At the end of June, Investor’s Business Daily reported that Google, Microsoft, Aetna, Blue Cross and 27 other private organizations agreed on "ground rules for protecting the privacy of the sensitive information" contained in personal health records (PHRs). The IBD article indicated that the group has been working together for the past 18 months and on Wednesday, June 26th, released the "hundreds of pages long" framework, which "starts with the idea that the information in a PHR is the user’s to control — and spells out how to guard it."
The "best practices" agreed upon by this private workgroup are posted online. Among them is a policy that audit trails be kept so that consumers can see who has looked at their records. The workgroup also recommended that insurers, employers, and others be prohibited from seeing the information without the individual’s prior authorization.
Opponents of these models have focused on the point that PHR repositories, such as the ones being offered by Google and Microsoft, are not subject to HIPAA. However, I think that developing and releasing a framework of privacy and security "best practices" is a step in the right direction, and it may reassure healthcare consumers that information maintained in such online filing cabinets will be kept as confidential and secure as it would be if held by entities subject to federal privacy laws such as HIPAA.