Security and Privacy Concerns
The definition and details of how a PHR should ultimately function are both works in progress. The term "Personal Health Record" has been in use since 1978 and initially was applied to simple, paper records kept by individual patients. Today, it usually implies an electronic database of some kind. There are currently dozens of PHR vendors on the market. Some are internet-based; some are software-based. There are free PHRs open to everyone, and there are private PHRs paid for by employers and only offered to employees of specific companies. Some PHRs are internet applications that can connect and share information with your local pharmacy; others are Radio Frequency Identification (RFID) chips that are implanted under your skin and can only be read with special scanners (the "VeriChip," produced by a company called PositiveID Corp). And that's just a sampling of the possibilities.
Why, then, has the public been so hesitant to embrace PHRs? Recent surveys suggest that only about 2.7% of American adults (about 6.1 million) are actually using electronic PHRs. It may be that the wide range of PHRs is in fact the very reason they have been so slow to catch on: the lack of standardization across the world of PHRs is a serious cause of concern among many. Unlike electronic health records, which are kept at the offices of providers and are federally regulated by the Health Insurance Portability and Accountability Act (HIPAA), PHRs exist in an unregulated consumer market. For example, the two largest PHR vendors, Google Health and Microsoft HealthVault, both claim that they are not "covered entities" according to HIPAA.
Lack of HIPAA coverage means that:
- Identifiable health information may leak out of a PHR into the marketing system or to commercial data brokers.
- The information in a non-HIPAA covered PHR may be sold, rented, or otherwise shared.
- It may be easier for consumers to accidentally or casually authorize the sharing of records in a PHR.
- Consumers may think they have more control over the disclosure of PHR records than they actually do.
- Privacy protections offered by PHR vendors may be weaker than consumers expect and may be subject to change without notice or consumer consent.
- PHR records can be more easily subpoenaed by a third party than HIPAA-covered health records.
*Source: World Privacy Forum
Progress vs. Fear
This is not to say that PHRs are necessarily insecure. The point, rather, is that there are no established guidelines as to the required security measures, or even functionality, of a PHR.
"Buyer beware" applies as much in the PHR market as in any consumer market. However, as in other markets, consumers of PHRs do have some assurances and guarantees. As Evans correctly emphasizes, no matter what HIPAA says, PHR vendors are deliverers of a consumer good and makers of a consumer promise and are thus dependent on the regulatory scope of the Federal Trade Commission. "The FTC is a lot more aggressive [than HIPAA] when it comes to protecting consumers from organizations that would dupe them or misuse their data," says Evans.
Hwang, for his part, warns that although security risks are a valid concern, progress should not be impeded by fear. He offered another example for perspective, pointing to the concerns over security when ATMs were first introduced. "A lot of people said it was nuts," says Hwang. "They thought people would screw up their bank accounts when trying to handle transactions without the presence of a teller. Now ATMs and online banking are such a convenient option that we don't think twice about it." Hwang says it's imperative to make the technology available and to give people the option to use it. The market will decide what is to the benefit of the public.
The bottom line is that PHRs are a burgeoning technology, offering intrepid patients and healthcare consumers an opportunity to start to take control of their healthcare out of the hands of "professionals" and into their own. A PHR may not be for everybody, but for the right person, it can be a valuable tool in improving the quality and lowering the overall cost of healthcare.