear whether the California legislature accomplished its goal of making PHR vendors subject to the CMIA's information privacy requirements.
The drawbacks to commercial PHRs extend beyond privacy policies that may be subject to change without notice. You must also consider who may have access to your information, in addition to you and those you decide to share it with, like your doctors. There is nothing to prevent the sale of your medical information in either identifiable or statistical form to marketers, researchers, employers, insurers, or drug companies, for example. The vendor’s notice of privacy practices should make it very clear in what ways it may share—or sell—your data.
There is also the patient-physician privilege to consider. Depending on state law, the patient-physician privilege, which protects confidential communications between you and your doctors, can prevent a doctor from having to testify about certain information that you share. However, it is possible to waive this privilege if you disclose the information to someone other than your doctor—that is, to a third party, like a PHR vendor. To waive the privilege in California, you must disclose information voluntarily, knowingly and with awareness of the consequences. (see San Diego Trolley, Inc v. Superior Court)
Although there are many varieties of PHRs, there are only three general business models. Before you choose to use a PHR, you should ask who or what pays for the service.
- A PHR that is “tethered” to a health care provider’s EHR is technically free to patients. However, the application and system that run the PHR are included in the provider’s operating costs. Operating costs are generally passed through to patients.
- A PHR that charges consumers a monthly or annual fee may rely solely on that fee to generate revenue. It may also sell advertising on its website, sell identifiable or statistical PHR data, or do both in addition to charging a fee.
- A PHR that advertises itself as “free” to consumers probably relies on advertising—and consumers clicking through advertising links—to support the service. Like a fee-based PHR, it may also sell identifiable or statistical data. The same could be true of a PHR sponsored by an employer or health plan, which might pay for the service because it believes the PHR will result in savings on health care costs, and sell data to subsidize the cost.
Any of these models may include other revenue-generating features. These might be offerings that are not part of the PHR, but are paid for by vendors who want consumers’ attention when they use their PHR. Some examples would be links to medical or pharmaceutical informational websites, niche search engines (such as those related to a specific disease, condition, or medication), articles, surveys, and software downloads.
So while PHRs can be useful and convenient, keep in mind that they are businesses and that monetizing your medical information may be part of their business plan. A patient-centric PHR would:
- make it easy to assemble a comprehensive record;
- support interaction and communication between a patient and all of his or her health care providers;
- be controlled by the patient to whom the information pertains; and
- be implemented with the best security controls available.
So far, this model does not exist.
a. Notice of privacy practices
A PHR’s notice of privacy practices should really tell you everything you need to know about the product, including how much control the vendor allows you to have over your medical information. The Department of Health and Human Services has some very helpful information about how to evaluate this notice, based on its own model notice of privacy practices for PHR vendors. A Consumer Guide that accompanies the notice thoroughly explains the important sections about what information the vendor says it will or will not release and what control you have over the information in your PHR, along with what security measures the vendor takes.
A notice of privacy practices should be clear about what information a PHR vendor will release, and in what form, either as personally identifiable medical information or statistical information that does not contain personal identifiers. At minimum, the notice of privacy practices should include information about whether the vendor will release either personal or statistical information for the following purposes:
- marketing and advertising;
- medical and pharmaceutical research;
- reporting about company and customer activity (for example, customer-satisfaction reports for marketing purposes or reports to industry analysts or stockholders);
- to your insurer and/or employer (this would apply only to an employer- or insurer-sponsored PHR);
- developing software applications (that is, does the vendor share personal or statistical data with developers of improvements or add-on applications for the PHR?).
Next, the notice should tell you whether the PHR vendor has agreements with third parties that limit what the third parties may do with personal or statistical data the PHR vendor shares. Finally the vendor should tell you what happens to your data if you cancel or transfer your PHR. Does the vendor keep the data and continue sharing it according to the notice or destroy all the data that is in your PHR?
The notice should have a security section that assures you that the vendor has security measures in place that are reasonable and appropriate, or meet industry standards, or that are HIPAA compliant. It should tell you that the vendor will protect the information in your PHR from any unauthorized access, disclosure, or use. It should tell you that your PHR data is stored in the U.S., because if it is not, it will not be protected by any U.S. laws. And it should tell you if it keeps activity logs of who has accessed your PHR and when, and whether you have access to this information yourself.
PHRs have the potential to help individuals become better informed about their medical history and more engaged in their own healthcare. An obvious corollary of this benefit is the potential to overwhelm with too much information, and especially with information that a non-professional is not qualified to analyze. The problems with PHRs, as with all types of electronic records, have to do with privacy and security.
At this point in the convoluted development of medical information privacy, it might be best if the government or industry adopted guidelines for building security into PHRs and their add-on applications and into the mobile devices that are likely to become indispensable to health care. Thoughtful and strong security offers better hopes for protecting privacy than hundreds of pages of privacy regulations.
Look for a PHR that gives you the benefits of the HIPAA Privacy and Security Rules. If you are considering a PHR, for the time being, look for one that is part of a health care provider’s electronic health record (EHR) system or that is offered by a company that is a business associate of the covered entity. For purposes of PHRs, a covered entity would most likely be either your health care provider or insurer. A business associate is a company that has a contract with a covered entity to provide a service that involves handling your personal health information. The nature of the relationship and the information bring the business associate under the HIPAA Privacy and Security Rules.
Questions to ask about any PHR you’re thinking of using:
- Who will have access to my medical information?
- What control will I have over how my information is shared, and in what form (personally identifiable or statistical/de-identified)?
- Can I find out who accessed my medical information?
- Do I have authorization power over access to my information and how does the authorization process work? Can I revoke my authorization once it’s been given?
- Do I have any ability to delete information that has already been sent to providers from my PHR?
- What security measures are in place to protect my information, including encryption in transmission and storage?
- Where is my information stored—in the U.S.? in the cloud?
California Office of Privacy Protection (COPP), PHR fact sheet, “Is a Personal Health Record Right for You”: http://www.privacy.ca.gov/consumers/cis13english.pdf (Please note that the COPP has been merged into the Privacy Enforcement and Protection Unit in the California Department of Justice.)
Department of Health and Human Services – Office of the National Coordinator
Office of the National Coordinator for Health Information Technology
U.S. Department of Health and Human Services
200 Independence Avenue S.W.
Washington, D.C. 20201
PHR model Notice of Privacy Practices: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=3770
“Consumer Guide to Understanding and Using the PHR Model Privacy Notice on Company Data Practices”: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=3781
Department of Health and Human Services – Office for Civil Rights (OCR)
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free: 1-877-696-6775
To file a complaint about what you believe is a privacy violation regarding your PHR: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
If you have a complaint about a PHR vendor that is not covered by HIPAA, you can contact the FTC at 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. To file a complaint with the FTC, this is the best place to begin: https://www.ftccomplaintassistant.gov/ The FTC keeps a database of complaints in the Consumer Sentinel Network, which helps many civil and criminal law enforcement investigators with their research.
American Health Information Management Association (AHIMA)
233 N. Michigan Avenue, 21st Floor
Chicago, IL 60601-5809
Main Number: (312) 233-1100
Customer Relations: (800) 335-5535
AHIMA has extensive information on PHRs, including how to decide which one might be right for you: http://www.ahima.org/resources/phr.aspx