Understanding How a PHR Is 'Not' Covered by HIPAA

A PHR, or Personal Health Record, is essentially a medium for saving an individual's health information; it supports the diagnostic process of healthcare providers and lets individuals provide their health information instantly. A PHR makes it easy for a person to share or access their own medical records. A PHR is different from an Electronic Health Record, or EHR. An EHR is the electronic, digitized record of all the information a healthcare provider holds about a patient. With PHRs, information such as medical history can be accessed online.

HIPAA PHR Coverage
Please note that HIPAA covers most types of PHRs, including PHRs offered by health plans and healthcare providers. However, some types of PHR are not maintained by Covered Entities and are therefore not covered. PHRs that exist outside the realm of the HIPAA Privacy Rule include:

  • PHRs maintained by employers, i.e. health records not included in the group health plan sponsored by the employer
  • PHRs offered directly to people by PHR vendors; the policies set by the PHR vendor dictate how the information contained within such PHRs is secured

Note: Such PHRs are less likely to be automatically or systematically updated with the latest information provided by healthcare providers; the most comprehensive and current health information about an individual is found in EHRs. Individuals can, however, request a copy of their PHR and have it updated.

PHR Vendors Handling Uncovered PHR
PHR vendors are likely to share personal health records with related business partners and other contractors. People are advised to ask their employer or the chosen vendor to detail the conditions under which their PHR can be shared and the procedure for seeking authorization to do so. When selecting a PHR, people should examine which regulatory authority, if any, is responsible for maintaining the integrity of the information. People who feel that the privacy protections offered by a PHR vendor are sufficient should understand that any violation of their personal data within such a PHR cannot be challenged as HIPAA non-compliance.

Maintaining Data Integrity Among Uncovered PHRs
Though information contained within PHRs outside the regulatory realm of the Privacy Rule is not protected by HIPAA, the Privacy Rule does regulate how PHI held by a covered entity is entered into PHRs. This ensures that the PHR achieves some degree of consistency with HIPAA benchmarks.

As per Privacy Rule guidelines, covered entities must provide the concerned individuals with a HIPAA NPP. An NPP (Notice of Privacy Practices) briefs individuals on their health information rights and on how a covered entity may use, disclose, or share such information. HIPAA also encourages covered entities to highlight their privacy practices as part of the HIPAA NPP.

This is best understood through the HIPAA-defined Accounting of Disclosures: the Privacy Rule requires that individuals can receive a detailed accounting of the types and extent of disclosures of their PHI made by a covered entity. In comparison, accounting for PHR disclosures is rather limited, and such disclosures are not covered by HIPAA's accounting guidelines. To ensure some degree of accountability for disclosures from uncovered PHRs, covered entities are encouraged to adopt functionality that allows individuals to view a log of when, and by whom, their PHR was accessed.