Robert Belfort, Project HealthDesign Regulatory and Assurance Advisory Group, Manatt, Phelps & Phillips, LLP
As more individuals begin to use personal health records (PHRs) to manage their personal health information, it is important that they be aware of PHR companies’ privacy and security policies. This is something that we at Project HealthDesign know well. Because of a new PHR Model Privacy Notice (Model Notice) created by the Office of the National Coordinator for Health IT (ONC), we hope that others will soon appreciate the importance of knowing how PHR companies use their data.
ONC released the Model Notice on September 12, 2011. It is a standardized template that a web-based PHR company can use to inform consumers about its privacy and security policies. According to ONC, consumers should think of the Model Notice as similar to a nutrition facts label for food: it succinctly provides important facts that consumers should know before using a PHR. The Model Notice is meant to provide information to consumers in a uniform format they can understand, compare and use to make an informed decision about which PHR they would like to use.
The Model Notice has two sections: (i) the “Release” section; and (ii) the “Secure” section. Both tell consumers what the PHR company may do with their data. The “Release” section tells consumers whether the PHR company releases their data and for what purposes (e.g., for marketing and advertising). It also describes any data release restrictions the PHR company may have in place and explains whether the PHR company will stop releasing a consumer’s data once the consumer closes or transfers the PHR. The “Secure” section includes three points to help consumers identify the PHR company’s data security practices. Specifically, it identifies whether the PHR company implements security measures; whether the PHR company stores PHR data in the United States only; and whether the PHR company keeps activity logs that record who accesses a consumer’s PHR and when.
ONC was likely motivated to release the Model Notice, at least in part, because many PHRs are not covered by existing health information privacy laws and regulations (e.g., the Health Insurance Portability and Accountability Act’s Privacy and Security Rules). Thus, there are no clear rules for them to follow when handling consumers’ health information. This is a significant gap in the country’s privacy laws. Although voluntary use of a Model Privacy Notice will not solve the problem, it is a step in the right direction.
ONC released a helpful document titled “Consumer Guide to Understanding and Using the PHR Model Privacy Notice on PHR Company Data Practices,” which does exactly what its title suggests. We recommend it for anyone who uses a PHR. Additionally, the PHR Model Privacy Notice is now available for PHR companies to begin using.
Let us know what you think about the Model Notice. Does it include enough information to be helpful? Would the participants in your projects be able to understand what it says? Can you think of any ways that you can employ the concepts behind the Model Notice in your projects?