As the healthcare industry continues its progress toward adoption of electronic health records, another type of electronic record garnered big headlines over the last couple of years: the personal health record (PHR). Where does the PHR fit in our evolving universe of networked, interoperable electronic health information?
The PHR: What is it?
Whether paper or electronic, fundamentally the PHR is information about an individual’s health compiled and maintained by the individual consumer. The American Health Information Management Association recommends maintaining several types of essential health information in the PHR, including contact information, immunizations, allergies, and current medications.
As electronic health records developed, electronic PHRs also emerged. In 2006, several major employers created a consortium known as Dossia to allow employees to collect data from insurance claims and healthcare providers and save it in a portable electronic database. In 2007, the BlueCross and Blue Shield Association and America’s Health Insurance Plans announced development of a model health plan-based PHR, with portability standards to allow consumers to transfer their health data when they changed plans. Healthcare providers also introduced PHRs as consumer gateways to certain information in their electronic health records. Some independent companies offered web-based PHRs with data supplied by the consumer. Finally, entrance of the technology giants Microsoft and Google into the PHR arena gave consumers the option of using their platforms to populate an electronic PHR with data from healthcare providers, insurers and other entities.
The PHRs developed by insurers, providers and technology companies have distinct features and standards. In its 2006 report, the National Committee on Vital and Health Statistics found that there was “no uniform definition of ‘personal health record’ in industry or government”. To facilitate meaningful discussion of what role PHRs may play in our overall system of electronic health information, the National Alliance for Health Information Technology (NAHIT) recommended adopting a consensus definition of “personal health record” (along with other relevant terms). The NAHIT defined a Personal Health Record as:
An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be drawn from multiple sources while being managed, shared, and controlled by the individual. [emphasis added]
The distinction between the NAHIT definition of a PHR, and its definition of an Electronic Health Record, rests on the locus of control. The individual consumer controls the information in his/her PHR. Under the NAHIT definition, if an individual has electronic access to information through a healthcare provider or payor but cannot control the information, the portal is not a PHR.
With a consumer-controlled PHR, a networked environment allows the consumer to draw information from various sources into the PHR. This is the system envisioned by the Markle Foundation’s “Connecting for Health Common Framework” . The Common Framework assumed that consumer access services would emerge to act as intermediaries in aggregating personal health information, or authenticating the consumer’s identity to allow the consumer to participate in a health information exchange. Google Health and Microsoft HealthVault are examples of consumer access services; both allow a user to create a health profile and link to various other entities.
Finally, a definition of the PHR is contained in the American Recovery and Reinvestment Act (ARRA), popularly known as the stimulus bill. The ARRA defines “personal health record” as “an electronic record of PHR identifiable health information … on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual.”
Privacy and Security and the PHR
When consumers are allowed to access information held by a health plan or a health care provider, the information itself is subject to the confidentiality protections of the Health Insurance Portability and Accountability Act (HIPAA), since health plans and those health care providers who use electronic transactions are “covered entities” under HIPAA. However, HIPAA does not apply to uses and disclosures of information by PHR providers that are not covered entities (such as Google).
Prior to enactment of the ARRA, the only confidentiality obligations that the PHR provider owes to the consumer were those promises made by the PHR provider in its published privacy and security policies. At present, however, many PHR providers have inadequate privacy policies. A study done in 2007 for the Office of the National Coordinator by the Altarum Institute reviewed thirty-seven privacy policies of PHR providers, and found a wide variation, with none addressing most of the criteria considered appropriate.
Evolving industry standards for protecting the confidentiality of PHR information are exemplified by the Connecting for Health Common Framework for Networked Personal Health Information. The Common Framework includes sixteen components, including policies on consumer consent to collection, use and disclosure of information; notification of misuse or breach; and information security. As of June 2009, 56 organizations, including Google, Microsoft, WebMD, the U.S. Department of Veterans Affairs, the American Association of Retired Persons, America’s Health Insurance Plans, Cisco Systems and several health care providers and insurers have endorsed the Common Framework.
Security Breach Notification Requirements under the ARRA
Unlike health care providers and health plans (which are HIPAA covered entities), PHR providers have largely operated in an unregulated environment. With passage of the ARRA, this has changed. The ARRA includes security breach notification requirements for HIPAA covered entities and business associates, and also for vendors of PHRs, PHR-related entities, and third party service providers to vendors of PHRs. If a breach of PHR identifiable health information occurs, the PHR vendor or related entity must notify each individual whose personal information was acquired by an unauthorized person. If more than 500 persons in a state are affected, notice must also be published in prominent media outlets. The PHR vendor or related entity must also notify the Federal Trade Commission of all security breaches. The notification requirements do not apply if the affected information was encrypted.
Interoperability Standards for the PHR
The NAHIT’s definition of a PHR requires that the PHR conform to “nationally recognized interoperability standards”. At present, there are two competing standards: the Continuity of Care Record (CCR) standard and the Continuity of Care Document (CCD) standard. The CCR standard was developed by ASTM International, in collaboration with the American Academy of Family Physicians, the American Medical Association, the American Academy of Pediatrics, the Massachusetts Medical Society, the Patient Safety Institute, and the Health Information Management Systems Society. The CCD standard is part of the Health Level 7 (HL7) standards known as the Common Document Architecture (CDA). The practical difference between the CCR and the CCD standards is that the CCR is simpler and more structured.
The Future Direction of PHRs: Standard-Driven or Market-Driven?
Standard-setting initiatives for PHRs are not without controversy. In March 2007, members of the AHIC Consumer Empowerment Workgroup disagreed about whether HHS should encourage a certification process for electronic PHRs. While the majority felt that certification could be helpful in the areas of PHR privacy and security policies and interoperability, five Workgroup members dissented, believing that the risk that certification would discourage innovation outweighed potential benefits.
PHRs offer fertile ground for innovation, especially in development of specialized personal health applications that can be used in connection with PHRs to improve wellness and manage chronic health conditions. For a glimpse of what the future may hold, the projects supported by Project HealthDesign are tantalizing examples. They include, among others:
- A PHR system allowing diabetic patients to record blood glucose levels, blood pressure, food intake and exercise levels and upload the readings over a cell phone to their health care providers, to improve medication management between office visits;
- A personal medication management system for children with cystic fibrosis including an age-appropriate “skin” for the patient to wear that reminds children to take medication and can notify parents if there is no response to a reminder, and enables 2-way communication between the application and the PHR; and
- A PHR tool for sedentary adults that uploads data from a pedometer or accelerometer and generates a customized plan to increase activity levels.
The challenge for PHR developers over the coming years will be to combine innovations that offer consumers ease of use and respond to individual needs, with safeguards that give consumers confidence that the privacy of their personal information will be protected. Whether this will be achieved through consumer confidence in an individual PHR provider’s “brand”, through voluntary standards, or through mandated legal protections remains to be seen.
 National Committee on Vital and Health Statistics, Personal Health Records and Personal Health Record Systems, Feb. 2006.
 The National Alliance for Health Information Technology, Report to the Office of the National Coordinator for Health Information Technology on Defining Key Health Information Technology Terms, April 28, 2008.
 The NAHIT defines an “Electronic Health Record” as “An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be created, managed, and consulted by authorized clinicians and staff across more than one health care organization.” Id., p. 6.
 Connecting Americans to Their Health Care: A Common Framework for Networked Personal Health Information, Markle Foundation (Dec. 2006).
 Pub. L. No. 111-5, Section 13400(11).
 Altarum Institute, “Review of the Personal Health Record (PHR) Service Provider Market: Privacy and Security”, March 2007.
 ARRA Section 13402 (HIPAA covered entities and business associates); Section 13407 (PHRs).
 Project HealthDesign is funded by the Robert Wood Johnson Foundation and the California HealthCare Foundation. The grantee projects for Project HealthDesign are described at http://www.projecthealthdesign.org/.
About the Author
Patricia King is a health care attorney in Illinois, and principal of the web-based business Digital Age Healthcare LLC (http://www.digitalagemd.com/).