Privacy Rights Clearinghouse
A personal health record (PHR) is a tool for collecting, tracking, and sharing information about your health. Most PHRs are Internet-based and enable the patient to create, review, or maintain a record of any aspect of their health. Typically, this may include such information as:
- illnesses and hospitalizations
- surgeries and other procedures
- laboratory test results
- family medical history
In addition to storing an individual's personal health information, some PHRs provide additional services such as drug interaction checking or messaging between patients and medical providers.
Some PHRs are marketed directly to the consumer by the hosting site, which may charge a fee. Other PHRs are offered by health care providers such as hospitals. Still others are offered at no charge by such online powerhouses as Google and Microsoft. Many are advertising-supported. Here are some examples of PHRs:
- Microsoft's HealthVault
- Google Health (Google Health will cease operations on January 1, 2012. However, data will be available for download through January 1, 2013.)
- Revolution Health
Because medical records are among the most sensitive type of personal information, we at the Privacy Rights Clearinghouse have some concerns about PHRs. PHRs may not necessarily be private and may not be secure, despite what the hosting site tells you.
Some PHRs are covered under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's Privacy Rule applies only to three categories of "covered entities": health care providers, health plans, and health care clearinghouses. A PHR offered by one of these entities, such as a hospital, is therefore bound by the HIPAA Privacy Rule.
Other PHRs are sponsored by third parties outside the health care system, such as the consumer-marketed and advertising-supported services described above. These PHRs are generally not "covered entities" under HIPAA. Some of them nevertheless advertise that they are "HIPAA compliant". That phrase can be misleading: it describes a practice the company has chosen to adopt, not a legal status, and it does not make the PHR a covered entity. If you use a PHR that is merely "HIPAA compliant", you may have no rights at all under the HIPAA Privacy Rule.
Another major concern is the hosting site's security practices. When you store your data on the host's systems, you give up a degree of control over it: protecting it from hackers and data breaches becomes the hosting company's job rather than yours, and you have no way to verify how well that job is being done. Putting your sensitive medical data in someone else's hands is therefore a security risk, and the hosting site's own assurances are not proof that the data is safe. The safest approach is to keep your medical records under your own control. That makes you responsible for protecting and backing them up, but it does not expose them to a breach at a third party.
It is important to note that PHRs are not the same as electronic health records (EHRs), which are designed for use exclusively by health care providers. EHRs are closed systems kept by doctors' practices, hospitals, and networks. PHRs are records that are used mainly by consumers. However, PHRs may include data gathered from doctors, insurers, and pharmacies. The information in a PHR is available to the consumer and in some cases to the medical providers that the consumer authorizes.
For consumers interested in compiling a complete medical history, we recommend maintaining your own offline medical records. For forms to create your own personal health records, visit http://www.myphr.com/resources/choose.aspx. If you just want to track your medications, see "My Medicine Record" at http://www.fda.gov/Drugs/ResourcesForYou/ucm079489.htm. It can be used to keep track of your prescription medicines, over-the-counter medicines, and dietary supplements.
For additional extensive resources on PHRs, see the World Privacy Forum’s Personal Health Records Page at http://www.worldprivacyforum.org/personal_health_records.html . Another useful resource is the California Office of Privacy Protection's publication "Is a Personal Health Record Right for You?" at http://www.privacy.ca.gov/cis13english.htm .