Is a Personal Health Record Right for You?

Considerations for Californians

This information is meant to give you an overall picture of Personal Health Records (PHRs) to help you decide if using one is right for you and your family. Only you can decide if a PHR is a tool you're interested in using and if so, which PHR provider best fits your needs.

Efforts are underway on the state and national levels to create a system of electronic health records that all of your healthcare providers can easily access. As plans for such a system move along, the Personal Health Record marketplace continues to change. This Consumer Information Sheet provides some basic information for you to consider before signing up for a PHR.

What is a Personal Health Record?

Your health information is currently stored by many different healthcare providers in many different locations. Your physician, dentist, optometrist, and other healthcare specialists all keep separate records.

A Personal Health Records is an Internet-based applications that allows you to gather, store, manage, and in some cases share, information about your health or the health of someone in your care. Your health information is stored where you can reach it on a Web site. You can usually access the site by using a user name and password.

Some insurers, HMOs or medical provider groups offer PHRs for their members, and certain Internet companies sell PHR services for anyone to use. The cost of using an Internet PHR provider varies. Some companies require a one-time-only fee, others charge an ongoing fee, and still others provide the service for free. The free services may be supported by advertising revenues.

PHR providers also have different ways to transfer your health information from where it is stored now to your electronic PHR. Some PHR providers have formed partnerships with hospitals, pharmacies and labs that let you import your medical records from your healthcare providers. Other PHR providers require you to get your health records and type the information into your electronic PHR.

What are the advantages of having a Personal Health Record?

A potential benefit of having a PHR is to gain a broad view of your health by having all of your information available in one central place. A PHR can allow you to access your health information to prepare for medical appointments. It can also enable you to communicate better with your healthcare providers about your medical needs.

People with chronic health conditions may use a PHR to keep track of such things as how their medications are affecting them, or how they're feeling from day to day. Diabetics, for example, might use a PHR to record their glucose levels. People with hypertension might want use it to track their blood pressure readings.

You might wish to add other health-related information to your PHR, such as your diet and exercise routines. You might use your PHR as a log to chart your progress towards your health and wellness goals.

Personal Health Records may help you care for a family member or friend who needs assistance tracking and managing their health information due to age or illness.

If you want to manage a PHR for someone else, you will have to get written authorization from the person you are caring for addressed to each of his or her healthcare providers. The authorization should say that the patient gives permission for the provider to release to the patient's caregiver all of the records and information about the patient's care and treatment.

How do I create a Personal Health Record?

You will need to request a copy of your records from each of your healthcare providers. To do so, you must complete an "authorization for the release of information" form for each provider. Request the form from your provider. Be aware that by law, a medical facility is allowed up to 60 days to provide you with a copy of your medical records, and most facilities charge for copies.

Some information you may want to include in your Personal Health Record are a list of illnesses and surgeries, medications and dosages, allergies, immunization records, eye and dental records, and lab reports.

Practice good computer hygiene.

Most people feel that information about their health is some of their most private information, and they want to be certain it's kept secure. Before you begin using a Personal Health Record, you should be sure that you are practicing good computer hygiene. As with anything you do online, taking appropriate precautions will protect both your computer and your sensitive information.

You can help lower your risk when you are online by installing a network firewall, using anti-spyware and anti-virus software and keeping all these protections up-to-date. Choose strong passwords that are hard to guess. To read more about computer security, see our Protect Your Computer from Viruses, Hackers, and Spies web page.

What questions should I ask before signing up?

If you decide that a Personal Health Record may be beneficial to you or someone in your care, you should thoroughly research the PHR providers you are considering. Here are some basic steps you should take and questions you should ask before you register for a PHR service.

Before you sign up with a PHR provider, carefully read the company's privacy policy and terms of use statements. For a more comprehensive guide to privacy policies, see our How to Read a Privacy Policy web page.

The privacy policy (perhaps along with the terms of use statement) should address all of the following questions. Contact the PHR provider if you want additional information. Be sure you are satisfied with the answers before you make your health information available to a PHR provider.

  • Who will have access to my personal health information? What control will I have over the sharing of my information?

    The policy should describe any sharing of your personal information with third parties. Many PHR providers offer health management tools they may call services, programs, vendors or partners. The policy should describe any financial or other business relationships with such services offered on the PHR site.

    These tools, whether they are designed to track specific health data or to give you detailed information about a medical condition, are provided by other companies. You may need to allow them access to your PHR to use them. It's important to note that such tools are probably not covered by the privacy policy of the PHR provider. You should review the privacy policy and terms of use of the company whose tool you're interested in using. A good rule to follow is that whenever you leave the PHR provider's Web site to visit a separate Web site, you should check that Web site's privacy policy and terms of use.

    Also look for a discussion of the sharing of de-identified or aggregated information with third parties. For example, this may be done for research purposes. Would the provider ask for your approval before such sharing? Some have expressed concerns about the possible ability of researchers and others to re-identify data that had been de-identified.1
  • How can I authorize others to have access to my PHR? Can I revoke the authorization later?

    Some PHR providers allow you to authorize others to access your Record. You may have the option to share your PHR with family or healthcare professionals. Can you limit authorizations to view your PHR? For example, if you allow your dentist to view your PHR, would he or she only be able to see your dental record? Or would your dentist be allowed to see all of your medical records? Look for information on how you would grant and revoke such authorizations.
  • How can I find out who has accessed or used my personal information?

    The policy should describe how you can learn who accesses your PHR. A PHR provider may notify you by email whenever someone accesses your information. Or you might be able to view an "audit trail" of access in your PHR itself. In addition, you might be able to receive a history of access to the information on a monthly or other basis.
  • Will I be able to remove my information from the system if I want to?

    How long after you have requested to delete information will it be deleted? Will the information be permanently removed from the provider's servers?
  • What security measures are used to protect my information?

    Remember that security is an important element of privacy. Basic security protections include requiring a password for access to your PHR, encryption of communications (perhaps excepting email), and control of access to the PHR provider's servers.
  • How can I ask questions or report concerns about my personal health record?

    Look for information on how to contact customer service and/or the PHR provider's privacy officer by email and by another means (fax or telephone). How quickly will a response be provided?

PHRs and the Law

Some PHR providers, such as health care providers and health insurers, are subject to the federal health information privacy law, HIPAA.2 It is recommended that PHRs meet privacy requirements at least equal to those in HIPAA, and recent amendments extended many HIPAA requirements to vendors of personal health records and other entities that offer products or services through PHR sites.3 In addition, California's medical privacy law applies to PHR providers.4 See our Your Patient Privacy Rights: A Consumer Guide to Health Information Privacy in California web page.

Offline Alternatives

Many of the benefits of having a compilation of your medical history can be enjoyed without posting the records online. The American Health Information Management Association offers suggestions on creating your own offline personal health record. The records can be stored on your own computer, on a USB or flash drive, or in a folder or binder. You can find information on their "MyPHR" site listed below. The Federal Drug Administration provides "My Medicine Record," forms for keeping track of your medicines. You can find the forms, along with a video that explains how to use them, on the FDA web site listed below.

For Additional Information on PHRs

Notes

1 See PHR FAQs on the Patient Privacy Rights web site. Back to link 1

2 Health Insurance Portability and Accountability Act of 1996 (HIPAA) - 45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information and Security Standards for the Protection of Electronic Protected Health Information. For more on HIPAA, see the World Privacy Forum's "A Patient's Guide to HIPAA," available at World Privacy Forum. Back to link 2

3 The HITECH Act of 2009, part of the American Recovery and Reinvestment Act, extended many HIPAA provisions to personal health records maintained by entities not previously covered by HIPAA (42 U.S.C.A § 17938). For recommendations on HIPAA and PHRs, see "Review of the Personal Health Record Service Provider Market: Privacy and Security," Altarum, January 5, 2007, available at Patient Privacy Rights. Back to link 3

4 See the Confidentiality of Medical Information Act, California Civil Code section 56.06. Back to link 4

This fact sheet is for informational purposes and should not be construed as legal advice or as policy of the State of California. If you want advice on a particular case, you should consult an attorney or other expert. The fact sheet may be copied, if (1) the meaning of the copied text is not changed or misrepresented, (2) credit is given to the California Department of Justice, and (3) all copies are distributed free of charge.