Patient Privacy Rights grades five PHRs

By Kyle Hardy
09:22 AM

Patient Privacy Rights, a health privacy watchdog group, has released a new report card grading five personal health record platforms.

“We wanted to highlight a number of concerns over lack of control by patients,” said Ashley Katz, executive director of Patient Privacy Rights. “The good news is there are some companies that keep your personal health info secure. The bad news is that there are some companies that don’t give patients control over their PHR.”

Group officials say the report card, which graded companies including CapMed/Metavante, Google Health, Microsoft HealthVault, NoMoreClipboard and WebMD, is designed to educate and protect consumers.

"Our assessment of five different PHRs found a wide range of existing privacy policies," a statement from the group read. "Some PHRs protect our rights to control who can see and use health information, and others outright violate those rights. One PHR shares all personal information with employers and insurers, for example."

The grading system was based on multiple constitutional, state and federal laws regarding personal privacy, said PPR officials, and included evaluating any partners and applications.

PPR officials gave an explanation of each letter grade:

A – 4.0 to 5.0 – Excellent: No invasive practices, solid protection, assurance of privacy rights and user-friendly.
B – 3.1 to 3.9 – Fairly comprehensive efforts and privacy protection with room for improvement.
C – 2.6 to 3.0 – The platform provides some privacy safeguards, but has multiple key flaws and weak protections.
D – 2.0 to 2.5 – Few, if any, safeguards and protections, and/or misleading information, and/or not user-friendly.
F – 1.0 to 1.9 – The PHR threatens patient privacy and control over personal information either through inaction or actual business practice.

NoMoreClipboard PHR ranked best with an “A” for privacy protection. CapMed/Metavante and WebMD followed with “C” ratings.

Microsoft HealthVault was given a "B" for its platform, but received an "F" for other partners and programs. Google Health received the lowest score with a “D” for platform privacy policies and an “F” for their partners and programs.

Platforms provided by employers and insurers received an "F" rating from the report card.

“For Google Health and Microsoft HealthVault, their privacy policies apply only to their Platform, not to any of the companies linked to their Platform,” said Katz. “For example, while the Platform may require the individual's consent before disclosing any data, any third party such as another PHR, a tracking tool for diabetes or research search engine does not necessarily play by the same rules.”

“One grade was given to the Platform itself and another grade was given to the programs and partner applications linked to the Platform to highlight the differences between the applicable policies,” said Katz. “There are simply far too many different programs/partners for PPR to grade each individually. As such, we took a random sampling of these programs/partners.”

Katz said PPR could not grade the Partners/Programs on every category. Some categories did not apply, and others could not be verified. Primarily, PPR wants to drive home that each Program/Partner has its own privacy policy and those policies can really vary, said Katz.

“We think it’s really critical for the public to understand how the personal health record works,” said Deborah Peel, MD, founder of Patient Privacy Rights. “Our focus is on control. Really what matters is patients see who is using their information and for what purpose.”
