How Private and Secure is Protected Health Information?

Gerry Higgins, Director, Translational Informatics, Johns Hopkins Medicine

Gerry Higgins, Director, Translational Informatics, Johns Hopkins Medicine

There was a very interesting meeting yesterday, “The Personal Health Record (PHR) Roundtable”, organized by the Office of the National Coordinator for Healthcare Information Technology (ONCHIT).  Some of the more enlightening discussions took place in the afternoon sessions, focusing on security, privacy and standards.  Josh Lemieux, Director of Personal Health Technology, Markle Foundation and Dr. Matthew Wynia, Director, The Institute for Ethics, American Medical Association, presented some data about consumer’s views concerning the electronic PHR. On a positive note, although only about 7% of Americans now use a PHR (Consumers and Health Information Technology: A National Survey, California Healthcare Foundation, 2010), a Markle survey showed that about 70% of patients and 65% of physicians agree that patients should be able to download and keep their own copies of their personal health information.

As usual, the U.S. Department of Veterans Affairs (VA) leads the way in healthcare IT, providing the proverbial “blue button”, that now allows veterans to download their own health information, and Medicare beneficiaries will shortly have similar access over the web to their medical records. However, of patients and physicians that were surveyed, over 80% do not want the government collecting personally identifiable health information, or have those data sold to third parties.

Some interesting information has emerged from investigations by the Federal Trade Commission (FTC).  First, an investigator sifted through dumpsters behind CVS and Rite Aid pharmacies in Indianapolis, IN, and then in 12 other U.S. cities. What he found was paper copies of so-called “protected” information containing identifiable patient prescription data.  This led to the FTC leveraging fines, and implementing ongoing audits about how these pharmacies dispose of PHI.  Second, the vast majority of official “Breach Notices” provided by the FTC about loss of PHI have occurred through the misplacement of mobile devices such as laptop computers, portable hard drives and netbooks.

And then there are consumers and institutions making duplicates of medical records on copying machines that have hard drives and store these data for potential retrieval by nefarious individuals at a later time.  And there is the person who accesses their PHI on a secure web site in a public setting such as a library, and forgets to log off.

According to Lee Tien, J.D., Attorney at the Electronic Frontier Foundation, and other panelists, most consumers and patients falsely believe that:

  • Patients have the legal right to correct erroneous information in their medical record
  • Providers and other vendors are required to provide an “audit trail” for each individual they serve
  • PHI is protected by HIPAA at all times, when it is only valid for certain “covered entities” and “business associates”
  • Their PHI can’t be sold to a third party, when this occurs all the time

John Moore, a respected expert on Healthcare IT (see, forecasts that mobile devices will be the major vehicle for PHI provided by hospitals by the year 2014.  The mHealth technology developers may develop better security measures by that time for mobile devices.  But, California’s Office of Privacy Protection, which has the strictest laws regulating the use of PHI and Personal Health Records, recommends that, to insure the greatest safety, it is best not to put PHI on mobile devices at this time (see And this is part of a larger social issue about privacy and security. Dr. Danah Boyd of Microsoft Research (New England), and expert in privacy and social media, has been very concerned about the leakage of personal information on Facebook:

“On 8 January 2010, Facebook’s founder Mark Zuckerberg made the following statement:  “People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people.  That social norm is just something that has evolved over time.” …Thus began another wave of concern about Facebook’s attitudes toward their users’ privacy. The above comment came on the heels of Facebook’s move in December 2009 prompting users to reconsider their privacy settings (Zuckerberg, 2009). Users were presented with a message that asked them to alter their privacy settings. The default option was to make user content publicly accessible to all Facebook users and anyone else who had enough technical savvy to access the data using the tools that Facebook made available to software developers.”

This obviously caused great consternation from privacy advocates.  And this is not a generational issue – or should we all adopt the challenge of the Personal Genomes Project – to make public all of our genomic and medical data?

Finally, a couple of tidbits:

-What has happened to all of the Protected Health Information contained in the databases of the dozens of Personal Health Record companies that have gone bankrupt?

-The Provider – Patient Privilege (including HIPAA protection) no longer applies if an intermediary intercedes between the 2 parties, such as an IPad or IPhone application – thus, can these data can be used by the third party application for any purpose that they want, including selling it to marketing companies or to health insurers?


  • Dr.  Danah Boyd’s web site:
  • “The Public and Doctors Agree with ‘Blue Button’ Idea.” See Markle Foundation,
  • “Consumers and Health Information Technology: A National Survey.” See California Healthcare Foundation,
  • “Topline Results From a National Consumer Survey on HIT.” See

Email Newsletter

Sign up to receive our latest updates delivered straight to your inbox.

Share Your Thoughts

To register, click here.