ONC Releases Model Privacy Notice for Personal Health Records

After the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, interest in storing and accessing health information online grew, prompting heightened concerns about the privacy and security of such information. In September 2011, the Office of the National Coordinator for Health Information Technology (ONC) released a Personal Health Record (PHR) Model Privacy Notice for public use. This Model Notice meets ONC’s initial goal in a multi-phased consumer project to increase consumer awareness of PHR companies’ data practices. The next phase seeks to empower consumers by providing them with an easy way to compare the data practices of two or more PHR companies.

Web-based PHRs allow individuals to document and store their health information online, such as medical histories and prescription records. It is important to note that electronic or web-based PHRs are not electronic health records (EHRs) as defined by the HITECH Act, because the information in a PHR is entered and controlled by the individual consumer rather than by a doctor, hospital or other health care provider. Importantly, many PHRs are not protected by the privacy and security rules set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA regulates the privacy and security of health information maintained by health care providers and health insurers that are “covered entities” under HIPAA. As a result, information in PHRs offered by such “covered entities” is governed by HIPAA. However, many PHRs are maintained by companies that are not “covered entities” under HIPAA, and the information they hold is therefore not afforded HIPAA’s protection. In such cases, the PHR company’s own privacy and security policies control access by third parties to information in the PHR. For that reason, the ONC believes it is important for individuals “to be aware of PHR companies’ privacy and security policies and data sharing practices.”

The ONC has designed the PHR Model Privacy Notice as a template that PHR companies may use to inform consumers about key elements of their privacy policies. ONC is developing a website where PHR companies can answer questions online to generate a company-specific PHR Model Privacy Notice and place it on the vendor’s homepage. When this website goes live, the public will be able to access it here.

ONC has also created an Implementation Guide to assist PHR companies in completing the PHR Model Privacy Notice template and in displaying the notice on the company’s website. 

Use of the Model Notice is voluntary, and there are no right or wrong answers when completing the template. However, the template must be completed with care, because a PHR company’s failure to comply with its own Notice could subject the company to enforcement action by the Federal Trade Commission (FTC). The HITECH Act granted the FTC regulatory and enforcement authority over companies that offer online PHRs. Accordingly, if a PHR company has failed to adhere to the commitments in its PHR Privacy Notice, the FTC can challenge the company’s Notice as false or misleading in violation of the FTC Act. Although the FTC has not yet challenged a PHR Privacy Notice, it has challenged the privacy notices of, and taken enforcement action against, two well-known pharmacy companies that promised, but failed, to maintain the privacy of health information. These FTC complaints and the resulting enforcement actions are detailed on the FTC Health Privacy webpage (see Case Highlights under the “Health Privacy Legal Resources” section).

In exercising its authority under the HITECH Act, the FTC issued a Health Breach Notification Rule. This Breach Notice Rule requires PHR companies that have a security breach to:

1. Notify everyone whose information was breached;

2. In many cases, notify the media; and

3. Notify the FTC.

The Breach Notice Rule, issued on August 25, 2009, explains who is covered by the Rule and what these companies must do in case of a breach. More information about this Rule is available on the FTC Health Breach Notification website.
