How Do Personal Health Records Relate to HIPAA?

It is important for health care providers and their lawyers to understand Personal Health Records (“PHRs”) and how they relate to the Health Insurance Portability and Accountability Act (“HIPAA”). A PHR grants a patient personal access to and control over electronic copies of their own health information and thereby permits the patient to manage and track their records. To be clear, a PHR is distinct from an electronic health record (“EHR”), which is a term that describes both an electronic health record maintained by a health care provider for a particular patient and, commonly, the program or application through which the provider maintains that record (e.g., EPIC).

Instead, a PHR is focused not on the provider’s access to records but on the patient’s access to, and certain control over, a copy of their health records. This may take the form of an “app” or a “portal.” The Federal Trade Commission (“FTC”) regulations (16 C.F.R. § 318.2) define a PHR as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”

Certain types of PHRs permit the patient to input other information, such as emergency contacts, family health histories and scheduled appointments. The PHR may also permit the patient to conduct research on health care conditions, renew prescriptions or exchange secure messages with health care providers.

The Department of Health and Human Services’ (“HHS”) Office for Civil Rights published a helpful guide on PHRs that distinguishes between PHRs offered by an entity subject to the HIPAA Privacy Rule (i.e., a Covered Entity or Business Associate), such as a health care provider or a health plan, and those offered by entities not subject to the HIPAA Privacy Rule (e.g., employers — but not an employer’s health plan — or vendors who offer PHRs). This division makes sense from HHS’s enforcement perspective, even though PHRs take many forms. The guide provides examples of both types of PHRs, including their potential functions and limitations, and explains how entities subject to the HIPAA Privacy Rule may comply with those regulations in the context of PHRs (e.g., amending protected health information in a PHR, preparing an accounting of disclosures and distributing the Notice of Privacy Practices through a PHR).

A health care provider may receive a request from a patient asking that the provider send the requested records directly to a patient-controlled PHR offered by an entity not subject to HIPAA. Delivery to the PHR could take many forms, such as an email address maintained by the PHR vendor that deposits received records directly into the patient’s PHR. In light of HHS’s ongoing initiative of focusing enforcement attention on individuals’ right of access, it is critical that the provider respond promptly and appropriately in compliance with HIPAA regulations. That is, even if the PHR in question is maintained for a patient through a vendor not subject to the HIPAA Privacy Rule, the Privacy Rule still governs how the responding Covered Entity transfers the records to that PHR at the patient’s request. Under the right of access (45 C.F.R. § 164.524), an individual may direct a Covered Entity to transmit a copy of their protected health information to a designated third party, including a PHR, provided the request is in writing, signed by the individual, and clearly identifies the recipient and where to send the copy; the Covered Entity must then verify the identity of the requester, deliver the copy in the requested form and format if it is readily producible, and do so within the Rule’s time and fee limits. Once those records are received by the PHR, however, the Covered Entity is no longer responsible for what the PHR vendor does with them. If the PHR vendor is not subject to the HIPAA Privacy Rule, its handling of that information is instead subject to the FTC’s Health Breach Notification Rule as a “vendor of personal health records.”