Privacy Advocacy Group Attacks PHRs

by | Feb 20, 2008

Today, the World Privacy Forum released a report, Personal Health Records: Why Many PHRs Threaten Privacy. Both the 16-page report and a shorter, 5-page consumer advisory report can be found here. There was also an article today referencing the report in the San Francisco Chronicle.

While the report does not give names of any particular PHR vendor (I could certainly name a few egregious examples), the report does make it clear that a consumer is at risk of having their privacy compromised if they are not careful.

Research for our upcoming PHR report (due out by end of May 2008) concurs with this finding and it is also something I have brought up in the past. Having over the last few months reviewed countless web-based PHR solutions and, where possible, their privacy policies, I have found almost zero consistency. This issue will continue to plague the industry until they, as a group, define what are best privacy and security practices and begin policing themselves through some form of industry-sponsored certification process. (Note: The existing HON certification is a joke.)

Microsoft, for example, is in a perfect position to sponsor such an initiative and ensure that all partners adopt the same strong privacy and security policies that Microsoft is using for HealthVault. Unfortunately, Microsoft has yet to step up to the plate on this one, which is shameful.

My Recommendations to the PHR Industry:

Microsoft – Take a leadership role and require that all HealthVault partners adopt the same privacy and security policies that you are using. Better yet, work with Dossia and Google as well to create a common set of standards and compliance policies for the industry and a mechanism to implement them and police them. (Please refer to later post, Microsoft Comes Clean on Privacy, which commends Microsoft for taking a pro-active stance on this issue.)

PHR vendors – Establish a semi-independent organization that will create a set of best practice standards for privacy and security. Give this organization the power to use these standards as the basis of a “Good Housekeeping” seal of approval certification process for PHR vendors. This organization will fully vet PHR solutions, going well beyond what HON does today. Those that comply get a prominent seal to display on their website. Microsoft, Google and Dossia, maybe you could be lead sponsors to form such an organization.

Both of the above will take some time to implement, so what should PHR vendors do today? Here are my top seven suggestions:

  • Make your privacy & security policies clear and understandable.
  • Have them visible and not hidden down at the bottom of your homepage with a small font “Privacy” link.
  • Allow the consumer to download your policies, e.g., provide them as a PDF.
  • State clearly how any data may be used.
  • State clearly opt-in/opt-out policies and procedures.
  • Detail how and where records are stored and what your policies are for records removal.
  • Specifically state how you support portability and the process by which a consumer can retrieve their records and move them to another PHR of their choosing.

I’m sure I’ll think of more steps PHR vendors can take later, but taking these steps would be an excellent starting point. Unfortunately, I have yet to find a site that supports all of the above suggestions.

If the industry does nothing, they will be leaving it to the government to create privacy regulations. My fear here is that such regulations may not achieve lofty privacy goals and instead have the perverse effect of killing an industry that is only beginning to get some traction.
