In recent years, there has been growing demand from patients for access to their own health information through tools such as Personal Health Records [1]. The Markle Foundation [2] defines the Personal Health Record (PHR) as an electronic application through which individuals can access, manage and share their health information in a secure and confidential environment. PHRs are emerging and consolidating as an effective tool for patients to maintain their own health-related information.

Healthcare Organizations (HCOs) and e-health services covered by HIPAA face the problem of implementing effective and cost-efficient security and privacy policies while continuously demonstrating compliance with HIPAA regulations. To this end, HCOs must implement system-wide policies, standards, guidelines and procedures for safeguarding the organization's information, including Electronic Medical Records (EMR) and Electronic Health Records (EHR), in accordance with HIPAA mandates [3]. Similar security and privacy issues apply to PHRs, since patient information must be protected under HIPAA regulatory requirements.

PHR applications were initially provided by single vendors as a module, with limited functionality, within a Hospital Information System (HIS). With the growing use of Web 2.0 technologies, PHRs have also evolved into web-based solutions offered by third-party businesses, leveraging the "anywhere, anytime" accessibility made possible by the Internet. Although third-party businesses providing PHR solutions are not subject to HIPAA regulations, security and privacy for PHRs remain critical issues, both for the patients using the PHR and for the providers themselves. In this context, this paper focuses on existing PHR applications and functions, the classification of PHRs based on their business and technical environments, privacy features, privacy policies and their coverage, and privacy policy notification issues.

Furthermore, to verify the privacy policy coverage and notifications offered by web-based PHRs, the privacy policies of such PHRs were evaluated against established and well-researched evaluation criteria.

The two main PHR platforms evaluated in this research are Microsoft HealthVault and Google Health. The objective is to highlight existing weaknesses in PHR privacy policy coverage and gaps in privacy policy notification mechanisms, while investigating the lack of tools that enable patients to adequately protect their personal health information.
[1] S. Sastry et al., "Security and Privacy Issues with Health Care Information Technology," 2006 International Conference of the IEEE Engineering in Medicine and Biology Society, 2006.
[2] J. Frost et al., "Social Uses of Personal Health Information Within PatientsLikeMe, an Online Patient Community: What Can Happen When Patients Have Access to One Another's Data," Journal of Medical Internet Research, 2008.
[3] A. Policy, "Review of the 2002 Department of Health and Human Service Notice of Proposed Rule Making for The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Regulations," 2002.
[4] "Practice brief. The role of the personal health record in the EHR," Journal of AHIMA, 2005.
[5] L. Sher, "Hippocratic Oath," The Lancet, 1996.
[6] J. Stoker et al., "The Department of Health and Human Services," Home Healthcare Nurse, 1999.
[7] Ludwig Edelstein et al., "The Hippocratic Oath," 1943.
[8] A. Aldama, "[National committees of vital and health statistics]," Boletin de la Oficina Sanitaria Panamericana, Pan American Sanitary Bureau, 1955.