PHRs? No, No, NO

They’re not quite here yet, but they’re coming.  PHRs.  Personal Health Records.  And they sound like the greatest thing since the proverbial sliced bread. 

You’ll love them, until you don’t.

You probably think your medical record is yours.  You probably believe that all the information contained in all the records maintained by all the docs, dentists, shrinks, chiropractors, etc., that you’ve ever been treated by, belongs to you.  All those other people are just keeping your records for “safekeeping.”  But really, if you wanted them, you could have them.  After all, they’re about you, right?

So along comes a nice web-based company, a big one, one you’ve heard of and boy, are they legit.  You trust them.  They wouldn’t be that big and have such a huge Internet presence if they weren’t on the up and up, right?

And this nice big company has a new service: a Personal Health Record, a PHR.  For a modest fee, you can arrange to have your docs, and dentists, and shrinks, and all the rest of them, download your health records into the PHR.  Now all your information is yours, all yours, right?

Or, maybe your employer has arranged for all its employees to store their health records, and those of their families, in a PHR.  Free!  You won’t pay a dime!  

Not so fast.

Let’s take a look at all the pros (very short list) and all the cons (very long list) of the fabulous new internet-based PHR. 

Oh, wait, actually there are no pros, only a lot of cons.

1.  Physical and electronic safety and security

First, it’s possible that something could happen to the computer where your PHR is stored.  Fires, hurricanes, tornadoes, and other disasters really do happen; so do mistakes in server rooms (the secure places where the computers live) when the fire alarm system malfunctions and sprays all the servers with water or halon or whatever they use in server rooms.  Oh, well.  Stuff happens.

But the company that is storing your PHR probably has a disaster recovery plan.  Well, you hope they do, anyway.  You also hope that they perform daily backups (make copies of the data), and store the backups of your information on a server at a separate location.  And, even more, you hope that they test their backup and recovery routines – and make sure that if there is a disaster and they have to download a copy of your PHR from that other location, the new downloaded copy really works.  Because if it doesn’t, well, too bad about your PHR, it’s gone.
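The drill described above (back up, restore at a separate location, and prove the restored copy really works) is easy to state and easy to skip. As an added illustration, not code from the post or from any PHR vendor, here is a small Python backup-and-restore verification: it writes a SHA-256 manifest alongside the backup, restores into a second directory, and checks every restored file against the manifest, so a truncated or missing file is reported instead of being discovered on the day of the disaster. The directory layout, manifest format and function names are this example’s own assumptions, and the “records” are constructed placeholder files.

```python
"""Backup-and-restore verification drill (added example, not from the post).

Assumes records are plain files in one directory; the manifest format and
the function names are this example's own, not any PHR vendor's.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large records need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir):
    """Copy every file in src_dir to backup_dir and record its digest in a manifest.

    The manifest travels with the backup, so the restore site can check
    integrity without consulting the (possibly destroyed) primary.
    """
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {}
    for name in sorted(os.listdir(src_dir)):
        src = os.path.join(src_dir, name)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(backup_dir, name))
            manifest[name] = sha256_of(src)
    with open(os.path.join(backup_dir, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def restore_backup(backup_dir, dest_dir):
    """Restore the backup into dest_dir (the 'other location'); return the manifest."""
    os.makedirs(dest_dir, exist_ok=True)
    with open(os.path.join(backup_dir, "MANIFEST.json")) as f:
        manifest = json.load(f)
    for name in manifest:
        src = os.path.join(backup_dir, name)
        if os.path.isfile(src):  # a file missing from the backup is caught by verify_restore
            shutil.copy2(src, os.path.join(dest_dir, name))
    return manifest


def verify_restore(dest_dir, manifest):
    """Compare every restored file against the manifest.

    Returns a list of problems; an empty list means the restore really works.
    Both a missing file and a file whose digest differs are reported.
    """
    problems = []
    for name, expected in sorted(manifest.items()):
        path = os.path.join(dest_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing after restore")
        elif sha256_of(path) != expected:
            problems.append(f"{name}: digest mismatch (corrupt or truncated)")
    return problems


def run_drill(corrupt_one=False):
    """End-to-end drill on constructed sample records; returns the problem list."""
    with tempfile.TemporaryDirectory() as root:
        primary = os.path.join(root, "primary")
        backup = os.path.join(root, "backup")
        offsite = os.path.join(root, "offsite_restore")
        os.makedirs(primary)
        # Constructed sample records; the contents are placeholders, not real PHI.
        samples = {"record-0001.txt": "hives, 2008-01-10",
                   "record-0002.txt": "annual physical, 2007-11-02"}
        for name, body in samples.items():
            with open(os.path.join(primary, name), "w") as f:
                f.write(body)
        manifest = make_backup(primary, backup)
        restore_backup(backup, offsite)
        if corrupt_one:
            # Simulate a truncated copy at the restore site.
            with open(os.path.join(offsite, "record-0001.txt"), "w") as f:
                f.write("hives")
        return verify_restore(offsite, manifest)


if __name__ == "__main__":
    print("clean drill:", run_drill() or "OK")
    print("corrupted drill:", run_drill(corrupt_one=True))
```

The point of the drill is the last step: a backup that has never been restored and checked is a hope, not a plan.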

And, of course, you hope that your PHR company, because they’re such a giant, well-known organization, has a terrific Internet Security Policy, and a practically impenetrable firewall around their servers so that no hackers can electronically access your PHR without authorization.  Well, you hope the firewall is strong, but really, even the federal government’s computers are sometimes hacked, and they have the best security of all.  And there have been hundreds of breaches of servers that hold consumer information; just use Google to look up “privacy breaches” and see what you get.  My personal favorite for this kind of information is

But what if the worst happens, and your kid’s personal health information is breached and stolen from the family PHR?  Does the PHR company owe you anything beyond a notification and an apology?  What’s in the fine print in that contract you signed with them?  Your kid may suffer legitimate damages – her credit may be scarred even though she’s only eight years old, but you’re going to have to clean it up so that it doesn’t affect her ability to get student loans in about ten years.  Can you sue the PHR on behalf of your child and recover damages?  Just what did that pesky fine print say about all that?

Let’s make it even worse – what if the PHR is being paid for by your employer?  What if you never even saw the fine print, because the contract is between the PHR and your company?  Who is going to make your daughter’s credit whole again?  If you get a “too bad, so sad” comment from the PHR company or your employer, who do you sue?  Both of them, neither of them?

Or, how about this scenario: what happens if your kids get hold of the password to your PHR?  Let’s say your tweener tries to log on to your PHR, but can’t get past the password.  He clicks “Forgot Your Password?”  And then he goes to your email account and gets the instructions to set a new password.  He sets the new password, and then trolls through the PHR.  The next time you log onto the PHR, you enter your password but it doesn’t work, so you think nothing about it other than you just don’t remember the password.

Oh, yeah, and then there’s the PHR’s Privacy Policy.   

There is no federal requirement that a PHR notify you if it changes its privacy policy.  Do you read the privacy policies that your bank and your credit card companies send every year?  Thought not.  Do you think you’ll read your PHR’s privacy notice each year?  Probably not.

Believe it or not (and I know how hard this is for some of you to believe), your health records are a lot more secure in your various providers’ offices than they are in an online storage scheme like a Personal Health Record.  Your providers are required to protect your records, and they have a lot of incentives to do so.  A for-profit company doesn’t have those same requirements.

2.  What if some information in your PHR is wrong?

Let’s say that recently you were treated for a minor condition at one of your health providers, and you’ve downloaded a copy of your health record from your PHR to review the information about your latest problem.  But there’s a mistake.  Instead of a note about your case of hives, you see a note about your ongoing recovery from your recent hip replacement.

Nope, nothing about your recent issues with urticaria (those pesky hives), but lots of info about the hip replacement, your upcoming physical therapy, blah blah blah.

Did your provider accidentally upload another patient’s health information?  Or did the PHR system have a bug and upload the correct information to the wrong internal file?  Who made the mistake?  Who do you call?  If you call your provider, will his office manager insist that they did not make the mistake?  If you call the PHR, will they insist that your provider did indeed make the mistake?  They said, they said.  Where will that leave you?  How many hours will you have to spend on hold, waiting for a representative to talk with you about this problem?

And what about the other patient?  Who is going to inform them of the very clear privacy breach that occurred?

The HIPAA Privacy Rules have a process that the provider must follow whenever you obtain a copy of your health records and find an error.  But the PHR doesn’t have to follow the HIPAA Privacy Rules.  You’ll probably have to follow your PHR’s rules, whatever they are.  Whether they will help you or not is just unknown at this point.

I know of a patient who thought that he’d be able to get greater benefits from his employer if he was diagnosed with a serious mental health condition.  He filed a request to have his medical record amended to include a diagnosis of schizophrenia.  He claimed that during a visit to an ER at some point in the past, someone in the ER asked him if he’d ever been diagnosed with schizophrenia.  A review of his records for that ER visit revealed that no such question had ever been raised, nor was there any evidence in his records that he’d ever been evaluated for or diagnosed with that disease.  His request for the amendment to the record was, of course, denied.

But what if that same patient had a PHR, and had the ability to amend his health records himself?  What if his record suddenly showed a diagnosis of schizophrenia?  What if he were now able to obtain federal or state benefits?  Probably wouldn’t happen, because in this extreme case he would be examined by other providers to determine whether or not he did suffer from schizophrenia prior to treatment.  But what about someone else, who puts a far less serious diagnosis in their PHR?  These things can all be checked and verified, but how much extra time and effort will have to be taken?  And when these kinds of things become more common than not, will health providers even trust PHRs? 

3.  Who will be able to get a copy of your PHR?  And, will they tell you when they do?

Right now, there are a number of instances in which your health provider may give a copy of your records to a third party without your prior authorization.  But in all of those instances the provider is required to keep a record of those disclosures, and you can see the record of those disclosures any time you want – requesting an “accounting of disclosures” from your providers is one of the specific rights that the HIPAA Privacy Rules give you.

But PHRs are not required to follow the HIPAA Privacy Rules, and they don’t necessarily have to tell you when they share or disclose your health records with a third party. 

Let’s say your PHR company accepts advertising.  You’re looking at your records online, and up comes an ad for a cholesterol-lowering drug.  Makes sense, right?  After all, you’re in your 40s, and your cholesterol is a little high.

What?!  How is it possible that an ad for a statin drug just happened to pop up when you’re online? 

It happened because your PHR shared your health information with their advertisers.  No one told you that your health information would be shared, if not outright sold, for marketing purposes.  Must have been something about it in the fine print of that contract you forgot to read (or your employer forgot to give you a copy of). 

The HIPAA Privacy Rules prohibit the disclosure or sale of your health information for marketing purposes without your written authorization.  But PHRs are not required to follow the HIPAA Privacy Rules.  You think all those ads on TV for Viagra® and other medications are annoying?  Just wait till they follow you online and become personalized.  As far as the advertising partners of your PHR are concerned, you’re not a patient, you’re a consumer.   
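Two of the provider-side protections the post describes above, the “accounting of disclosures” a patient can request and the rule that a release for marketing needs written authorization, can be made concrete in code. The following Python ledger is an added example, not code from the post or from any provider or PHR system: every release of a record is logged before it happens, the log is hash-chained so a removed or edited entry is detectable, a marketing release without authorization is refused, and the patient can pull their own accounting at any time. The class names, the `ROUTINE_PURPOSES` list and the scenario data are this example’s constructed assumptions; which purposes really need authorization is a legal question the code does not settle.

```python
"""Accounting-of-disclosures ledger (added example, not from the post).

Shows two controls the post attributes to the HIPAA Privacy Rules: every
release of a record is logged where the patient can read it, and a marketing
release without written authorization is refused. Class names, field names
and the purpose list are this example's own assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Purposes this ledger releases without a patient's authorization.
# Constructed for the example; the real categories are a legal matter.
ROUTINE_PURPOSES = {"treatment", "payment", "operations"}


class DisclosureRefused(Exception):
    pass


@dataclass(frozen=True)
class Disclosure:
    seq: int
    when: str
    patient_id: str
    recipient: str
    purpose: str
    authorized: bool
    prev_hash: str
    entry_hash: str


class DisclosureLedger:
    """Append-only log; each entry hashes the previous one, so a deleted or
    edited entry breaks the chain and verify() reports it."""

    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(fields):
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def disclose(self, patient_id, recipient, purpose, authorized=False, when=None):
        """Release a record to `recipient` only if policy allows, logging it first."""
        if purpose not in ROUTINE_PURPOSES and not authorized:
            raise DisclosureRefused(
                f"{purpose!r} disclosure of {patient_id} to {recipient} needs written authorization")
        prev = self._entries[-1].entry_hash if self._entries else self.GENESIS
        fields = {
            "seq": len(self._entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "patient_id": patient_id,
            "recipient": recipient,
            "purpose": purpose,
            "authorized": authorized,
            "prev_hash": prev,
        }
        entry = Disclosure(entry_hash=self._digest(fields), **fields)
        self._entries.append(entry)
        return entry

    def accounting_for(self, patient_id):
        """What the patient sees when they ask 'who got my records?'"""
        return [e for e in self._entries if e.patient_id == patient_id]

    def verify(self):
        """Return True only if no entry has been altered, reordered or removed."""
        prev = self.GENESIS
        for i, e in enumerate(self._entries):
            fields = asdict(e)
            claimed = fields.pop("entry_hash")
            if e.seq != i or e.prev_hash != prev or self._digest(fields) != claimed:
                return False
            prev = claimed
        return True

    def tamper_delete(self, seq):
        """Demonstration only: silently drop an entry, as a dishonest operator might."""
        self._entries = [e for e in self._entries if e.seq != seq]


def demo():
    """Constructed scenario; returns (accounting, marketing_refused, chain_ok_after_tamper)."""
    ledger = DisclosureLedger()
    ledger.disclose("pt-1001", "Dr. Ortiz (referral)", "treatment", when="2008-02-01T10:00:00+00:00")
    ledger.disclose("pt-1001", "Acme Health Plan", "payment", when="2008-02-02T09:30:00+00:00")
    refused = False
    try:
        ledger.disclose("pt-1001", "StatinCo Advertising", "marketing")  # no authorization
    except DisclosureRefused:
        refused = True
    ledger.disclose("pt-1001", "Research registry", "research", authorized=True,
                    when="2008-02-03T12:00:00+00:00")
    accounting = ledger.accounting_for("pt-1001")
    ledger.tamper_delete(1)  # someone tries to hide the payment disclosure
    return accounting, refused, ledger.verify()


if __name__ == "__main__":
    acct, refused, ok = demo()
    for e in acct:
        print(e.when, e.recipient, e.purpose, "authorized" if e.authorized else "routine")
    print("marketing release refused:", refused, "| chain intact after deletion:", ok)
```

The contrast with the post’s PHR scenario is the whole point: the ad could only appear because nothing like this ledger stood between the record and the advertiser, and nothing let the patient ask afterwards who had received what.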

And then there are the cases where you believe that a health provider made a mistake with your care or treatment, and you believe you are entitled to damages.  Can opposing counsel get a copy of your records without your even knowing about it?  Maybe.  Depends on your PHR, of course, and their policies. 

Or, maybe you were accused of, say, a DUI.  In most cases the courts require that a subpoena be utilized in order to obtain your records.  Okay.  Under the HIPAA Privacy Rules you have a right to know when your records are being obtained by the use of a subpoena.  But your PHR doesn’t come under the HIPAA Privacy Rules, hence you may never know that your records have been subpoenaed and your attorney will not have the opportunity to contest the subpoena.  Not so great.

There are other questions to consider, too.  If the PHR is owned by your employer, will they snoop?  If the PHR is owned by your insurance company, will they snoop?  What happens if your PHR is privately owned (you pay them a fee to store your records), and is subsequently sold to an overseas company?  Will they care about American privacy laws?  I could come up with lots of other what ifs.  You probably can, too.

Mr. Robert Gellman is very helpful in his white paper for the World Privacy Forum, Personal Health Records: Why Many PHRs Threaten Privacy (1), with the following tidbit:

“A 2007 study of PHR privacy policies conducted for the Department of Health and Human Services found that only 3 percent, or one in 30, of PHR privacy policies state that explicit consumer consent (is) necessary prior to the vendor sharing any of the data in the PHR.” (2)

Three percent, huh?  Not so great.

4.  Who really owns the health information in your PHR?

What if your employer owns your PHR?  Does this mean that Human Resources can learn whether you’re a diabetic, morbidly obese, or a smoker, and subsequently raise your health insurance rates, or make weight loss a condition of your continued employment? 

What happens to your health data when you move on to another job?  What if your new employer doesn’t have a PHR?  Will you have to pay for a private PHR?  Or will your data just be erased – and what proof will you have that your health information was really “erased”?

What if your insurance company owns the company that stores your PHR?  No authorizations needed here – the insurance company will have instant access to everything about you.  And so will every other insurance company.  What happens when your new employer offers you health insurance from the company that owned your PHR at your last company?  And what happens if they refuse to insure you based on information they’ve gathered, without your consent or knowledge? 

Not so great.

5.  Provider-Patient Confidentiality

Questions about provider-patient confidentiality are not rhetorical.  Will that confidentiality exist, in a legal sense, when you or your provider upload your health information to a commercial PHR? 

Mr. Gellman makes a great point about this in Personal Health Records: Why Many PHRs Threaten Privacy: “. . . it seems certain that a prosecutor or another person who wants a consumer’s health record will argue that the consumer” – that’s YOU – “waived any privilege by sharing the record with a third party.  A court is likely to agree that the patient waived the privilege by consenting to the disclosure (to the third party).”

Once again, you’re just another consumer, no longer a patient.  And your provider-patient confidentiality rights may fly right out the window the first time you utilize a PHR.

*  *  *

Look, HIPAA may not be the most robust protection for health information, but it’s better than nothing.  Trusting your health information to a PHR means that you’ve got nothing – no federal, and probably no state, health privacy protection laws.  Sure, maybe the FTC might get involved in a dispute, but what do they know about health privacy?

At some point you’re going to be approached about utilizing a PHR.  It may be free, or it may be one that you pay for.  It may be sponsored by your employer, or by some other third party.  When that time comes, here’s my advice: Just say NO.  Once you open your most private information, and that of your children, to a commercial enterprise, that genie will be out of the bottle, and you and your family may suffer greatly as a result.

1. Original publication February 20, 2008 at Document URL:  Also, see:

2. See R. Lecker et al., Review of Personal Health Record (PHR) Service Provider Market, Jan. 5, 2007.


2 responses to “PHRs? No, No, NO

  1. HipaaDiva: Maybe patients can bolster privacy by inserting legal terms of access (like an end-user license agreement) into the content of their electronic medical records. The terms could set binding rules for who may view data and when. The idea is not legal advice, just something to think about. –Ben

  2. This is an interesting idea that could be played with — as long as the patient is the one paying for the PHR. May get sticky when the employer owns the PHR. Thanks!
