Report: Personal Health Records – Why Many PHRs Threaten Privacy

This report is a legal analysis of PHRs and what privacy issues are at stake in PHRs, especially PHRs that exist outside of HIPAA, the federal privacy rule.

Personal health records – or PHRs – are a relatively new phenomenon in health care today. As discussed here, a PHR is a health record about a consumer that includes data gathered from different sources (e.g., health care providers, insurers, the consumer, and third parties such as gyms and others) and is made accessible, often online, to the consumer and to those authorized by the consumer. Businesses large and small are moving to take advantage of the potentially lucrative new business model PHRs provide, especially as leveraged through the Internet. Some of the newest PHR players include large and well-known technology companies, but some health care providers, insurers, and employers also promote PHRs. There are dozens of different PHR vendors.

The HIPAA privacy rule provides a degree of privacy protection for covered health records. The rule has problems and gaps, but it does establish minimum national privacy standards for disclosure, access, correction, and other elements of fair information practices. State laws that provide additional privacy protections remain in effect and can provide additional legal protections for privacy.

Many people are aware that health information may be privileged, but few – including some physicians – fully understand what that means. The physician-patient privilege (and the sometimes separate psychotherapist-patient privilege) offers some protections for confidential communications between physician and patient.

Health records, like just about any other record containing personal information held by a third party, can be subpoenaed under a variety of circumstances. For example, a consumer’s records could be sought in a tort suit (e.g., auto accident or medical malpractice), in a divorce or other family lawsuit, or sought if the records are relevant to someone else’s lawsuit. The rules governing subpoenas for health records are complex, and HIPAA includes some significant procedural protections.