Perspectives

Tuesday, July 13, 2010

Preserving Public Trust in Personal Health Records

Personal health records have great potential to empower patients to manage their own health care. Through PHRs, people can monitor chronic conditions, explore treatment and insurance options, ensure their health information is correct, share data with others to gain insight and support, and hold health care providers to high standards of accountability. However, as a 2010 California HealthCare Foundation survey recently demonstrated, the success of PHRs will depend in substantial part on whether consumers trust that their sensitive information is protected.

To preserve this trust, the Center for Democracy and Technology (CDT) believes PHRs should be subject to a comprehensive policy framework composed of a mix of legal requirements and voluntary best practices. CDT will be recommending baseline rules in a report on PHRs to be released this month; this piece provides a summary of those rules. CDT further urges that the best practices be modeled closely on the Markle Common Framework for Networked Personal Health Information. The Markle Foundation's Common Framework was developed and supported by a diverse group of 56 organizations, including leading technology companies, consumer organizations and representatives of HIPAA-covered entities.

A PHR is essentially an electronic tool that enables consumers to store, manage, use and share their personal health information. A key characteristic of PHRs is the high degree of control the individual consumer -- not the health care provider -- has over the service, including what data are uploaded to the PHR and with whom they are shared. Although about half of U.S. adults express some interest in using a PHR (according to the California HealthCare Foundation survey), actual consumer adoption of PHRs today is less than 10%.

Numerous studies indicate that privacy is a top reason for consumer reluctance to adopt PHRs. This concern is not unfounded. Many PHRs are not covered by major privacy and security oversight regulations for health information. For consumers, this means fewer assurances that their information is properly safeguarded. For industry, inconsistency or ambiguity in regulations can chill investment and innovation that can improve the quality of PHR services. A comprehensive policy framework for PHRs is the most effective means of providing greater protection for consumers and clarity for the marketplace.

New Regulatory Framework Needed

No single federal statute clearly or adequately applies to all forms of PHRs. HIPAA has the clearest and broadest applicability to PHRs, but only when those PHRs are offered by HIPAA-covered entities (such as health providers or payers) or their business associates (a PHR vendor is a business associate only when offering a PHR on behalf of a covered entity, per the HITECH Act and recent proposed rules from HHS). In recent years, however, many PHR-related platforms and services have been offered by entities that fall outside the bounds of the traditional health system and thus outside the coverage of HIPAA, including software manufacturers, search engines, online health sites and financial institutions.

Extending HIPAA to cover all PHRs is not the right solution. The HIPAA privacy rule was created to regulate the sharing of medical information under the control of providers and does not translate well to PHRs designed for consumer control. For example, HIPAA permits personal health information to flow without patient consent for treatment, payment and health care operations. These categories, especially with regard to operations, are much more expansive than most patients would expect. Such policies are entirely inconsistent with the concept of PHRs as tools operated at the consumer's direction.

Rather than simply expanding HIPAA, CDT believes that a better approach would be to construct new regulatory policies adapted specifically to PHRs that draw from HIPAA and other sources. These rules should protect consumers by restricting PHR vendors from engaging in certain practices, or by providing individuals with certain rights that go beyond those currently provided under HIPAA. The regulatory framework should also provide incentives for PHR vendors and related entities to engage in best practices based on the Markle Common Framework.

Tailor-Made Policies for Personalized Products

CDT's report, "Building a Strong Privacy and Security Policy Framework for PHRs," recommends baseline PHR privacy rules and urges the adoption of comprehensive best practices based on the Markle Common Framework. CDT's proposals are primarily directed at Congress and federal regulatory agencies seeking to initiate protections for consumers using PHRs. Among other things, CDT recommends regulators:

  • Require consumer consent to collect, use and disclose data in a PHR: The baseline standard for collection, use and disclosure of personal health information in the PHR should be a clear opt-in consent that is not conditioned on the use of the service. Specific consent should be required for any data collections, uses or disclosures of personal information that would be unexpected or considered sensitive by a reasonable consumer. However, relying too heavily on notice and consent often places the onus of privacy protection on consumers and leaves the bulk of the bargaining power with service providers. CDT, therefore, urges regulators to be vigilant of, and take action to prohibit, unfair marketing practices in the PHR space.
  • Establish a safe harbor to encourage best practices: A safe harbor should not just encourage mere compliance with legal requirements, but rather promote industry best practices that are more comprehensive than what the law requires. Safe harbor strategies grant favorable treatment, such as exemption from certain liabilities or penalties, to actors who meet the safe harbor standards. The requirements should mirror the policy and technology expectations in the Markle Common Framework, which go beyond CDT's proposed PHR regulations. The safe harbor regime must have independent approval and oversight components.
  • Require PHR providers to be transparent about their relationships with third-party applications and websites: The same federal policies that apply to PHR providers should be extended to their third-party applications and websites. PHR providers also should clearly communicate to users the precise nature of their relationships with these applications and websites. PHR providers should state clearly what privacy and security protections the PHR provider takes responsibility for, and what responsibilities are left to the discretion of the third-party applications and websites.
  • Require PHRs to adopt reasonable security and oversight mechanisms: PHR providers should adopt reasonable security protections, including technical, administrative and physical safeguards. In particular, PHR providers should adopt strong user authentication policies and immutable audit trails that record who accessed or disclosed which data, when, and for what purpose, so that misuse can be detected after the fact and the record of it cannot be quietly altered.
  • Prohibit the re-identification of aggregate or de-identified data from a PHR: PHR rules should include a strong prohibition against unauthorized re-identification of data obtained from PHRs, including penalties for those who inappropriately re-identify. PHR vendors should be required to use rigorous methods to prevent re-identification.
  • Require strong and consistent enforcement of rules: An effective enforcement scheme for PHRs should, at a minimum, authorize both federal and state consumer protection authorities to enforce the provisions; set criminal and civil penalties at a level that provides a strong incentive for compliance with the law; grant clear audit authority; require regular public reports to Congress by federal regulators on enforcement; and provide a limited private right of action.
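The "immutable audit trail" called for in the security recommendation above is the one control in this list that is implemented in code rather than in policy. The following is an added illustration, not code from CDT, the Markle Common Framework, or any PHR vendor, of one common way to build such a trail: a hash-chained, append-only log in which every entry commits to the entry before it. The actor names, resource paths and purposes are constructed sample data; the entry format and the `AuditLog`/`verify` names are this example's own assumptions. It also shows the caveat a reviewer should raise: a hash chain makes in-place edits detectable, but silently dropping the newest entries is only caught if an independent party retains a copy of the latest head hash (a checkpoint), which is where the "independent approval and oversight" the safe-harbor recommendation describes would bite.

```python
"""Hash-chained, append-only audit trail for a PHR (added example, not vendor code)."""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # hash that the first entry chains to (assumption of this example)


def _canonical(record: dict) -> bytes:
    # Canonical JSON so every verifier hashes exactly the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Each entry commits to the previous entry's hash as well as its own fields.
    return hashlib.sha256(prev_hash.encode() + b"\n" + _canonical(body)).hexdigest()


class AuditLog:
    """Append-only log: entries are only ever added, never rewritten."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def head(self) -> str:
        """Hash of the newest entry; this is the value an outside auditor should checkpoint."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, actor: str, action: str, resource: str, purpose: str) -> dict:
        prev = self.head()
        body = {
            "seq": len(self.entries),  # position in the chain, so reordering is detectable
            "actor": actor,
            "action": action,
            "resource": resource,
            "purpose": purpose,
            "prev": prev,
        }
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry


def verify(entries: List[dict]) -> Optional[int]:
    """Return the index of the first entry whose chain link is broken, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("prev") != prev:
            return i
        if _entry_hash(prev, body) != entry.get("hash"):
            return i
        prev = entry["hash"]
    return None


def build_sample_log() -> AuditLog:
    """Constructed sample data: three accesses to one hypothetical patient's PHR."""
    log = AuditLog()
    log.append("patient:ann", "upload", "phr/ann/labs/2010-06", "self")
    log.append("clinician:dr_lee", "read", "phr/ann/labs/2010-06", "treatment")
    log.append("app:glucose-tracker", "read", "phr/ann/vitals", "patient-authorized-sharing")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    checkpoint = log.head()            # what an independent auditor would retain
    print("intact:", verify(log.entries) is None)

    # In-place edit: rewrite who performed entry 1. The chain catches it.
    log.entries[1]["actor"] = "clinician:dr_nobody"
    print("first bad entry after edit:", verify(log.entries))
    log.entries[1]["actor"] = "clinician:dr_lee"  # restore for the next check

    # Truncation: drop the newest entry. The chain alone still verifies...
    log.entries.pop()
    print("intact after truncation:", verify(log.entries) is None)
    # ...but the head no longer matches the externally held checkpoint.
    print("matches checkpoint:", log.head() == checkpoint)
```

The design choice worth noting is that `verify` is deliberately stateless: anyone holding a copy of the entries can re-run it, which is what lets an oversight body audit a vendor's log without trusting the vendor's own tooling. What the chain cannot do is prevent the writer from rebuilding a shorter or different chain from scratch; that is why the head hash must be periodically handed to a party the writer does not control, or the log written to storage that enforces append-only semantics.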

Enabling a Tool for Action

PHRs could help bring about significant changes in health care, providing consumers with an effective way of storing, managing and sharing their health data and giving them tools to be more engaged in their own health. For PHRs to flourish, consumers must trust that the data they store in and share via their PHR are appropriately protected from misuse. Yet federal law today offers only a patchwork of protections at best, and does not effectively respond to the risks confronting consumers who use these tools.

The Markle Common Framework, already supported by many industry stakeholders and consumer advocates, provides the comprehensive set of policy and technology expectations PHRs need to preserve public trust. CDT calls on regulators to enact rules and incentives for industry best practices that will bring clarity and consumer protection to the PHR marketplace.



Readers are also invited to send feedback to: ihb@chcf.org