The recent post on Aug 29th generated an interesting comment regarding security and privacy of Web-based PHRs.
Unfortunately, in an earlier post where I bemoan the utter confusion (may I be so bold as to say chaos) that one confronts when looking for a PHR, I failed to mention the issue of widely varying security and privacy policies of these PHR vendors.
These policies are all over the map, from no clear policies at all, to HON Code and Verisign certifications with clear policies addressing both security and privacy.
This is a very BIG issue.
Based on my research to date as well as the research of others (PDF), a consumer is at a very high risk of having their privacy compromised for the benefit of others such as insurers, employers, pharmaceutical companies, etc. There are also clear security risks at some of the PHRs I visited online that have very weak security protocols.
Nothing is for free and many “free” PHRs’ business models are based on selling consumer data to others. Then there are the free PHRs sponsored by payers (insurance companies) who, through their industry association AHIP, have a broader initiative for PHRs. But do you really want insurance companies to have your detailed medical history? Could such access by insurance companies result in denials of coverage or at the very least surcharges based on your risk profile? And what about that free PHR from one’s employer? Do you want them to have that kind of access to your medical records? What might it mean to that promotion you were hoping for if your employer notices that you are seeing a therapist?
There is little if any consistency in the Web-based PHR market today and good luck trying to find some consumer’s guide to PHRs.
If those in Washington are so gung ho on promoting greater consumer involvement in their healthcare and, concurrently, the promotion of a National Healthcare Information Network, then it is incumbent upon them to begin establishing some very clear policy guidelines for Web-based PHRs that will ensure a consumer’s privacy is upheld and security of their medical records assured. Would also be nice (am I asking for too much?) if they could take the lead and begin providing the consumer with very clear guidance on choosing a PHR.
Until that time, buyer do beware, the Web-based PHR market is a minefield.
Note: I did go looking far and wide for any document that provided clear guidance to assist a consumer in evaluating a Web-based PHR, including what to look for when assessing security and privacy policies of a PHR vendor. Found nothing. If you, the reader, know where I may find such, please pass it along.