What HIPAA standards apply to personal health records (PHR)?

The Health Insurance Portability and Accountability Act (HIPAA) sets standards to protect sensitive patient health information. Personal health records (PHRs) created, maintained, or accessed by covered entities or business associates are governed by HIPAA regulations. 

What are personal health records?

Personal health records (PHRs) are electronic applications or tools that allow individuals to manage and store their health information privately and securely. PHRs can include a wide range of health-related data:

• Medical history: Information about past illnesses, surgeries, medications, allergies, immunizations, and family medical history.
• Lab results: Records of blood tests, imaging results, and other diagnostic tests.
• Doctor visits: Details of past appointments, notes from healthcare providers, and treatment plans.
• Vital signs: Information like blood pressure readings, heart rate, weight, and height.
• Health and fitness data: Exercise routines, dietary habits, and other lifestyle-related information.

PHRs can be managed by individuals themselves, often through online platforms or mobile apps provided by healthcare organizations, insurers, or independent software developers. They are designed to give individuals more control over their health information, allowing them to track their health status, share information with healthcare providers, and become more actively involved in managing their care. There are different types of PHRs, including:

• Tethered or connected PHRs: These are linked to a specific healthcare organization's electronic health record (EHR) system, allowing patients to access their medical information from that provider.
• Standalone PHRs: These are independent of any healthcare provider's system and are managed entirely by the individual. They allow users to input and manage their health information themselves.

See also: HIPAA Compliant Email: The Definitive Guide

HIPAA standards governing PHRs

• Privacy rule: Healthcare providers must ensure that PHR data remains protected under HIPAA's privacy rule. This involves safeguarding patients' protected health information (PHI), controlling access, and obtaining patient consent for data sharing.
• Security rule: The security rule mandates the implementation of robust safeguards to protect electronic protected health information (ePHI). Providers should employ encryption, access controls, and regular risk assessments to secure PHR data.
• Breach notification rule: In case of a security breach compromising PHI within PHRs, healthcare providers must notify affected individuals, the Department of Health and Human Services, and, if necessary, the media, adhering to HIPAA's breach notification requirements.
• Minimum necessary standard: Providers must ensure that access to PHI within PHRs is limited to the minimum necessary for intended purposes. This principle mitigates unnecessary exposure of sensitive information.
• Business associate agreements (BAAs): When collaborating with PHR vendors or other entities handling PHI, providers must establish BAAs to ensure compliance with HIPAA standards.