North Carolina Journal of Law & Technology

“Free” Online Commercial Personal Health Records: Too Good to be True or Just Savvy Opportunistic Business Strategy?

Wednesday, February 11th 2009 by Kathryn M. Marchesini

Within the last year, several non-health care companies have begun electronically storing personal health data for U.S. consumers.  These companies are commonly known as Personal Health Record (PHR) vendors.  According to the U.S. Department of Health and Human Services (HHS), the federal data sharing and protection laws that govern the health care industry do not apply to PHR vendors.  Privacy provisions of the federal economic stimulus legislation (known as the American Recovery and Reinvestment Act of 2009) provide some protection of data stored in PHRs.  Specifically, these include breach notification requirements for Non-HIPAA covered entities.  However, even with these new requirements, certain companies can still store personal health data without much federal oversight of information privacy.  In some cases, information stored in PHRs may be sold, rented, or otherwise shared.  Users have no right to correct inaccurate health information contained in an online PHR, unlike information covered under HIPAA.  The PHR not only has the capability to store and organize an individual’s physical health data, but also “may include information about family relationships, sexual behavior, substance abuse, and even the private thoughts and feelings that come with psychotherapy.”  Consumers’ use of PHRs is voluntary; although, they could become mandatory in the future for some Americans, as the HHS recently unveiled an online Medicare PHR pilot program.     

Non-HIPAA covered entities, such as Google and Microsoft, offer a free, opt-in PHR service.  When registering for a Google Health account, consumers determine who may access their health data and agree to the Google Health Privacy Policy.  This “agreement” seems to create the impression that users have expressed informed consent to the vendor’s processing practices.  For instance, Google “may share [information] without authorization in certain limited circumstances . . . .”  Also, the vendor “might publish trend data similar to what is published in Google Trends.”  While Google does not currently sell advertising within its PHR service, Google has not ruled this out for the futureMoreover, while Google has to adhere to its posted Privacy Policy or risk action from the Federal Trade Commission (FTC), there does not seem to be any laws stopping Google from changing its Privacy Policy. 

Storing data in a PHR creates a feeling of intimacy; health information reveals details about one’s inner self and vulnerabilities.  When consumers self-generate data to be stored in a “private” PHR account, users expect their information to remain private, not realizing the potential for unauthorized sharing of their personal health data.  Since consumers no longer have physical control over personal data, they do not have any assurance that the data they enter will not be used to further a specific goal of the PHR vendor.  For example, a PHR vendor could combine stored health data with its other consumer stored data and sell the aggregated data for marketing or surveillance purposes.  Consumer watchdogs have raised issue with the possibility that PHR vendors could sell patient medical information to advertising clients.  Even if a vendor de-identifies personal data, this potential secondary use of data and sharing of personal health information with a third-party could cause financial, physical, and/or dignitary harm to an individual.

Unlike many other industries, errors in health care delivery could have serious, and sometimes, fatal consequences.  Thus, while PHRs trigger privacy and confidentiality concerns, public interest in the electronic availability of secure health information anytime, anywhere is increasingly strong.  PHRs could improve health care efficiency and quality.  PHRs could provide access to detailed and accurate health and genetic information enabling physicians to dispense personalized medicine, moving consumers toward value-driven health care.  It is widely noted that an online PHR offers enhanced mobility of important health information, allowing individuals to play a more active role in their health care.  Furthermore, PHRs advance the overall business interests of health care.  For example, the current HIPAA Privacy Rule supports the commercial interest of health care by allowing covered entities to use personal health information without patients’ permission.  Similarly, non-HIPAA covered entities could use personalized marketing campaigns targeted at PHR users.

Although, the U.S. Supreme Court has not fully resolved the issue of unwarranted disclosure of consolidated private data, Whalen v. Roe serves as the foundational case for recognizing decisional and information privacy.  While an email address and password may provide individuals control over access to their PHR, there is no guarantee personal information is completely protected.  “[A] person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”  In contrast, “what [a person] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.”  Assuming the PHR vendor has a posted privacy policy, the FTC’s enforcement of unfair and deceptive practices could potentially apply to the privacy policy, ensuring that the vendor keeps it promise.  However, if a promise of privacy does not exist, it is not in the FTC’s jurisdiction.  With loopholes in existing and future federal laws, the disclosure of personal health information stored in PHR accounts hosted by non-HIPAA covered entities seems to be unregulated.  Thus, PHR storage vendors could legally use personal health information as another advertising conduit.

Consumers using an online PHR should be aware of associated privacy and security risks. While privacy concerns may be eclipsed by the benefits of centrally accessible PHRs, health care is a business where inaccurate information could cause severe consequences on patients’ lives.  “In the long-run, we are all dead”.  However, if consumers store health information in an online non-HIPAA covered PHR, they potentially could suffer unintended financial, dignitary, or physical harm, sooner rather than later.  Therefore, the law must evolve to balance consumer health information privacy with the business use of technology in order to transform the U.S. health care industry.

Categories:

Comments

thanks

Submitted by Anonymous on Thu, 09/03/2009 - 19:10.

Thanks for this nice article, it' very useful for me.

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
  • Each email address will be obfuscated in a human readble fashion or (if JavaScript is enabled) replaced with a spamproof clickable link.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.

User login

Sign-in via ONYEN
 
UNC School of Law

The North Carolina Journal of Law & Technology is a student-published law journal of the University of North Carolina School of Law.

Van Hecke-Wettach Hall, 100 Ridge Rd, Chapel Hill, NC 27599-3380
info [at] ncjolt [dot] org       Fax: (919) 962-1277