Lora Bentley spoke with Ashley Katz, the executive director for Patient Privacy Rights, a national non-profit consumer health privacy watchdog, just before the organization released its privacy report cards for five personal health record systems that are available for consumer use. The goal, she says, is to inform the public how the data is being used, as well as give regulators a tool with which to determine how best to regulate the emerging market for PHRs.
Bentley: Tell us about Patient Privacy Rights.
Katz: Well, Patient Privacy Rights is a 501(c)(3) organization most frequently described as a consumer health privacy watchdog. We focus exclusively on protecting Americans' right to medical privacy. More than the philosophical reasons why privacy is important, we're concerned about how medical information is being used today and how that trickles down into people's opportunities and their well-being: whether they can get and keep jobs, be insured, get a bank loan. Personal health information is quite sensitive and revealing. More and more of it is going out there, which means more and more of it is being used. We really don't think the public has any idea how widely used it is.
Bentley: Is that how the PHR Report Card project came about?
Katz: It's actually a specific grant-funded initiative. The Rose Foundation has a consumer and privacy fund. Part of the deliverables for our grant included putting out the PHR Report Card. There were a couple of reasons for why we wanted to do that. One is we think it's a great way to educate the public, by giving them something tangible and specific.
Personal health records are pretty new. They're really not regulated. Generally, there really aren't any laws that apply directly to them, and Congress is just starting to try and figure out what to do with them. HIPAA doesn't really apply to PHRs, and we don't really want it to because we think HIPAA gives too much discretion as it is. So we refer to PHRs as the Wild West of electronic health records. It's a changing marketplace. There's a wide range of practices and a wide range of sophistication among all of the different players, so we saw this as a key way to inform the public and to give another tool to Congress and other regulators to say, "OK, this is what's out there. This is what some are doing, what some are not, and what others are capable of doing."
Katz: And I should say that, in addition to educating the public, the equal goal here is to identify companies that are doing good things, highlight those good things, and pressure everybody else to model them. And where no one is doing something good, to pressure the industry to step up to the plate and do better.
Bentley: Have you had good responses from the vendors whose systems you reviewed?
Katz: With the exception of one company that we just haven't been able to reach, everyone has been very responsive. And I feel confident that everyone we've graded is going to make at least one change based on this feedback. That's really what you want. You want people to do the right thing rather than just shame them.
Bentley: Which vendors did you include?
Katz: We included Microsoft HealthVault and Google Health, which are technically platforms that house PHRs. You can have an account with Microsoft or with Google, by which they offer to connect you to other services. Some are PHRs, some are, like, heart rate monitors that you can upload into your account. So they're not a straightforward PHR, but they're in the same category.
We also did a card for WebMD's basic PHR, where you can store information and collect it, but you can't really share it.
Then there's a company called No More Clipboard that has a basic PHR. You can go online, you can enter stuff. Your doctor can fax or e-mail lab results or whatever, and if you accept them, you incorporate them into the record. And you can share it as well. They do allow you to e-mail or fax that information to outside parties.
Then there's the CapMed In Case of Emergencies (ICE) PHR. Their concept is you have a card that you carry with you, and should you show up in the ER, you could hand that over and they could pull up your record.
They all have different levels of sharing, different bells and whistles, and different capabilities.
Bentley: So their privacy policies and practices are different as well. What should the consumer be looking for, or beware when choosing a PHR system?
Katz: Well, for all of them, consumers have to proactively sign up before they can have an account. All of them promise to protect your privacy, and everyone says that privacy is very important, but what privacy policies actually are are detailed explanations of how the information can be used. Some of them set out how they actually protect it, but it's really more of a list of "This is what we can do" with your information, and you can take it or leave it. But it really varies. Some you can opt out of, some you can't.
Bentley: So are the vendors in control of how the information is shared or are the consumers?
Katz: That's a great question. And that's really the point of the report card: The level of control you have over your own information varies greatly. Especially when it comes to de-identified data, the consumer really has no control. There's this thinking out there that as long as it's anonymous, no one will ever figure it out.
The problem is that when you have amassed as much information as is out there, it's not so much that anonymous data is easy to identify. It's when you couple it with any other data set that's readily available, then all of a sudden it's not so innocent. And that's happening.