On September 12, 2011, the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (“ONC”) unveiled a model privacy notice for personal health records (the “PHR Model Privacy Notice”). The PHR Model Privacy Notice was developed by ONC in collaboration with consumers and vendors of personal health records (“PHRs”). The PHR Model Privacy Notice is intended to enable consumers to “understand privacy and security policies and data sharing practice information, compare PHR company practices, and make informed decisions.”
The PHR Model Privacy Notice contains a list of relevant terms and focuses on “PHR Data,” which is defined to include a wide variety of data elements such as an individual’s name, address, phone number, email address, medical history, medications, healthcare claims, health plan account number, age, gender, ethnicity, occupation, IP address and “cookie” preferences. PHR Data is grouped into two broad categories: (1) “Personal Data,” which is any PHR Data that identifies an individual, such as “names, health conditions, and other identifiers,” and (2) “Statistical Data,” which is PHR Data that is grouped so as to not connect to a specific individual and has names and other identifiers removed or altered.
The PHR Model Privacy Notice requires PHR vendors to address two areas of concern: how they release data and how they secure data. In the “Release” section of the notice, vendors must indicate whether they disclose either category of PHR Data (Personal Data or Statistical Data) for any of the following purposes: (1) marketing and advertising, (2) medical and pharmaceutical research, (3) use by an individual’s insurer or employer, (4) reporting about the PHR vendor and its customer activity, and (5) developing software applications. The “Release” section also requires PHR vendors to indicate whether they require “Limiting Agreements” that restrict what third parties can do with PHR Data, and whether they will stop releasing an individual’s PHR Data if the individual closes his or her PHR with that vendor or transfers it to another PHR vendor.
In the “Secure” section of the PHR Model Privacy Notice, PHR vendors must specify whether they (1) use security measures to protect PHR Data from unauthorized access, disclosure, or use, (2) store PHR Data exclusively in the United States, and (3) retain PHR Data activity logs that individuals may review.
ONC indicates that using the PHR Model Privacy Notice is voluntary and “not intended to address legal requirements that may apply to a PHR company.” Nevertheless, a PHR vendor that adopts the notice should treat its statements as binding commitments: the Federal Trade Commission has the authority to take enforcement action against PHR vendors that do not adhere to the privacy and security practices they represent in their PHR Model Privacy Notice.