
A personal health record (PHR) is a patient's medical information collected from all the electronic sources that hold it, including health insurers, pharmacies and providers, such as doctors, dentists and every hospital used for in-patient or out-patient care. It also includes information from labs, claims and administrative information sources. A PHR will include a patient's demographic, clinical and financial information related to his/her medical care and treatments.

You are most likely to be offered a PHR by your health insurer or your employer. By maintaining all this information in one place they hope a PHR will:

  • Reduce duplicate care;
  • Reduce medical errors;
  • Manage chronic medical conditions; and
  • Establish medical efficiencies.

This will also help to save the health care industry money, which, in turn, could help to keep you and your family's medical insurance premiums low.

No matter how the PHR is provided, the data held in it is an individual patient's data and needs privacy and security protections, including those required by the HIPAA regulations. The safeguards need to include all the privacy protections so that a patient's protected health information (PHI) is not used or disclosed inappropriately, and all the requirements of the HIPAA Security Rule must be followed, including:

  • Notice to you, the patient, of the existence and purpose of the PHR record keeping systems;
  • Safeguards for confidentiality, integrity and availability of your information.

Since this is your confidential medical and payment information moving between several electronic databases, there must be transmission security. In other words, the data must travel over a dedicated private network, be accessed through a protected website or be encrypted while in transit (for a website, that means an HTTPS connection protected by TLS). Additionally, the 4 'A's of security safeguards need to be in place:

  1. Access controls that govern who may see and use your confidential information;
  2. Authorization to use and disclose your confidential information, and only for an approved purpose;
  3. Authentication that verifies the person or entity asking for access to your confidential information is the one claimed; and
  4. An audit trail that records all activity in your confidential information so that it can be examined later.
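The following is an added illustration of how the four A's fit together in a small PHR access gateway; it is example code written for this article, not software from BCBSA or from any PHR vendor. The patient record, the role-to-purpose policy, the signing key and the user names are all constructed for the demo. Authentication is an HMAC-signed token, authorization is a least-privilege policy that maps each role to the purposes and record sections it may use, access returns only the requested section, and the audit trail is a hash-chained, append-only log in which any edited or deleted entry is detectable.

```python
import hashlib
import hmac
import json

# Constructed demo key for this example only; a real deployment loads its key
# from a secrets manager and never hard-codes it.
SECRET_KEY = b"demo-key-do-not-use-in-production"

# Constructed sample PHR record (hypothetical patient, hypothetical data).
PHR_RECORDS = {
    "patient-001": {
        "demographic": {"name": "A. Example", "dob": "1970-01-01"},
        "clinical": {"conditions": ["hypertension"], "labs": {"a1c": 5.6}},
        "financial": {"claims": [{"id": "CLM-1", "amount": 120.00}]},
    }
}

# Hypothetical authorization policy: each role may act for certain purposes
# and reach certain sections only. A claims processor never sees clinical
# data; a treating clinician never sees claims.
POLICY = {
    "patient":            {"purposes": {"self-care"}, "sections": {"demographic", "clinical", "financial"}},
    "treating_clinician": {"purposes": {"treatment"}, "sections": {"demographic", "clinical"}},
    "claims_processor":   {"purposes": {"payment"},   "sections": {"demographic", "financial"}},
}

GENESIS_HASH = "0" * 64
AUDIT_LOG = []  # append-only, hash-chained list of access events


def issue_token(user_id, role):
    """Authentication: mint an HMAC-SHA256 signed token binding a user to a role."""
    payload = json.dumps({"sub": user_id, "role": role}, sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def authenticate(token):
    """Verify the token's HMAC in constant time; return the claims or None."""
    try:
        payload_hex, tag = token.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def _audit(event):
    """Audit trail: append an event chained to the hash of the previous entry."""
    prev_hash = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else GENESIS_HASH
    body = json.dumps(event, sort_keys=True)
    digest = hashlib.sha256((prev_hash + body).encode()).hexdigest()
    AUDIT_LOG.append({"event": event, "prev_hash": prev_hash, "hash": digest})


def verify_audit_chain(log=None):
    """Recompute the chain; an edited, inserted or deleted entry breaks it."""
    log = AUDIT_LOG if log is None else log
    prev_hash = GENESIS_HASH
    for entry in log:
        body = json.dumps(entry["event"], sort_keys=True)
        expected = hashlib.sha256((prev_hash + body).encode()).hexdigest()
        if entry["prev_hash"] != prev_hash or entry["hash"] != expected:
            return False
        prev_hash = entry["hash"]
    return True


def access_phr(token, patient_id, purpose, section):
    """Gate one read: authenticate, authorize, then release only that section."""
    claims = authenticate(token)
    if claims is None:
        _audit({"result": "auth_failed", "patient": patient_id, "section": section})
        return None
    event = {"user": claims["sub"], "role": claims["role"], "patient": patient_id,
             "purpose": purpose, "section": section}
    rule = POLICY.get(claims["role"], {"purposes": set(), "sections": set()})
    # A patient may only read their own record; every other role is bound by POLICY.
    own_record_ok = claims["role"] != "patient" or claims["sub"] == patient_id
    if not own_record_ok or purpose not in rule["purposes"] or section not in rule["sections"]:
        _audit(dict(event, result="denied"))
        return None
    _audit(dict(event, result="granted"))
    return PHR_RECORDS.get(patient_id, {}).get(section)
```

Every decision, including the refusals, lands in the audit log, which is what lets an incident be found and tracked after the fact; the hash chain means a log entry cannot be quietly altered or dropped without the next entry's hash failing to verify.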

No matter who offers you a PHR, you need to be assured that only appropriate people have access to your confidential medical data and that there is a way to keep out people who are not authorized to have access. You also need to be notified when a breach or security incident occurs, and the PHR operator needs a way to find, track and mitigate such incidents. When you are offered a PHR, ask about the security and privacy standards currently in place. Ask who will have access to your data and for what reason. If you think additional protections should be in place, offer your ideas to your employer, health plan and provider. It is your information, and you can also help keep it safe.


Written by Susan A. Miller, JD, consultant to the BCBSA. Resources include BCBSA HIPAA-related publications and materials.