Despite ONC's Effort, Comparing PHR Privacy Policies Still Challenging

by Kate Ackerman, iHealthBeat Managing Editor

To date, personal health record adoption has been somewhat limited, but the market is expected to get a big boost from Stage 2 of the meaningful use incentive program.

Deven McGraw -- director of the Health Privacy Project at the Center for Democracy & Technology -- said, "The market for those tools has been a little soft I think because people have really had to hand enter in the data or scan [them] in, as opposed to being able to feed [the information] directly from a provider's electronic health record, unless they happen to be a patient at Kaiser or part of a system that already offers them that tool." However, she said, "That's going to change in 2014 when a lot of the early adopters in the HITECH incentive program begin Stage 2 and start actively encouraging patients to view and potentially download and transmit their data."

But is the industry ready when it comes to privacy and security regulations?

Survey data show that consumers routinely cite privacy and security as top barriers to personal health record adoption. A 2010 survey from the California HealthCare Foundation found that 75% of U.S. adults without a PHR cited concerns about the privacy of their information as the top barrier to using a PHR. CHCF publishes iHealthBeat.

Jeff Donnell, president of PHR provider NoMoreClipboard, noted that consumers have been exposed to privacy and security issues in the financial services industry. He said, "So they take a look at that and recognize, 'Okay, often times information is used for nefarious purposes,' and people want to make absolutely certain that their data [do not] somehow get stolen or wiped and end up being used by identity thieves." He added, "It's not uncommon to hear about ... a major breach where thousands or hundreds of thousands or in some cases even millions of patient records walk out of an office on a laptop or unencrypted disc, and then those things disappear or get stolen. ... And, that gives people cause for concern."

Further, when consumers are considering PHRs sponsored by health plans or employers, they want to "make absolutely certain" that their data are not visible to their boss and that their health plan cannot use their information to deny coverage, according to Donnell.

Despite the survey data, McGraw said that in practice, convenience and usefulness -- not privacy -- are likely top of mind when consumers are deciding which PHR tool to adopt.

Donnell agreed. "Certainly there are going to be some people who rightfully are going to be very concerned about why would someone want my health information. You know, if I'm George Clooney or Britney Spears, I'd be worried because I know people are going to try to get at that data," he said.

However, he said, "If I'm an individual with diabetes or I'm taking care of an aging parent with congestive heart failure, you know what? I'm not all that worried about privacy and security. I'm worried about making sure that I have ready access to information that I'm able to easily manage it, share it with the people who need the data to properly care for me or my family member. So all of a sudden, those privacy concerns while they don't go away, they become very, very minimal in terms of importance."

Donnell said that the data analytics on NoMoreClipboard's website and application show that fewer than 1% of users actually take the time to click through and read the firm's privacy policy.

McGraw added that there is a lot of confusion among the general public about whether health data stored in PHRs are protected. She said, "Sadly, I think a lot of people assume that because it's health data that HIPAA will apply to the health data and give [them] some minimum protections, and that's not true for personal health records that are offered directly to consumers by commercial entities that are not doing so on behalf of a health care provider."

McGraw said that "the law is not necessarily ready for the" looming explosion in the PHR market, "but it's going to happen so the better prepared those of us on the consumer advocacy side can be at sort of advising people about making good choices, the better off we'll be, absent of getting Congress to get its act together and pass baseline privacy legislation."

Comparing PHR Privacy Policies

"Finding, understanding and comparing privacy and security practices of many PHR providers can be challenging, so it's not surprising that some people have trouble reaching a decision," Sean Nolan -- chief architect and distinguished engineer for Microsoft HealthVault -- said.

For a study published in August in the Journal of Medical Internet Research, researchers at the University of Murcia in Spain conducted a systematic review of the privacy policies of Web-based and no-cost PHR systems. The researchers found that the majority of the 24 PHR systems studied did not provide an in-depth description of the security measures they use.

The researchers then gave each tool a security score and a privacy score.

Microsoft HealthVault and NoMoreClipboard received the highest scores among the PHR systems still available. (Note: Google Health -- which received the second-highest privacy and security scores -- was discontinued in 2011.)

Experts say consumers should look for clarity and transparency when comparing the privacy policies of different PHR tools.

Nolan said consumers should "understand what they are agreeing to and what features are available to them to make privacy choices."

Donnell said consumers should look at whether the PHR or patient portal's privacy and security policies are easily accessible. "Is it on their website? Do you have to make 15 clicks to find it all? Or is it very, very apparent?" he asked. In addition, the actual policy should be specific and easy to understand, Donnell said. "Is it presented to you in plain consumer language? Is it easy to see how your data [are] and [aren't] going to be used? And, if it's not, if you're not comfortable or if you can't clearly see if it is, then you probably ought to keep looking."

McGraw noted that there usually are some clauses in the privacy policies that allow the company to have access to patients' data for certain business purposes. "And, I would look very carefully at what those are," she said.

"Are they spelled out clearly or are they in general terms, like, 'From time to time, we will access and use your data in order to improve our service to you'?" McGraw asked, adding, "To me, that doesn't say very much, and I would look for a policy that's much more specific about how the company uses data and ideally a policy that's transparent enough to parse the difference between data that identifies you and data that is de-identified or anonymized in some way."

McGraw said, "It's unfortunate that sometimes this can be quite a challenging task to get a clear picture of what the companies' policies are."

Could ONC's PHR Model Privacy Notice Be a Game Changer?

In 2011, the Office of the National Coordinator for Health IT unveiled a PHR Model Privacy Notice to help providers of Web-based PHRs alert consumers to their data sharing and privacy and security policies. The model privacy notice aims to help consumers make more informed decisions when choosing a PHR. The notice is modeled after a nutrition facts label for food, with the idea being that a standard template can help consumers understand and compare information.

McGraw said, "ONC did a lot of work in terms of surveying consumers about what they would look for and testing the label to make sure it was understandable," adding, "It's certainly the place where I tell people to go if they're looking in the marketplace for a PHR, and they have concerns about privacy and security, which I hope they do."

Use of the model notice is voluntary. And more than a year after its release, only two vendors -- Microsoft HealthVault and NoMoreClipboard -- are using it, according to an ONC spokesperson. The spokesperson said that ONC is in conversations with other PHR vendors but that it would be premature to say more.

Nolan said, "We are very supportive of ONC's work in this area and display our privacy notice prominently on [our] homepage. Unfortunately, adoption of the format by other PHR providers has been limited to date, so it's difficult to really assess the impact the program can have."

McGraw said that "ONC's comparison tool is a good one, and I wish more companies would sign up for it and use it. I think it would be incredibly helpful to consumers to be able to compare privacy policies."

Donnell said that NoMoreClipboard sees the model notice as a competitive advantage "because when people see the way we treat their data, compared with how other people do it, that'll be a plus [for us]."

Donnell added that he would like to see use of the PHR model privacy notice become mandatory.

McGraw said that while she'd like more vendors to use the tool, she's not sure "there's a vehicle for making it mandatory" without an act of Congress, noting that the Federal Trade Commission, not HHS, regulates PHRs.

However, she said that the federal government should step up promotion of its resources.

McGraw said, "One option, for example, is to use the regional extension centers to reach out to doctors to make the URL for the label known to their patients who are looking for ways to download their data that they're going to have the right to get and that they're going to be encouraged to get as part of Stage 2." She added, "If patients are being directed to the resource then that's going to, I think, provide a great incentive for personal health record vendors to be on that."

McGraw said, "Even without a mandate, that's one way that the federal government can encourage people to use a tool that they spent taxpayer dollars creating. And, that is a good tool."
