Lorenzo Martino
ABSTRACT
In recent years, there has been growing demand by patients for access to their own health information via tools like Personal Health Records [1]. The Markle Foundation [2] defines the Personal Health Record (PHR) as an electronic application through which individuals can access, manage and share their health information in a secure and confidential environment. PHRs are emerging and consolidating as an effective tool for patients to maintain their own health-related information. Healthcare Organizations (HCOs) and e-health services covered by HIPAA face the problem of implementing effective and cost-efficient security and privacy policies, while constantly demonstrating compliance with HIPAA regulations. To this end, HCOs must implement system-wide policies, standards, guidelines and procedures for safeguarding the organization's information including Electronic Medical Records (EMR) and Electronic Health Records (EHR), in conjunction with HIPAA mandates [3]. Similar security and privacy issues also apply to PHRs, as patient information must be protected under HIPAA regulatory requirements. PHR applications were initially provided by single vendors as a module (with limited functionality) within a Hospital Information System (HIS). But with growing use of Web 2.0 technologies, PHRs have also evolved as web-based solutions provided by business parties, leveraging "anywhere anytime" accessibility made possible by the internet. Although business third parties providing PHR solutions are not subject to HIPAA regulations, nonetheless security and privacy for PHRs are critical issues - both for the patients using the PHR and for the providers themselves. In this context, this paper focuses on existing PHR applications and functions, classification of PHRs based on their business and technical environments, privacy features, privacy policies and coverage, and privacy policy notification issues. Furthermore, in order to verify privacy policy coverage and notifications offered by web-based PHRs, an evaluation of such privacy policies against already established and well-researched evaluation criteria was conducted.
The two main PHR platforms used for evaluation in this research include Microsoft HealthVault and GoogleHealth. The objective is to highlight existing vulnerabilities in PHR privacy policy coverage and gaps in privacy policy notification mechanisms, while investigating the lack of availability of tools that enable patients to adequately protect their personal health information.
- Journal of Medical Internet Research. 2008. Social uses of personal health information within PatientsLikeMe, an online patient community: what can happen when patients have access to one another's data. Jeana H Frost, Michael P Massagli Volume: 10, Issue: 3, Pages: e15 PubMed ID: 18504244Google Scholar
- Connecting for Health. The Markle Foundation. http://www.connectingforhealth.org/resources/final_phwg_report1.pdfGoogle Scholar
- Qualys On Demand Vulnerability Management. CASE STUDY: Geisinger Health System--Bringing HIPAA Compliance to an Electronic Medical Record System. http://www.qualys.com/docs/geisinger.pdfGoogle Scholar
- Center for Information Technology Leadership {CITL}. 2008. Value of Personal Health Records. Center for Information Technology Leadership. ISBN: 978-0-9800697-4-7Google Scholar
- The Markle Foundation. Press Release. October 11, 2005. http://www.markle.org/resources/press_center/press_releases/2005/press_release_10112005.phpGoogle Scholar
- National Committee on Vital and Health Statistics. http://ncvhs.hhs.gov/Google Scholar
- The Hippocratic Oath. http://www.indiana.edu/~ancmed/oath.htmGoogle Scholar
- The Code of Fair Information Practices 1974. http://www.consumerprivacyguide.org/law/pa.shtmlGoogle Scholar
- The Patient Privacy Rights Foundation. http://www.patientprivacyrights.orgGoogle Scholar
- Health Insurance Portability and Accountability Act of 1996. Department of Health and Human Services. Retrieved from: http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdfGoogle Scholar
- Gellman, R. Personal Health Records: Why Many PHRs Threaten Privacy. World Privacy Forum. The World Privacy Forum - A Legal and Policy Analysis. www.worldprivacyforum.org/Google Scholar
- Lisa A. Gallagher, HIMSS Director, Privacy and Security. Privacy and Security Issues for PHRs. Consumer Organization Outreach TF (March 28, 2007). http://www.himss.org/content/files/PHRPrivSecCOO-LGV1.0.pdf?src=enews20070411Google Scholar
- San Diego Tribune. 2008. Health records shared online pose dilemma. Keith Darcé. March 5, 2008. http://www.signonsandiego.com/uniontrib/20080305/news_1n5web.htmlGoogle Scholar
- World Privacy Forum. 2008. http://www.worldprivacyforum.org/testimony/NCVHStestimony_092005.htmlGoogle Scholar
- PHRPrivacy.com. 2008. The Foundation for Healthcare Excellence. http://phrprivacy.com/index.php?option=com_content&task=view&id=41&Itemid=139Google Scholar
- Security and Privacy Issues with Health Care Information Technology. Marci Meingast, Tanya Roosta, Shankar Sastry. Department of Electrical Engineering and Computer Sciences, University of California, Berkeley. http://robotics.eecs.berkeley.edu/~roosta/EMBC06.pdfGoogle Scholar
- Health Privacy Project at http://www.healthprivacy.org/Google Scholar
- Review of the Personal Health Record (PHR) Service Provider Market: Privacy and Security. ALTARUM Research. January 5, 2007. http://www.hhs.gov/healthit/ahic/materials/01_07/ce/PrivacyReview.pdfGoogle Scholar
- Detailed PHR Privacy Report Cards. Patient Privacy Rights Foundation. 2010. http://patientprivacyrights.org/detailed-phr-privacy-report-cards/#MSHVGoogle Scholar
- User Centric. 2010. http://www.usercentric.com/publications/2009/02/02/google-health-vs-microsoft-healthvault-consumers-compare-online-personal-heaGoogle Scholar
- e-HIM Personal Health Record Work Group. "The Role of the Personal Health Record in the EHR." Journal of AHIMA 76, no. 7 (July-August 2005): 64A--D.Google Scholar
- The HITECH Act and HIPAA. 2010. HIPAA Survival Guide. http://www.hipaasurvivalguide.com/hipaa-survival-guide-21.phpGoogle Scholar
- HITECH Act -- Interim Final Rule. 2009. http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdfGoogle Scholar
Index Terms
- Privacy policies of personal health records: an evaluation of their effectiveness in protecting patient information
Recommendations
Privacy in mobile technology for personal healthcare
Information technology can improve the quality, efficiency, and cost of healthcare. In this survey, we examine the privacy requirements of mobile computing technologies that have the potential to transform healthcare. Such mHealth technology enables ...
Evaluating the Privacy Policies of Mobile Personal Health Records for Pregnancy Monitoring
A mobile personal health record (mPHR) for pregnancy monitoring allows the pregnant woman to track and manage her personal health data. However, owing to the privacy and security issues that may threaten the exchange of this sensitive data, a privacy ...
Design and Implementation of a Privacy Aware Framework for Sharing Electronic Health Records
ICHI '15: Proceedings of the 2015 International Conference on Healthcare InformaticsPrevalent EHRs (Electronic Health Records) present an opportunity to provide a safer, efficient and patient-centered care environment, but this may also cause the disclosure of patient privacy information without the patient authorization, in particular,...
Comments