Online Personal Health Records: Are They Healthy for Your Privacy?

A personal health record (PHR) is a tool for collecting, tracking, and sharing information about your health. Most PHRs are Internet-based and enable the patient to create, review, or maintain a record of any aspect of their health. Typically, this may include such information as:

  • medications
  • illnesses and hospitalizations
  • surgeries and other procedures
  • vaccinations
  • laboratory test results
  • family medical history
  • allergies

In addition to storing an individual's personal health information, some PHRs provide additional services such as drug interaction checking or messaging between patients and medical providers.

Some PHRs are marketed directly to the consumer by the hosting site, which may charge a fee. Other PHRs are offered by health care providers such as hospitals. Still others are offered at no charge by such online powerhouses as Google and Microsoft. Many are advertising supported. Here are some examples of PHRs:

  • Microsoft's HealthVault
  • Google Health (Google Health will cease operations on January 1, 2012.  However, data will be available for download through January 1, 2013.)
  • Revolution Health
  • WebMD

Because medical records are among the most sensitive type of personal information, we at the Privacy Rights Clearinghouse have some concerns about PHRs. PHRs may not necessarily be private and may not be secure, despite what the hosting site tells you.

Some PHRs are covered under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s Privacy Rule applies only to three categories of "covered entities" -- health care providers, health plans, and health care clearinghouses. Thus, PHRs that operate within the health care system are bound by the HIPAA privacy rule.

Other PHRs may be sponsored by third parties, and therefore outside the health care system. These types of PHRs may not be a “covered entity” under HIPAA. Some PHRs that are not “covered entities” protected by HIPAA may state that they are “HIPAA compliant”. The phrase “HIPAA compliant” can be misleading because it does not necessarily mean that the PHR is actually a “covered entity” under HIPAA. It is possible that you may not have any rights under the HIPAA Privacy Rule if you utilize a PHR that is only “HIPAA compliant”.

One privacy concern is the host’s ability to access and disclose personal medical information under specified circumstances. It is important to read the PHR’s privacy policy. Privacy policies may vary widely among PHRs, as can their security protocols. The privacy policy should state any disclosures or secondary uses of PHR information that may be made. Some PHRs may “mine” your information and sell it to other companies that want that information. Some may sell advertising that may be targeted to the conditions that you have. For example, if you have diabetes, you might receive advertising for insulin products and glucose monitors.

Another major concern is the hosting site’s security protocols. When users store their data on the host’s hardware, they lose a degree of control over their sensitive information. The responsibility for protecting that information from hackers and data breaches falls into the hands of the hosting company rather than the individual user. So there is a security risk in putting your sensitive medical data in someone else's hands. Obviously, the safest approach is to maintain your medical records under your own control.

Another concern involves subpoenas. If a company maintaining a PHR were served with a subpoena as part of legal process, it might be able to disclose a patient's personal medical information without being in violation of its privacy policy. This might happen as part of litigation involving any entity, including an insurance company or any other plaintiff or defendant in a civil lawsuit. Similarly a government agency or law enforcement might issue an administrative subpoena or warrant for this information. Plans subject to HIPAA do have some protection from subpoenas.

It is important to note that PHRs are not the same as electronic health records (EHRs), which are designed for use exclusively by health care providers. EHRs are closed systems kept by doctors' practices, hospitals, and networks. PHRs are records that are used mainly by consumers. However, PHRs may include data gathered from doctors, insurers, and pharmacies. The information in a PHR is available to the consumer and in some cases to the medical providers that the consumer authorizes.

For consumers interested in compiling a complete medical history, we recommend maintaining your own offline medical records. For forms to create your own personal health records, visit If you just want to track your medications, see “My Medicine Record” at . It can be used to keep track of your prescription medicines, over-the-counter medicines, and dietary supplements.

For additional extensive resources on PHRs, see the World Privacy Forum’s Personal Health Records Page at
.  Another useful resource is the California Office of Privacy Protection's publication "Is a Personal Health Record Right for You?" at