
Patients should be cautious about using PHRs, but reliance on HIPAA is a false security.

Austin, Texas — Today the New England Journal of Medicine published multiple articles on Personal Health Records (PHRs). The New York Times also highlighted the warnings of two of the authors of one of the NEJM articles, Drs. Mandl and Kohane, regarding PHRs not being covered by the Health Information Portability and Accountability Act (HIPAA) (“Warning on Storage of Health Records,” New York Times, by Steve Lohr, 4/17/08). Each piece perpetuates a very dangerous and seldom challenged lie: that HIPAA protects your privacy.

Contrary to popular belief, the “P” in HIPAA does not stand for “privacy.” Rather, HIPAA allows millions of healthcare businesses to snoop in our personal health records without our permission for “treatment, payment and operations” (TPO), which allows data mining, marketing and the sale of our electronic records.

Who decides when Americans’ health data can be used? Those holding the data decide. Patients cannot refuse access. No audit trails exist to prove who uses our sensitive information. Patients receive no notice of the use of their information and there is no appeal process. Expanding HIPAA so that it covers PHRs simply expands this loophole and ensures PHR records can be data mined.

PHRs could very well open patients up even further to marketing, false advertising, fraud and, perhaps more importantly, discrimination. Patients should be very careful and cautious about participating in any PHR. Some PHRs don’t even have a posted privacy policy, and the business model for many PHRs is selling your personal health information.

Important Considerations Patients Should Ask of a PHR:

* Does the PHR provider have the rights to own your information?
* Does the PHR provider have the right under its “agreements” to sell or share your information?
* What security does the PHR provide?
* What physical and technical measures are in place to prevent identity theft?
* How do you authorize access to the information? If it does not require more than a password, say “no thanks”.
* Don’t even think about using a PHR offered by an employer or insurer. These are the last people you want to share all your personal health, eating habits and daily activities with.

The only current federal law we should rely on in governing PHRs is the Federal Electronic Communications Privacy Act. The ECPA prohibits publicly-available PHR systems from releasing information to private parties without the consent of the account-holder and should trump the weak protections in HIPAA.

This summer Patient Privacy Rights will roll out a new service for patients that will provide an easy-to-understand explanation and grade (A-F) of a variety of PHR privacy policies. In the meantime, patients should proceed with caution. A PHR could be “HIPAA compliant” and still be able to own your information, sell or share your information, and have weak security. It would be a grave mistake for patients to trust these HIPAA-compliant PHRs. This compliance statement is as meaningless for protecting privacy as a snake’s promise not to bite.

About Dr. Deborah Peel and PatientPrivacyRights.Org

Patient Privacy Rights is the nation’s health privacy watchdog, led by consumers and patients and based in Austin, TX. The mission of Patient Privacy Rights is to ensure that Americans control all access to their health records.

Dr. Peel, Founder and Chair of Patient Privacy Rights, learned firsthand about the importance of health privacy throughout her thirty-plus years as a practicing psychiatrist and is known for her straightforward and fiery advocacy. Patient Privacy Rights and Dr. Peel earned the attention of Congress in 2006 by working cooperatively to form the bi-partisan Coalition for Patient Privacy. The Coalition includes nearly 50 organizations from across the political spectrum, including the Family Research Council, the Electronic Privacy Information Center, and the ACLU.

In 2007 Dr. Peel was named #4 of the 100 Most Powerful People in Healthcare by Modern Healthcare magazine.
