Spotlight on New PHR Model Privacy Notice

by Helen Pfister and Susan Ingargiola, Manatt Health Solutions

Personal health records can help consumers play a more active role in their health care by enabling them to coordinate and manage their health information. However, PHR adoption is subject to a number of obstacles, including consumer privacy concerns.

Recognizing this, the Office of the National Coordinator for Health IT recently released a new PHR Model Privacy Notice (Model Notice) to help providers of Web-based PHRs alert consumers to their data sharing and privacy and security policies. The goal of the Model Notice is to help consumers make more informed decisions when choosing a PHR. 

Background

For the purposes of the Model Notice, ONC defines a Web-based PHR as an electronic health data application that can help a consumer collect, manage and share his or her health information. It is important to distinguish between a PHR and other tools that electronically store patient health information, such as electronic health records.

An EHR is an electronic version of a patient's medical history that is maintained by a health care provider. An EHR generally includes all of the key administrative and clinical data relevant to the patient's care, including demographics, progress notes, immunizations and laboratory reports. Patients may sometimes view the electronic information that their health care provider maintains about them through an online patient portal, which is like a window into the health care provider's EHR. A PHR, in contrast to an EHR, is maintained directly by a consumer and generally consists of whatever information the consumer chooses to include.

The Model Notice applies only to PHRs, not EHRs or patient portals. A PHR may be offered by a hospital, insurance company, employer, commercial vendor or other organization. PHRs provide a number of benefits, including the ability to store one's complete medical history in a single, easily accessible place. Once a consumer's health information is in a PHR, the consumer can share all or portions of the PHR with health care providers, thereby helping to improve coordination of care. PHRs can also make it easier for consumers to involve their family members and other caregivers in their care.

According to an April 2010 California HealthCare Foundation survey, Americans who have access to their health information through PHRs report that they know more about their health, ask more questions and take better care of themselves. CHCF publishes iHealthBeat.

Why the Model Notice Is Important

PHR adoption is growing, albeit slowly. A recent Markle survey found that PHR use has grown from 3% of consumers in 2008 to 10% in 2010. Further, to receive incentives for adopting and meaningfully using EHRs under the HITECH Act, health care providers must electronically share health information with patients, criteria that could pave the way for more PHR use.

Meanwhile, legal protection for information stored in PHRs currently is limited. There is no single federal law that covers all forms of PHRs. HIPAA, which sets a federal baseline of privacy and security protection for patient health information, only applies to PHRs when the PHRs are offered by HIPAA-covered entities or by business associates of HIPAA-covered entities. HIPAA-covered entities are health plans, health care clearinghouses and most health care providers that submit health care claims electronically. Some companies contract with HIPAA-covered entities to provide PHRs and thus are governed by HIPAA as business associates of the covered entity. However, many PHRs are provided independently by companies that are not subject to HIPAA, such as software manufacturers and others. 

The HITECH Act sought to provide additional protection for consumers who use PHRs, for example, by requiring a PHR company that is not subject to HIPAA to notify consumers and the Federal Trade Commission if consumers' information is breached. Another law that relates to the privacy and security policies of PHR companies is the FTC Act, which provides that "unfair or deceptive acts or practices in or affecting commerce ... are ... unlawful." Under the FTC Act, it is illegal to violate promises made in privacy or security policies or other assurances to consumers. Thus, PHR companies that advertise they keep consumers' data private but fail to do so could be held liable under the law. 

Several other federal and state laws and regulations may also apply to PHRs in certain instances. But even together, they still leave gaps in the protection of the data consumers store in PHRs. While the Model Privacy Notice will not solve the problem completely, it will help consumers better understand what happens to their information when they use a PHR.

How the Model Notice Works

According to ONC, consumers should think of the Model Notice as similar to a nutrition facts label for food. The Model Notice is a standard template that is meant to provide information to consumers in a uniform format they can understand and compare. It succinctly provides important facts that consumers should know before using a PHR. Use of the Model Notice by PHR companies is voluntary.

The Model Notice has two sections: 1) the "Release" section; and 2) the "Secure" section. Both tell consumers what the PHR company may do with their PHR data. 

PHR data refers to any information a consumer submits or that is collected while a consumer uses a PHR. PHR data consist of "personal data" and "statistical data." Personal data are any PHR data that are "linked to the consumer as an individual person, computer or device." This includes name and contact information, medical history and treatments, health care claims information, demographic information and Internet protocol address, among other information. In contrast, statistical data are PHR data that are aggregated and de-identified.  For example, statistical data may include the average age of PHR users with diabetes.

The Release Section

The Release section of the Model Notice tells consumers whether the PHR company releases their personal or statistical data (or both) for any of the following purposes:

  • Marketing and advertising, which includes the release or sale of data to marketing and advertising organizations seeking data to design more effective and specific ads about medications or other treatments;
  • Medical and pharmaceutical research, which includes the release or sale of data to medical and pharmaceutical companies seeking to analyze the effectiveness of medications or other treatments or to identify adverse reactions;
  • Reporting of company and customer activity, which includes a PHR company monitoring how its PHR is used by consumers so it may inform other consumers with similar characteristics that its PHR may be helpful to them;
  • Sharing with an insurer or employer, which includes the release of data to a consumer's past, current or prospective insurer or employer; and
  • Software application development, which includes sharing data with software application developers that create software that works with the PHR.

In addition, the Release section describes whether the PHR company has in place any contracts that restrict what third parties can do with consumers' personal data (e.g., further release the data to any other company). Finally, the Release section indicates whether the PHR company stops releasing personal data once the consumer closes or transfers his or her PHR.

The Secure Section

The "Secure" section indicates whether the PHR company implements data security measures and answers the following two questions.

  • Does the PHR company store PHR data in the U.S. only? A PHR company operating in the U.S. also may have business operations in other countries. If a PHR company answers "no" to this question, it means that the PHR company could store some or all of its users' PHR data outside of the U.S., which could affect whether U.S. laws apply to the protection of the data.
  • Does the PHR company keep PHR data activity logs for users' review? If a PHR company answers "yes" to this question, it means that the company tracks activity, such as data access, updates and data transfers, and allows consumers to see a copy of the logs.

Development of Model Notice

In 2008, ONC began a three-phase process to develop the Model Notice. As part of the process, ONC collected input from privacy experts and public and private stakeholders and conducted in-depth consumer testing to inform the Model Notice's content and design.

ONC now is seeking feedback from early adopters of the Model Notice, as well as consumers. The office intends to update the Model Notice based on the feedback it receives. 


to share your thoughts on this article.