[Med-privacy] PHRs
peter marshall
pwm@comcast.net
Thu, 17 Apr 2008 16:46:24 -0700
Ashley Katz
Patient Privacy Rights
(512) 732-033 or (512) 897-6390
akatz@patientprivacyrights.org
http://www.patientprivacyrights.org/
REQUIRING PHRS TO BE HIPAA COMPLIANT PERPETUATES A BIG LIE:
THAT HIPAA PROTECTS PRIVACY
Patients should be cautious about using PHRs, but reliance on HIPAA is a
false security.
Austin, Texas -- Today the New England Journal of Medicine published
multiple articles on Personal Health Records (PHRs). The New York Times
also highlighted the warnings of two of the authors of one of the NEJM
articles, Drs. Mandl and Kohane, regarding PHRs not being covered by the
Health Information Portability and Accountability Act (HIPAA) (“Warning
on Storage of Health Records,” New York Times, by Steve Lohr, 4/17/08).
Each piece perpetuates a very dangerous and seldom challenged lie: that
HIPAA protects your privacy.
Contrary to popular belief, the “P” in HIPAA does not stand for
“privacy.” Rather, HIPAA allows millions of healthcare businesses to
snoop in our personal health records without our permission for
“treatment, payment and operations” (TPO), which allows data mining,
marketing and the sale of our electronic records.
Who decides when Americans’ health data can be used? Those holding the
data decide. Patients cannot refuse access. No audit trails exist to
prove who uses our sensitive information. Patients receive no notice of
the use of their information and there is no appeal process. Expanding
HIPAA so that it covers PHRs simply expands this loophole and ensures
PHR records can be data mined.
PHRs could very well open patients up even further to marketing, false
advertising, fraud and perhaps more importantly, discrimination.
Patients should be very careful and cautious about participating in any
PHR. Some PHRs don’t even have a posted privacy policy and the business
model for many PHRs is selling your personal health information.
Important Considerations Patients Should Ask of a PHR:
• Does the PHR provider have the rights to own your information?
• Does the PHR provider have the right under its “agreements” to sell
  or share your information?
• What security does the PHR provide?
• What physical and technical measures are in place to prevent identity
  theft?
• How do you authorize access to the information? If it does not
  require more than a password, say “no thanks”.
• Don’t even think about using a PHR offered by an employer or insurer.
  These are the last people you want to share all your personal health,
  eating habits and daily activities with.
The only current federal law we should rely on in governing PHRs is the
Federal Electronic Communications Privacy Act. The ECPA prohibits
publicly-available PHR systems from releasing information to private
parties without the consent of the account-holder and should trump the
weak protections in HIPAA.
This summer Patient Privacy Rights will roll out a new service for
patients that will provide an easy to understand explanation and grade
(A-F) of a variety of PHR privacy policies. In the meantime, patients
should proceed with caution. A PHR could be “HIPAA compliant” and still
be able to own your information, sell or share your information, and
have weak security. It would be a grave mistake for patients to trust
these HIPAA compliant PHRs. This compliance statement is as meaningless
for protecting privacy as a snake’s promise not to bite.
[....]