This is the final part of our series on personal health records. Click here to read the rest of the series.

Consumers are wondering if personal health records can guarantee the level of privacy and protection of their personal information. The Health Insurance Portability and Accountability Act (HIPAA), a federal law, requires health care providers to protect the privacy of personal medical records. Third-party vendors can act as business associates of their covered entity clients. This makes them contractually required to comply with HIPAA, which includes the following obligations:

• To not use or further disclose the PHR other than as permitted by the contract or as required by law;
• To use appropriate safeguards to prevent unauthorized use or disclosure of the PHR;
• To report to the covered entity any unauthorized use or disclosure of which the vendor becomes aware;
• To ensure that any agents, including subcontractors, to whom it provides PHRs agree to the same restrictions and conditions that apply to the business associate; and
• On termination of the contract, return or destroy all PHRs in its possession, or, when that is not possible, extend the protections of the contract for as long as the information is retained.

When selecting a vendor for a PHR, find out what its policies around privacy and protection are and if they abide by sound privacy practices.

Looking forward
As PHRs evolve, we will see vendors adding new features that will further enhance the experience for patients and physicians. One example is a calendar in which patients can enter appointments with doctors and then receive reminders for those appointments. Pre-populated intake and immunization forms for visits to new doctors and schools or camps are other enhancements. Links to educational resources may be provided so that the patient can access general information about a range of health issues.