Medical-Privacy Alert
How Your Personal Health Records Are at Risk
Storing your personal health information electronically is a double-edged sword: You get easy access to your medical history and the ability to quickly share your data with medical personnel, but you run the risk that your privacy will be invaded. Some online providers of health-information storage are covered by federal law, but others might leave you vulnerable.
When identity thieves come lurking, it’s not just your name, address and Social Security number that might be vulnerable: Increasingly, it’s your private health information as well.
In the past, your medical information was in a paper file that was tucked away in a doctor’s office or hospital. You weren’t in control of it, but the potential that your information might be abused if someone swiped your file was limited by the fact that it couldn’t be easily spread about. That’s changed. Now, you can compile electronically, and theoretically control, a personal health record (PHR), which typically is the collection of all of your medical conditions, illnesses, surgical procedures, treatments, medications and doctors’ notes.
Information that is kept by your doctor and hospital now might be stored electronically, which, of course, exposes it to data breaches and snooping. But that’s not the only peril: If you store your PHR online through one of dozens of online service providers, your data could be exposed to people who might use your information without your knowledge to, say, obtain medical treatment. They might even sell your information to others. American Health Information Management Association counts at least 84 online PHR providers. Experts tell us that there likely are hundreds, and more on the way, because of the aging population and the trend toward using Web-based services for finance, health care and social networking.
The appeal of having your PHR online is easy to understand, because it serves as a central repository for all of your health information to be available for you to monitor and, through a few keystrokes, quickly share with health-care providers.
But the potential for that information to be stolen is troubling: Privacy Rights Clearinghouse, which is a consumer-privacy watchdog, has cataloged more than 300 incidents of medical-data breaches since 2005, both from stolen devices and from websites that store your PHR. The problem actually is much larger: Department of Health and Human Services’ (HHS) Office for Civil Rights reports that since September 2009, at least 50,000 people have experienced a breach of unsecured electronic health information.
The number of people whose health information has been exposed probably is much higher, because Federal Trade Commission is obligated to post on its website only breaches that affect 500 or more individuals in a single incident, says Chris Apgar of Apgar & Associates, which specializes in electronic-health-information privacy and security. Apgar predicts that the number of breaches will rise, because some online PHR sites don’t encrypt their data, and notebook computers and other portable devices that store PHRs are tempting targets for thieves.
Do Your Own PHR Diagnosis
The Health Insurance Portability and Accountability Act (HIPAA), which is the federal law that mandates health privacy, sets standards that companies that store your PHR must follow. But you should know that HIPAA doesn’t apply to all PHR suppliers. You can set up a PHR online through a hospital, doctor’s office, employer or health insurer, as well as through advertising-based websites. The good news is that the majority of those online PHR sites let you store your information for free. Less cheery is the fact that because not all entities that store PHRs have to follow HIPAA guidelines, they can’t guarantee that only you or those whom you designate will see your private medical information.
GET PERSONAL. The use of online PHRs remains relatively low. Only 7 percent of the 1,849 participants in an April 2010 survey said they retrieved, stored and updated their health information through online PHR suppliers. (The survey was conducted by California HealthCare Foundation [CHCF], which supports health-care innovation and technology.) However, if that percentage were applied nationwide, it represents a big jump since 2008, when 2.7 percent of Americans had online PHRs, according to Markle Foundation, which promotes the use of health-care technology.
The CHCF survey also found that those who have online PHRs are more engaged in their health care. The study found that people who use websites to get, keep and update their PHRs took steps to improve their health. For example, some online PHR programs let you track your blood pressure or your glucose levels to help you to monitor your diabetes by graphically displaying the data that you enter. You might even be able to send that information to your doctor, who can interpret the results to better manage your care.
If the use of online PHRs points to better self-care (meaning lower health-care expenses for insurers and providers), don’t be surprised if participation becomes mandatory. Experts say that if consumers eventually are required to store their PHR online, those who choose not to participate might face higher insurance premiums or fewer covered services.
PHRs are not the same thing as EHRs (electronic health records), which are created, updated and used exclusively by your health-care provider. EHRs and PHRs store similar health information, but PHRs allow you to enter and control the information. EHRs do not.
The federal government earmarked $19 billion for medical-records technology to accelerate the adoption of EHRs, so health information can be shared nationwide. The goal is to improve health-care efficiency and health outcomes. President Barack Obama says that by 2014, every person in the United States will have an EHR.
UNHEALTHY RISKS. If your PHR falls into the wrong hands, you could be at risk for a variety of negative financial and personal consequences. For example, if someone steals your medical identity, he/she might be able to obtain prescriptions and medical services and pile up bills in your name by using your health insurance. You could get stuck with the bills and the hassle of convincing your insurer that you didn’t incur the charges. (FTC ruled in January 2008 that health-care providers must let FTC know what measures they have taken to detect and prevent identity theft. Health-care providers who fail to report this information to FTC are subject to fines. The compliance deadline for that rule has been delayed several times. As of press time, enforcement was to have begun Jan. 1.)
Thieves also could expose your medical information on publicly accessible websites that don’t require authentication, says Rainey Reitman of Privacy Rights Clearinghouse. That would make your information an easy target for search engines, and it would make it available to anyone who looks for it, including insurance companies or prospective employers.
Consequently, you need to be aware of a PHR provider’s privacy policy before you sign up, says Julie Wolter, who is an associate professor of health informatics and information management at Saint Louis University. That means that you must wade through the company’s posted policies online (see “Do Your Own PHR Diagnosis”) to determine what an online PHR provider will do with your information. Wolter, who educates senior citizens who have multiple chronic conditions on the need to create PHRs, advises you to be particularly leery of advertising-supported PHR sites.
“A health-care professional takes an oath to protect sensitive patient information, but a business might not look at it that same way,” she says.
Microsoft says it took a “comprehensive” approach to privacy when it created its free ad-supported PHR website, Microsoft HealthVault. This included consulting privacy advocates and reviewing privacy legislation, so HealthVault’s policies would conform with those laws.
“Our interest is in delivering a service consumers want to use,” says George Scriban of Microsoft HealthVault. “We know that their number-one concern is the privacy of their information.” He admits, however, that the website’s privacy model still isn’t perfect and continues to evolve over time.
HIP ON HIPAA. Although PHRs that are offered by different entities might look the same in terms of functionality, each might provide you with different privacy protections, Apgar says.
PHRs that are arranged through doctors, clinics, hospitals and Veterans Administration are bound by HIPAA regulations. Those that are available through your health plan, Medicare, Medicaid, employers, and other third-party entities or online sites are not.
It’s important to be sure that your PHR is protected by HIPAA, says Pam Dixon, who is executive director of World Privacy Forum, which is a public-interest research group. HIPAA requires all PHR providers that are bound by its rules to abide by privacy and security standards that call for administrative, physical and technical safeguards to secure electronic health information. For example, HIPAA-covered PHRs are required to have physical security for facilities in which they store data and servers.
PHR service providers that are bound by HIPAA also are required to let you know if your records are subpoenaed. Dixon says this is important, because it allows consumers to argue against the release of those records. If you argue successfully, you can keep your private records out of the public eye.
Dixon advises people to keep their PHR on a flash drive rather than on a PHR website that is not bound by HIPAA rules because of the risk that the data might be breached. If you wanted to access your health data, say, when you travel, you could, and you would avoid the chance that the data might be hacked—although, of course, the flash drive could be lost or stolen. (Experts tell us that online PHR providers’ websites typically are no more susceptible to hacking than is any other reputable financial or retail website).
It’s not always clear which entities are bound by HIPAA. For example, third-party sites are bound by HIPAA as long as they are part of a branding effort by a doctor, hospital or clinic, Apgar says. Branding typically means that the health-care provider pays to have the PHR service provider make its service available to patients. Typically, a branded site includes a specific name that consumers can easily associate with their doctor, hospital or clinic instead of being identified by the PHR site provider. Despite that branding, the service might actually be powered by, say, Google Health—a third-party PHR provider that extracts data from your provider’s EHR and deposits it into your PHR.
But you should know that just because a health-care provider might be able to transfer medical records from its EHR to your PHR at your request—known as a tethered account—that doesn’t mean that your PHR is protected by HIPAA. Your PHR must be “owned,” or branded, by the health-care provider for HIPAA to apply.
Unfortunately, branding is not always apparent. When in doubt, you should always ask your health-care provider to clarify the relationship that it has with a PHR supplier, Apgar says. In particular, you should ask your health-care provider whether it is sponsoring the PHR itself or paying the PHR supplier to provide the service, he says. If the answer to either question is “no,” then look elsewhere. Remember: PHRs are voluntary.
RULED LINES. Some privacy experts say even HIPAA’s protections aren’t enough. They believe that PHRs need one consistent and all-encompassing set of regulations that would hold all providers to the same standards, regardless of whether the PHR is kept by an entity that’s bound by HIPAA, says Harley Geiger of Center for Democracy & Technology, which addresses health-information-technology privacy issues.
Besides, HIPAA is not iron-clad, Geiger says. Although it typically requires consumer authorization for disclosures, there are exceptions. Most important is that when your information is released for treatment, payment and health-care operations (TPO)—the majority of disclosures—you don’t have to be notified. Geiger says he would like to see a separate PHR privacy regulation that puts all disclosures, including those for TPO, under consumers’ control. This action would help to re-establish the overarching goal of the PHR, which is to put consumers in the driver’s seat when it comes to sharing their medical information.
That sounds good to us, but whether your PHR ever will be specifically shielded by law is unclear. A joint study that was conducted by HHS and FTC regarding inadequate PHR privacy protections and recommendations to better protect patient data is months overdue. (It had not been released at press time.)
HHS and FTC do not have the legal authority to extend HIPAA rules to all PHRs. Geiger says the key question is whether HHS and FTC will recommend a comprehensive set of privacy and security protections that are tailored specifically to PHRs. We believe that that’s the best approach.
Despite the confusing HIPAA landscape, regulatory changes now hold all PHR providers accountable to some degree for their privacy practices. A provision of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires that all PHR service providers, regardless of whether they are bound by HIPAA, notify you when a breach occurs. FTC began to enforce the rule in February 2010. Violations can result in fines of up to $1.5 million. (As of press time, FTC hadn’t reported any fines.)
There also is a move afoot to standardize how each online PHR provider states its privacy policy. Office of the National Coordinator for Health Information Technology (ONC), which is the primary federal agency that coordinates the electronic exchange of health information, is devising such a rule. ONC also would require PHR service providers to make their privacy policy clearly visible on their website.
A standardized format would help consumers to more easily compare the privacy policies of different PHR service providers, says Nancy Szemraj, who is an ONC spokesperson. Such information now might be scattered among multiple locations or under different headings, such as “terms of use” or “frequently asked questions.”
This guideline is expected to be released this year—Szemraj couldn’t be more specific—but when it arrives, it won’t be mandatory. ONC’s expectation is that PHR providers will use this tool to gain your trust. But we believe that a toothless guideline leaves a gaping hole for consumers to continue to be confused or misled.
BANKING ON IT. An emerging option for storing your PHR is a community health-record bank or community health-record trust. These are electronic repositories for your medical records that you control much like you would a bank account. Whenever a patient receives care, the new information that’s generated is deposited into the user’s community health-record bank account, where only he/she can access it and send it to doctors and other medical personnel.
How much you might pay for such an account varies. We found one community health-record bank that’s subsidized by the government and therefore is free. Another community health-record bank charges a one-time fee of $99. Still others require ongoing fees of up to $5 per month.
But don’t necessarily expect to find a community health-record bank in your backyard quite yet. So far, there is a scattering of community health-record banks in Arizona, Florida and Washington. Dossia Consortium, which includes BP, Intel and Wal-Mart, has developed community health-record banks for several of its corporate members. But other efforts have been stalled by finances or politics, says Dr. William A. Yasnoff, who is president and CEO of Health Record Banking Alliance, which promotes community health-record banks. It likely will be 3 to 5 years before community health-record banks become widespread, he says.
Community health-record banks connect to sources of health records (e.g., doctors, labs, hospitals) in a particular geographic area. If someone from outside of that community signs up, his/her community health-record bank account will be incomplete, Yasnoff says, because the intent is for the records to be kept and updated locally. That might change as these entities expand nationwide.
You should know that even though community health-record banks are not subject to HIPAA, they are protected by a stricter federal law—the Electronic Communications Privacy Act, which requires a consumer’s consent to release information to any private party.
Community health-record banks also are required under HITECH to notify members when a security breach occurs. Unfortunately, no law can guarantee that there won’t ever be a breach. “All computer systems are potentially vulnerable to hacking, including systems of patient records in hospitals and doctors’ offices,” Yasnoff says.
When it comes to online security, that might be so, but consumers still should expect a PHR service provider to have a healthy respect for their privacy.
Lisa A. Eramo has written on health-care regulation, health-information management and medical coding for 6 years. Her stories have appeared in For The Record magazine, The Journal of American Health Information Management Association and Medical Records Briefing.