But often, Katz says, those policies don't spell out how they're going to protect that information. Instead, they are a "detailed list" of what those vendors can do with your information -- in other words, a detailed list of exceptions to the rule that they won't share user information with third parties without permission. And sometimes even the list of exceptions is so fraught with references to other policies and related rules that it becomes incomprehensible even to those who aren't intimidated by legal jargon and contractual language. Or sometimes the policies are vague enough that the user has no real idea how or under what circumstances certain information will be shared. (Yahoo's practices regarding cooperation with law enforcement are similarly vague, according to IT Business Edge blogger Don Tennant.)
That's one of the reasons Katz and her colleagues at Patient Privacy Rights graded five different personal health records providers on their privacy and security practices. They want to increase public awareness regarding how health information is used. Said Katz:
We're concerned about how medical information is being used today... Personal health information is quite sensitive and revealing. More and more of it is going out there, which means more and more of it is being used. We really don't think the public has any idea how widely used it is.
The nonprofit consumer health information privacy watchdog released report cards for each of those PHR vendors last week so that the public could have "something tangible and specific" to reference.
Also of importance, according to Katz, is the opportunity to provide Congress and other regulators with a reference point as they try to decide how to handle this as-yet-unregulated market of personal health records. "HIPAA doesn't apply to PHRs," Katz told me, "and we really don't want it to because we think HIPAA gives [information custodians] too much discretion as it is." Hence, the PHR report card is "the perfect tool to hand to regulators to say 'OK, this is what is out there. This is what some companies are doing, what some are not, and what some are capable of'," she says.
The bonus for Patient Privacy Rights is that most of the vendors that were graded have responded well to the feedback found in the report cards. Said Katz:
I feel confident that everyone we've graded is going to make at least one change based on this feedback. That's really what you want. You want people to do the right thing.