Wednesday, December 16, 2009

New Study Rates Privacy Protections of Electronic Health Record Systems

I want to alert everybody to a study recently published by Patient Privacy Rights (PPR) that rates the various Personal Health Record (“PHR”) systems currently available to consumers. A PHR can collect and store official records, labs, tests, and claims data directly deposited by providers.

In fact, as the article by Ashley Katz of (PPR) in the California Progress Report notes, A PHR can also store other health-related data such as heart rate, glucose levels, medications, allergies, exercise habits, lifestyle, sexual history, personal notes and other data you create. Most PHRS are online; some are programs that can be downloaded to your home computer. Many are free.

PHRs are designed for and marketed directly to you, the patient. You are most likely to be using a PHR right now if:

a) your employer offered it to you, or b) your insurance company offered it to you.

Before I get to more of that article about PPR's recent study, let me go back to some of what I have written hear about our nation's transition to electronic health records in the past. From a privacy perspective, the question is how "safe" will our VERY personal health data be in the coming cyber world of electronic health records, or more specifically, "Where is my data and who has access to it?"

Or perhaps even more importantly, "can my private data be traced back to me personally and sold to others?" According to a recent study by two computer scientists at the University of Texas at Austin, "re-identifying" customers was a lot easier than expected, and contradicts claims made by company's promising individual anonymity (in this case by NetFlix).

In other words, just because a customer's name, address, and other specific identifying information were not connected to their movie choices, the researchers were still able to correctly match them up through a process called "de-anonymization". Such a technique raises concerns that the same process could be used to do the same thing to individuals and their health records.

One of the most important challenges for privacy advocates has been making sure that the transition to electronic medical records includes ironclad data safeguards along with it. We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

Specific privacy guidelines for this transition were recently provided by The Center for American Progress, the Markle Foundation's Connecting for Health Initiative, the Center for Democracy and Technology, and others.

But for today's post, let's focus on how well the PHR systems that exist today rated with Patient Privacy Rights (PPR).

In an article today in the California Progress Report, PPR's Executive Director Ashley Katz writes:

PHRs and how the information stored in PHRs is used are not protected by any federal law. Your information can be used in many ways. Marketing is the obvious likely annoyance. But what if your employer could also see your sexual history? What if your insurance company knew how much alcohol you consumed this year or if you ate enough fruits and vegetables?

Patient Privacy Rights (PPR) sampled five PHRs and did our best to decode their privacy policies. The resulting Privacy Report Card spells out in plain English what control you actually have over your information with each PHR. The Privacy Report Card is available at and explains how each PHR earned their grade of A – F.


The bad news is other companies do not allow patients to control their PHRs. That is a scary thing when you consider that PHRs can store sensitive health information as well as lifestyle habits such as what you eat, how much you drink, and how often you exercise. This information can easily get into the wrong hands, especially if your PHR is offered by an employer or insurer. All PHRs claim to be “patient-centric” and claim that “privacy is important”, but it’s simply not true.

What grades did the PHRs earn?

CapMed’s ICE PHR: C

Google Health: D – Platform F - Partners

Microsoft HealthVault: B – Platform F - Programs

NoMoreClipboard: A

WebMDs: C

PHRs offered by Employers/Insurers: F


1) Know that if your PHR is sponsored by your employer or insurer, the odds are VERY GOOD that they have access to all your information. This was quite clear after reviewing a form privacy policy for employer/insurer sponsored PHRs. Sure, not every company is out there to take advantage but personal health information can be used to discriminate, damage reputations and harm opportunities.

2) Every company and product has their own privacy policy. Even if you feel comfortable with a PHRs policy and website, click on a link and leave the site, all bets are off. Any third party that touches your data may not be held to the same standard. This is a key lesson for the Google and Microsoft tools.


So what can be done?

1) The public needs to wake up and pay attention. Our personal health information is everywhere and being passed from one company to the next, without our permission or knowledge. If we don’t demand control, we will lose it forever.

2) We need federal laws that make Fair Information Practices the rule for all health information, including PHRs. Data shared for one purpose should be used solely for that purpose unless the patient gives consent for any new use. No single piece of data should be allowed to go to an employer, insurer or other entity without patient permission.

Click here to read the article in its entirety.

Granted, regulations alone will never be the end all solution when it comes to privacy in the information must be coupled with public awareness and the pressure that consumer choice can put on industry. '

But as it stands today, there still aren't uniform standards or even minimum standards for electronic medical records. Yes, there are some protections in the Health Insurance Portability and Accountability Act of 1996, as well as those in the new stimulus bill.

But key protections are still absent. The prohibition on the sale of medical records is weak and full of loopholes, nor does it apply to vendors like Microsoft or Google. Both companies have agreed to contracts that say they won't release your information, but there is no law mandating that they don't sell the information. If we've learned anything about corporate behavior in recent years, its that without ironclad, legal requirements, we shouldn't expect them to behave the way we'd expect from say, a human being.

Similarly, the breach provisions requiring companies to notify patients when electronic medical records are accessed does apply to Google and Microsoft, however, there are safe-harbor provisions that let companies off the hook from the notification requirement if the breach occurred in "good faith."

The federal law on the books only requires that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose.

In other words, there's a lot of work still to be done on this issue. The study by PPR I have highlighted today further validates these concerns, particularly in light of Google's scores of a D and F and systems offered by employers and insurers also receiving an F. These are two HUGE providers of what will be the electronic health record "industry" that are still failing us.


geriatric emr said...

It is important to make sure that all of your medical records are safe and secure.With electronic filing system, records are password-protected – keeping unauthorized parties out of the private records of patients.

neurology emr | psychiatry emr

Emr reviews said...

think one of the greatest hurdles is overcoming misconceptions in the minds of regulators, doctors and patients alike. I just returned from a trip to Germany and colleagues there are amused about America's 3rd World-like medical records situation.