A personal health record (PHR) is not the same thing as an electronic health record (EHR) even though both contain medical information and are (usually) electronic. The primary difference between a PHR and an EHR is that individuals own and have control over their PHRs, while EHRs are held and maintained by healthcare providers.
A person who has a PHR can access it from practically anywhere the internet is available, control what goes into it, and decide who can access their health information. In contrast, healthcare providers control EHRs and authorize certain people, such as doctors and hospital personnel, to access them.
Are personal health records subject to the HIPAA Privacy Rule?
PHRs offered by healthcare providers and health plans are subject to the HIPAA Privacy Rule. Covered entities such as health plans and healthcare providers can contract with business associates to administer PHRs or to perform certain PHR-related functions.
By law, a business associate must have a business associate agreement with the covered entity in place for as long as the business associate is administering PHRs or performing PHR-related functions that involve protected health information (PHI).
Does the HIPAA Privacy Rule apply to other types of personal health records?
Some PHRs are offered by employers or PHR vendors that are not covered entities. These PHRs are not subject to the HIPAA Privacy Rule, with one exception. The Privacy Rule applies to the process of moving PHI from a covered entity, such as a healthcare provider, into an individual's PHR, even if the PHR itself is not subject to the Privacy Rule. In other words, if a healthcare provider sends PHI directly to an individual's PHR, that process is subject to the Privacy Rule.
This could require the PHR's owner to authorize the information transfer. Alternatively, a healthcare provider could send the PHI directly to the individual, who would then enter that information into the PHR, either manually or by uploading it. Once PHI is in this type of PHR, the Privacy Rule does not apply. It is up to individuals to research PHR providers' privacy policies, learn who will have access to their PHI, and find out whether their PHR provider is allowed to share their PHI.
What are the benefits and risks of keeping a personal health record?
Personal health records can be useful health management tools because they allow people to see their entire health history and correct errors in their health information. If a PHR owner is far from home and has a health emergency, they can access their PHR remotely and share relevant information with healthcare providers.
Many PHRs also offer the ability to send messages to healthcare providers and request prescription refills. Like any other records stored on computers, the PHI in a PHR could be exposed if a data breach or malware attack occurs. Personal data could be leaked accidentally or deliberately, either through human error or by a malicious person who has access to the PHI.
Paubox Email Suite allows users to compose and send HIPAA-compliant email from their laptop, desktop, or mobile device. Email recipients can view messages and attachments without needing to log into a portal, download an app, or enter multiple passwords. Paubox has achieved HITRUST CSF certification, demonstrating that our email solutions have met regulatory and industry-defined requirements and are appropriately managing customers' risk.