Skip to content Skip to navigation

PHRs: Read the Fine Print

March 12, 2008
by Reece Hirsch
| Reprints

At a time when personal health record ("PHR") products are being launched by companies like Microsoft and Google with much attendant press, a report by the World Privacy Forum warns that PHR products may expose medical information to new privacy risks. This new generation of PHR products represent the beginnings of a renewed push towards consumer-directed healthcare, which is premised upon providing individuals with greater access to, and control over, their medical information.

But according to a February 20 report issued by the World Privacy Forum and authored by privacy attorney and consultant Robert Gellman, many PHRs will have to rely upon advertising (particularly pharmaceutical company advertising) in order to have a sustainable business model. And the world of online advertising is driven by the collection of personal information in the form of click-throughs, page views and transaction information. The WPF report correctly notes that companies operating PHRs will typically not be subject to regulation by HIPAA. However, a few state laws, such as California's Confidentiality of Medical Information Act, are broad enough to apply to many PHR companies that maintain medical information.

In the absence of applicable privacy and security laws or professional ethical obligations, privacy becomes essentially a matter of contract -- and that contract is the PHR company's privacy policy. A less privacy-friendly PHR company could commercialize medical information in any number of ways, if those uses are permitted under the terms of the company privacy policy. Microsoft and Google are setting an excellent example with explicit, comprehensive privacy policies that emphasize the individual's control over uses and disclosures of their medical information. However, these trend-setters will inevitably be followed into the marketplace by PHR companies that take a more lax approach to privacy policies and practices. And that is when things will get messy ….

Topics

Comments

Eventually there will be so many flavors of PHRs out there that you will need someone to develop PHR Aggregator to create a unified PHR solution. I'm interested to see whether Microsoft or Google will take this approach.

Reece Hirsch

Partner, Morgan, Lewis & Bockius LLP

Reece Hirsch's Health Care Privacy Law Blog offers a lively commentary on a wide range of...