Apgar & Associates, LLC

Apgar Blog

Mar 10

PHRs: No Consumer Protections

It’s time to circle back to personal health records (PHRs) given the new identity theft protection language included in the American Recovery and Reinvestment Act of 2009 (ARRA), Title XIII, Subpart D. A significant consumer concern relating to the use of PHRs is the privacy and security of the health information stored in them. There is also a concern that this health information may be used for marketing. Alas, ARRA did not address those concerns to any great extent.

If you live in California, privacy and security protections and a prohibition against using consumer health information for marketing have been in place for over a year now. California’s breach notification law did, to some extent, make its way into ARRA to the benefit of consumers. The new identity theft protection language included in ARRA now requires PHR vendors to notify consumers if their health information is breached and to notify the Federal Trade Commission (FTC). When breach reports are filed with the FTC, the FTC is in turn required to report the breaches to the US Department of Health and Human Services (HHS). This does add some protection for consumers, but it does not go as far as California law, which requires that appropriate security measures be implemented to prevent the breach in the first place.

It is in the best interest of the PHR vendor to implement appropriate security measures to prevent breaches because of potential liability, FTC reporting and the loss of business that follows a loss of consumer trust, but it is not a regulatory requirement. As has been seen in other areas of healthcare and in other industries, organizations often look at what is a regulatory requirement and, if it is not there, do little to avoid damages other than those a federal or state agency could cause by stepping in and levying fines.

It is interesting that business associates are now required to live up to the requirements of the HIPAA Security Rule and the use and disclosure provisions of the Privacy Rule, but no such language was included requiring PHR vendors storing similar consumer health information to live up to any set of privacy or security regulations. It remains a buyer-beware environment: do you really trust the PHR vendor? I’m the cynic and the paranoid privacy and security guy who avoids entrusting my health care information to a PHR vendor just because of the lack of regulatory oversight and of any real requirement to implement appropriate security practices (and I can’t count on California law given that I live in Oregon).

What is also interesting is that specific language was added that further restricts the use of consumer health information for marketing and what a covered entity can be paid in return for providing a consumer’s health information to another entity, but the language only applies to covered entities. It does not prevent PHR vendors from using consumer health information for marketing purposes. It’s highly advisable to check the fine print before signing up for a PHR to make sure the vendor provides assurances that your health care information will not be used for marketing, and even then it comes down to whether or not you trust the vendor, even if the PHR is offered through your health plan or health care provider.

PHRs can and should be valuable tools to help individuals better manage their health care, especially individuals with chronic conditions. A PHR can be used to collect health information from providers and health plans so that individuals can check that the information in their records is correct. PHRs also help individuals keep all or most of their health information in one place, so they can make it available to new providers or take it with them when they move to another city or state.

Until the issues relating to privacy and security are adequately addressed through regulation, rather than an environment where I need to trust the vendor to “do the right thing,” I myself am reluctant to use a PHR. I’m not comfortable knowing my only recourse in the event of a security breach is to file a civil suit that may be difficult to fight given that I need to prove harm. Unless I can demonstrate that my health information was used for identity or medical identity theft, or that I was harmed because the information disclosed prevented me from obtaining employment, etc., I’m out of luck. It’s too bad Congress did not take advantage of the opportunity to include privacy and security requirements for PHR vendors when expanding the number of organizations that now must live up to HIPAA requirements.

Apgar & Associates, LLC
10730 SW 62nd Place
Portland, OR 97219

503.977.9432
