At a time when personal health record ("PHR") products are being launched by companies like Microsoft and Google with much attendant press, a report by the World Privacy Forum warns that PHR products may expose medical information to new privacy risks. This new generation of PHR products represent the beginnings of a renewed push towards consumer-directed healthcare, which is premised upon providing individuals with greater access to, and control over, their medical information.
But according to a February 20 report issued by the World Privacy Forum and authored by privacy attorney and consultant Robert Gellman, many PHRs will have to rely upon advertising (particularly pharmaceutical company advertising) in order to have a sustainable business model. And the world of online advertising is driven by the collection of personal information in the form of click-throughs, page views and transaction information. The WPF report correctly notes that companies operating PHRs will typically not be subject to regulation by HIPAA. However, a few state laws, such as California's Confidentiality of Medical Information Act, are broad enough to apply to many PHR companies that maintain medical information.
In the absence of applicable privacy and security laws or professional ethical obligations, privacy becomes essentially a matter of contract -- and that contract is the PHR company's privacy policy. A less privacy-friendly PHR company could commercialize medical information in any number of ways, if those uses are permitted under the terms of the company privacy policy. Microsoft and Google are setting an excellent example with explicit, comprehensive privacy policies that emphasize the individual's control over uses and disclosures of their medical information. However, these trend-setters will inevitably be followed into the marketplace by PHR companies that take a more lax approach to privacy policies and practices. And that is when things will get messy ….