Electronic Personal Health Records

^Pr^ep^ar^{ed f}^o^r^M^e^m^b^ers^an^d^Com^mⁱ^t^t^ees^of^C^ong^r^e^ss

The Administration, Congress, foundations, and the private sector have undertaken various
initiatives to promote the adoption of electronic health records (EHRs) as part of the national
health information infrastructure. An electronic personal health record (EPHR) is a database of
medical information collected and maintained by an individual. Commercial suppliers, health
care providers, health insurers, employers, medical websites, and patient advocacy groups offer
EPHRs. Congress has held hearings on electronic personal health records, and legislation has
been introduced (S. 1456), ordered to be reported (H.R. 2406), and reported (S. 1693). Electronic
personal health records are controversial among privacy advocates and patients, who are
concerned about health information privacy and security, and misuse of individually identifiable
health information. The extent to which electronic personal health records are protected by the
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is discussed herein.
This report will be updated.

In 2004, the President and the Department of Health and Human Services (HHS) launched an
initiative to make electronic health records available to most Americans within the next ten years,
and to transform the health care system by lowering costs, reducing medical errors, and ¹
improving quality of care. The President called on HHS to develop and implement a strategic
plan to guide the nationwide implementation of health information technology that would, among ²
other things, allow EHRs to be shared across healthcare systems and providers. Many are
concerned about the privacy and security of EPHRs; the potential for the exploitation of personal
medical information by hackers, companies, or the government; and the sharing of health ³
information without patients’ knowledge or consent.
Congress has held hearings on electronic health records,⁴ and legislation has been introduced to
promote EPHRs. S. 1456 (Carper/Voinovich), the Federal Employees Electronic Personal Health
Records Act of 2007, would require each carrier entering into a contract for a health benefits plan
to establish and maintain electronic personal health records for individuals and family members
enrolled in Federal Employee Health Benefits Plans. Health benefit plans would be required to
comply with HIPAA privacy and security regulations and other relevant privacy and security
laws. H.R. 2406 (Gordon) directs the National Institute of Standards and Technology (NIST) to
increase its efforts in support of the integration of the healthcare information technology system
and authorizes the Director of NIST to, among other things, focus on information management
including electronic health records management. H.R. 2046 was ordered to be reported by the
House Science and Technology Committee on October 24, 2007. S. 1693 (Kennedy), the Wired
for Health Care Quality Act, would enhance the adoption of a nationwide interoperable health
information technology system. S. 1693 was reported on October 1, 2007, by the Senate
Committee on Health, Education, Labor, and Pensions (S.Rept. 110-187).
Philanthropies such as California Health Care Foundation, Robert Wood Johnson Foundation, the
Markle Foundation, and many others have provided funding, leadership, and expertise to the EHR ⁵
effort. Medical informatics, nursing informatics, and medical and nursing professional societies ⁶
have also been involved. The private sector has been actively involved through the launch of ⁷
tools and websites offering EPHRs.

¹^Ex^e^c^u^tiv^e^O^r^de^r¹³³³⁵^:^Iⁿ^c^eⁿ^tⁱ^v^e^s^for^the^U^s^e^of^H^e^alth^Iⁿ^f^o^r^m^ati^on^Te^c^hno^lo^gy^a^{nd Es}^t^a^b^lis^hi^ng^t^h^e^Pos^iti^on^of^the
^N^a^tio^nal^H^e^alt^h^Iⁿ^f^o^r^m^ati^oⁿ^Te^c^hno^lo^gy^C^o^or^di^nat^or^{, (}²⁰⁰⁴⁾^.
²^H^e^a^{lth a}ⁿ^d^H^u^m^a^{n Se}^r^v^ic^e^s^a^{nd the}^N^a^tiona^l^C^o^or^di^na^tor^f^o^r^H^e^a^l^{th I}^T^,^The^D^e^c^a^de^{of H}^e^a^lth^Iⁿ^f^o^r^m^atioⁿ
^Te^c^hnol^ogy^:^D^e^liv^e^rⁱⁿ^{g C}^o^ns^um^e^r^-^c^eⁿ^tr^ic^and^Iⁿ^f^o^r^m^ati^on-^rⁱ^c^h^H^e^alth^C^a^r^e^{, Fr}^am^e^w^or^k^for^Str^a^te^gⁱ^c^Ac^tion⁽^J^uly^21,
²⁰⁰^4),^htt^p^://w^ww^.hhs.g^ov^/he^a^lthit/doc^um^eⁿ^ts/hitf^ra^m^e^w^o^r^k^.pdf^{; se}^e^GA^O,^H^e^{alth I}ⁿ^f^o^r^m^ati^oⁿ^Te^c^hno^lo^gy^:^Eff^o^r^t^s
^C^onti^nue^but^C^o^m^p^r^e^he^ns^iv^e^Pr^iv^ac^y^Appr^oac^h^N^e^e^d^e^d^f^o^r^N^a^ti^on^{al S}^t^r^a^te^gy^{, G}^A^O^-^07-²³⁸⁽^W^a^s^hing^ton,^D^.^C^.^{: J}^aⁿ^.
^{10, 20}⁰⁷⁾^.
³^Se^e^,^H^e^a^lth^P^r^iv^a^c^y^P^r^oje^c^t^aⁿ^d^C^e^nte^r^f^o^r^D^e^m^o^c^r^a^c^y^a^{nd T}^e^c^hnolog^y^,^L^e^{tter to}^T^h^{e H}^o^no^rab^l^{e E}^d^wa^{rd M.}
^K^e^nne^dy^{, C}^hair^m^aⁿ^,^Seⁿ^a^te^C^o^m^m^itte^e^{on H}^e^al^th,^Ed^uc^ati^oⁿ^,^L^a^b^o^r^a^{nd Pe}^ns^io^ns⁽^J^uly^23,²⁰⁰⁷⁾^,
^http:^//w^w^w^.he^a^lthpr^iv^a^c^y^.^or^g^/^us^r^_doc^/^W^ir^e^d_le^tte^r^_7-²³^.p^df^.
⁴^S^ee,^e.^g.^,^Pr^iv^ate^H^e^alt^h^Re^c^o^r^d^s^:^Pr^iv^ac^y^I^m^plic^at^ions^of^the^Fe^d^e^r^a^{l G}^o^v^e^r^nm^eⁿ^t’^s^H^e^alt^h^Iⁿ^for^m^atio^{n Te}^c^h^nol^ogy
^Initia^tiv^e^{: H}^e^a^r^ing^B^e^f^o^r^e^the^Seⁿ^a^te^Subc^om^m^.^{on O}^v^e^r^sⁱ^g^h^{t of}^G^o^v^’^{t Ma}^na^g^e^m^e^{nt, the}^Fe^de^r^a^{l W}^o^r^k^f^o^r^c^e^,^a^{nd the}^th
^Distric^t^of^Colum^b^ia^{, 1}¹⁰^C^ong^.⁽^F^e^b^.^1,²⁰⁰⁷⁾^.
⁵^Se^e^,^Ma^r^k^le^Fou^nda^ti^on^,^T^h^e^C^o^nne^c^tin^{g f}^o^r^H^e^alt^h^C^o^m^m^o^{n Fr}^a^m^e^w^or^k^:^O^v^e^r^vⁱ^e^w^and^Pr^incⁱ^p^l^e^s^,
^http:^//w^w^w^.c^onne^c^ting^f^or^he^a^lth.^o^r^g^/c^om^m^oⁿ^f^r^a^m^e^w^o^r^k^/^doc^s^/^O^v^e^r^vⁱ^ew^.pdf^.
⁶^Ameri^can^Heal^t^h^In^f^o^rm^atⁱ^oⁿ^M^aⁿ^a^ge^men^t^A^sso^ci^atⁱ^oⁿ^,^Am^eri^c^aⁿ^M^e^dⁱ^cal^Iⁿ^f^o^rm^atⁱ^c^s^Asso^ci^atⁱ^oⁿ^,^T^h^{e V}^a^l^u^e^o^f
^Pe^r^s^{onal H}^e^a^lth^Re^c^o^r^d^s⁽^F^e^b^r^u^a^r^y²⁰⁰⁷⁾^{. R}^e^tr^ie^v^e^{d o}ⁿ²⁰^07-^10-⁰⁹^{. h}^ttp:^//w^w^w^.a^him^a^.or^g^/dc^/^pos^iti^ons^/^doc^um^eⁿ^ts^/
⁽^c^onti^nue^d.^..)

An electronic personal health record is a database of medical information collected and
maintained by an individual.
^In^{a pers}^on^al^EH^R^(PH^R^{) m}^odel^,^patⁱ^eⁿ^t^s^{are t}^h^{e dom}ⁱⁿ^aⁿ^t^man^a^g^e^rs^aⁿ^{d cu}^s^t^odi^aⁿ^s^o^f^t^h^ei^r
^electronⁱ^c^m^e^dical^records^.^Th^e^{record con}^s^is^t^s^of^inf^o^r^m^at^ioⁿ^fi^el^dsⁱⁿ^t^o^w^hⁱ^c^{h dat}^a^are
^en^t^e^{red ei}^t^h^{er by}^t^h^{e pat}ⁱ^eⁿ^t^or^t^h^roug^h^dat^a^ex^port^,^or^m^aⁿ^a^{ged by}^t^h^{e pat}ⁱ^eⁿ^t^f^r^o^m^records
^m^aⁱⁿ^taiⁿ^ed^b^y^th^{e p}^a^tieⁿ^t^’^s^p^h^y^s^iciaⁿ^.^Oⁿ^{e P}^H^R^m^o^d^e^l^h^a^s^p^a^tien^t^s^su^b^s^cr^ibⁱⁿ^g^to^a^w^e^b^-
^bas^e^{d s}^e^rvⁱ^{ce t}^h^at^assⁱ^st^s^t^h^e^mⁱⁿ^col^l^ectⁱⁿ^g^dat^a^f^r^o^m^on^{e phys}ⁱ^cⁱ^aⁿ^aⁿ^{d t}^h^en^di^s^s^e^mⁱⁿ^a^tⁱⁿ^g
ⁱ^t^t^o^ot^h^e^rs^{. T}^h^{e “}^C^on^tⁱ^nuⁱ^t^y^of^C^a^{re” record}^pro^pos^{ed by}^th^e^Am^ericaⁿ^A^cade^m^y^o^f^Fa^mⁱ^l^y
^P^h^y^s^icia^ns^as^{a s}^t^aⁿ^{dardized f}^o^rm^o^f^s^u^mm^ar^{ized electron}ⁱ^c^records^w^o^u^l^{d be a con}^v^eⁿⁱ^eⁿ^t
^dat^a^m^odel^.^Wi^t^h^{a fu}^l^l^y^person^al^EH^R^sy^s^t^e^m^{, on}^l^y^t^h^{e con}^s^um^{er can}^do^wⁿ^l^o^{ad, v}ⁱ^e^w^,
^com^bⁱⁿ^{e, or pr}^oces^s^{all h}ⁱ^s^records^.^P^a^tien^t^s^w^o^u^l^{d th}^eⁿ^{be able to ch}^oos^{e w}^h^ich^records^or
^part^s^of^records^t^h^ey^w^o^u^l^{d export}^.^Ex^po^rt^{ed rec}^o^rds^c^o^u^l^{d b}^e^provⁱ^d^ed^on^a^r^e^a^d^-^oⁿ^l^y^b^a^sⁱ^s^,
^prot^ectⁱⁿ^g^ag^aiⁿ^s^t^al^t^e^ratⁱ^oⁿ^{or en}^t^r^y^of^addi^tⁱ^oⁿ^a^l^m^a^t^e^rⁱ^a^l^.^E^m^pl^oy^e^r^s^,^h^o^s^pⁱ^t^a^l^s^y^s^t^em^s^,^aⁿ^d
^EMR^v^eⁿ^dors^{are als}^o^r^o^llin^g^ou^{t hy}^brid^m^odels^t^h^{at en}^able^web-^bas^e^{d acces}^s^f^o^r^p^a^tⁱ^eⁿ^t^s^t^o
^p^o^r^tⁱ^o^{ns o}^f^t^h^eⁱ^r^r^e^c^o^r^d^{s fo}^r^p^e^rsoⁿ^a^l^he^a^l^t^h^m^oⁿⁱ^t^o^riⁿ^g^.^Fu^t^u^r^e^m^odel^s^cou^l^{d m}ⁱ^mⁱ^c^pers^on^al
^fi^na^ncⁱ^a^l^m^a^na^ge^me^nt^so^ft^w^a^r^e^suc^h^a^s^Iⁿ^t^uⁱ^t^’^s^Q^uⁱ^c^ke^{n o}^r^Mⁱ^c^r^o^s^o^f^t^’^{s M}^o^ne^y^.^[^cⁱ^t^a^tⁱ^o^ns⁸
^o^m^itted^]
Various types of EPHRs are offered by commercial suppliers (e.g., Microsoft); health care
providers (e.g., the Department of Veterans Affairs); the federal government (e.g., HHS); health
insurers; employers (e.g., Wal-Mart); employer consortiums (e.g., Dossia Health Care); medical
websites (e.g., WebMD); and patient advocacy groups for cancer patients, children with special ⁹
health needs, adults with disabilities, and health and weight management patients.
An EPHR may be web-based or in a database created on the patient’s own computer. EPHRS are
maintained in electronic mediums. Three types of electronic personal health records exist:
^{(1) a p}^r^ov^ider-^o^wⁿ^{ed a}ⁿ^{d prov}^ider-m^aiⁿ^t^aiⁿ^e^{d di}^g^ital^su^m^m^a^r^y^o^f^cliⁿ^icall^y^r^e^le^v^aⁿ^t^h^e^a^lth
ⁱⁿ^f^o^r^m^atioⁿ^m^a^d^e^a^v^ailab^l^{e t}^o^p^a^tien^t^s^;⁽²⁾^{a p}^a^tieⁿ^t^-^o^wⁿ^e^d^so^f^t^w^a^r^e^p^r^o^g^r^a^m^th^at^let^s
ⁱⁿ^divⁱ^d^u^als^eⁿ^{ter, org}^aⁿⁱ^{ze a}^{nd retriev}^e^th^{eir o}^wⁿ^h^ealt^h^inform^at^ion^an^{d t}^h^{at captu}^re^s^th^e
^patien^t^’^s^con^cerns^{, problem}^s^,^s^y^m^p^to^m^s^{, e}^m^erg^eⁿ^c^y^coⁿ^t^ac^{t in}^f^o^r^m^ation^,^{etc.; an}^{d (3)}^a

^(...c^on^tin^ue^d)
^Mic^r^os^of^tW^or^d-^A^H^I^M^A^-^A^M^I^A^PH^R^S^ta^tem^e^nt-^f^ina^l^2-²⁰⁰^7.^pdf^.
⁷^S^ee,^H^o^w^t^o^C^h^oos^e^{a PH}^R^Su^pp^lie^r^{, a}^t^htt^p^://w^ww^.^m^y^phr.c^o^m^/^r^e^s^ourc^e^s^/phr^_se^a^r^c^h^.a^sp.
⁸^T^e^rr^y^,^Ni^ch^o^l^{as P}^.^;^F^r^an^ci^s,^L^e^slⁱ^e^P^.^,^Eⁿ^surin^g^t^h^e^Priv^ac^y^aⁿ^d^C^onfi^d^eⁿ^ti^ality^{of E}^l^e^c^t^ronic^He^alt^h^Re^c^o^rds^{; 20}⁰⁷
^U^.^I^{ll. L}^.^R^e^v^.⁶^81,⁷^{21 (}²⁰⁰⁷⁾^.
⁹^Se^e^,^htt^p^://w^ww^.he^a^lthv^a^ult.c^o^m^{/; htt}^p^://w^ww^.^c^a^p^m^e^d.c^o^m^{/; http:/}^/www^.iHe^a^lthRe^c^o^rd.c^om^/;
^https:/^/^www^.^m^y^m^e^d^ic^a^l^re^c^o^rds.c^o^m^/^logⁱ^n.^{jsp; htt}^p^://w^ww^.^m^y^h^e^a^l^t^h^.v^a^.^g^o^v^;^http^://w^ww^.hhs.g^ov^/^f^a^m^il^y^h^istor^y^/;
^http:^//w^w^w^.drine^t.c^o^m^/^bc^bs^a^.^htm^;^htt^p^s^://m^em^be^rs^.k^aⁱ^s^e^rpe^r^m^a^ne^nte^.^org^/^k^p^w^e^b/^js^p/^f^e^a^t^ure^/^a^bout^/
^a^bout^_y^ourhe^a^lth.^j^s^p^{; htt}^p^://w^w^w^.^w^a^l^m^a^r^tfa^c^t^s^.^c^o^m^/^Fa^c^t^She^e^t^s^/^D^o^s^sⁱ^a^_^H^e^a^lth_Ca^r^e^.^pdf^{; htt}^p^://w^w^w^.dos^sⁱ^a^.^org^/^hom^e^;
^a^{nd h}^ttp:^//w^w^w^.^w^e^b^m^d^.c^om^/^phr^.

^p^o^r^tab^l^{e, in}^ter^o^p^e^r^a^b^l^{e d}ⁱ^g^ital^f^ileⁱⁿ^w^h^ic^h^se^lected^{, cli}ⁿ^ical^l^y^r^e^le^v^aⁿ^t^h^ealt^h^d^a^ta^can^b^e¹⁰
^m^aⁿ^a^g^e^{d, s}^e^c^u^{red an}^{d t}^r^an^sf^erred.
This varies widely and depends on the data elements in the EPHR. Information in an EPHR may
include personal identification, including name and birth date; emergency contacts; names,
addresses, and phone numbers of physicians, dentists, and specialists; health insurance
information; living wills, advance directives, or medical power of attorney; organ donor
authorization; a list and dates of significant illnesses and surgical procedures; current medications
and dosages; immunizations and their dates; allergies or sensitivities to drugs or materials;
important events, dates, and hereditary conditions in the family history; results from a recent
physical examination; opinions of specialists; important test results; eye and dental records;
correspondence between the patient and the provider(s); educational materials; and any other
information the patient wishes to include.
Commercial vendors “allow a patient to enter personal data into a record that is maintained by the
web site,” whereas health care providers generally “permit an individual to read their medical ¹¹
record, review test results, and submit health information.” The patient may add supplemental
medical information to the EPHR (e.g., social history, reproductive history, sexually transmitted
disease history, alternative treatments, appointments, claims data along with clinical care,
pharmaceutical, and laboratory records).
Each supplier may have different policies and practices regarding how they may use data they
store for the individual. HIPAA-covered entities are required to provide a Notice of Privacy
Practices describing the uses and disclosures that the covered entity is permitted to make for
treatment, payment, and health care operations, a description of each of the other purposes for
which the covered entity is permitted or required to use or disclose protected health information
(PHI), and a statement that other uses and disclosures will be made only with the individual’s
written authorization. Non-HIPAA covered entities that offer EPHRs are not bound by the HIPAA
Privacy Rule. Other laws may apply such as state medical confidentiality laws, federal and state
consumer protection laws, federal and state unfair trade and deceptive practices laws, information
security laws, Gramm-Leach-Bliley (when EPHRs are offered by financial institutions including
insurance companies), state security breach notification laws, and contract law.

¹⁰^S^ee,^Am^eri^c^an^A^c^ad^e^m^y^o^f^F^a^mⁱ^l^y^P^h^y^sⁱ^cⁱ^aⁿ^s^,^{An I}ⁿ^tr^o^duc^ti^on^to^Pe^r^s^{onal H}^e^a^lth^Re^c^o^r^d^s^,^avai^l^a^bl^{e at}
^http:^//w^w^w^.a^af^p.or^g^/^f^p^m^/²⁰⁰⁶⁰⁵^00/^57aⁿⁱ^n.^htm^l^.
¹¹^J^o^y^L^.^P^rⁱ^tts^,^H^e^alt^h^an^{d t}^h^e^N^a^ti^ona^{l I}ⁿ^for^m^at^io^{n I}ⁿ^fr^as^tr^uc^tur^e^a^{nd t}^h^e^N^H^I^I^Pe^r^s^oⁿ^a^{l H}^e^a^{lth D}ⁱ^m^e^ns^ion^:^Heariⁿ^g
^Be^f^o^re^the^Na^tiona^{l Com}^m^itte^e^on^V^ita^{l a}ⁿ^{d He}^a^lth^Sta^tistic^s^be^f^o^re^the^Na^tiona^l^He^a^lth^Inf^o^rm^a^tion^Inf^r^a^s^truc^ture
^W^o^rk^g^r^{oup, (J}^aⁿ^.²²^{, 2}⁰⁰³^{), a}^v^aⁱ^l^a^ble^a^t^htt^p^://i^hc^rp.g^e^o^rg^e^t^ow^n.e^d^u/^priv^a^c^y^/^pdf^s^/^pritts^nc^v^s^h1⁰³⁰⁰²^.^pdf^.

The HIPAA Privacy Rule and the HIPAA Security Rule are applicable to the privacy and security ¹²
of EPHRs. HIPAA was enacted primarily to “improve portability and continuity of health ¹³¹⁴
insurance coverage in the group and individual markets.” Part C of HIPAA requires the
development of a health information system through the establishment of standards and ¹⁵
requirements for the electronic transmission of certain health information. HIPAA-covered
entities—health plans, health care clearinghouses, and health care providers who transmit
financial and administrative transactions electronically—are required to use standardized data ¹⁶
elements and comply with the national standards. Failure to comply may subject the covered
entity to civil or criminal penalties.
HIPAA also addressed the privacy of individually identifiable health information and required ¹⁷
adoption of a national privacy standard. HHS issued final Standards for Privacy of Individually ¹⁸
Identifiable Health Information, known as the Privacy Rule, on April 14, 2003. The HIPAA
Privacy Rule is applicable to health plans, health care clearinghouses, and health care providers
who transmit financial and administrative transactions electronically. The rule regulates protected ¹⁹
health information that is “individually identifiable health information” transmitted by or ²⁰
maintained in electronic, paper, or any other medium. The definition of PHI excludes
individually identifiable health information contained in certain education records and
employment records held by a covered entity in its role as employer.
The HIPAA Privacy Rule limits the circumstances under which an individual’s protected health
information may be used or disclosed by covered entities. A covered entity is permitted to use or
disclose protected health information without patient authorization for treatment, payment, or ²¹
health care operations. For other purposes, a covered entity may only use or disclose PHI with ²²
patient authorization subject to certain exceptions. Exceptions permit the use or disclosure of
PHI without patient authorization or prior agreement for public health, judicial, law enforcement, ²³
and other specialized purposes. In certain situations that would otherwise require authorization,

¹²^P^.^L.¹⁰⁴^-¹⁹^1,¹¹^{0 S}^t^at^{. 19}³⁶⁽¹⁹⁹⁶⁾^,^c^odi^fie^{d i}ⁿ^par^t^a^t⁴²^U^.^S.C^.^{§§ 13}²⁰^d^et^seq^.
¹³^H^.^R^e^pt.¹⁰^4-⁴^96,^a^t¹^,⁶⁶^-⁶^7,^re^p^r^inte^dⁱⁿ¹⁹⁹⁶^U.S^.^C^.^C^.^A^.^N.¹⁸⁶⁵^,¹⁸⁶⁵^-⁶⁶^.
¹⁴^{42 U}^.^S.C^.^§^§¹³²^0d-¹³²⁰^d-⁸^.
¹⁵⁴²^U^.^S.C.^§^§¹³²⁰^d^-²⁽^a)-(f^{). (Natio}ⁿ^a^{l sta}ⁿ^d^a^rd^{s f}^o^{r tra}ⁿ^sactioⁿ^s^t^o^en^ab^{le t}^h^{e electro}ⁿⁱ^{c ex}^ch^an^g^e^o^f^h^ealth
^inf^o^rm^a^{tion, un}^iq^ue^ideⁿ^tif^ie^{rs, c}^ode^se^{ts, se}^c^u^rity^{, e}^l^e^c^t^r^onic^sⁱ^gⁿ^a^tur^e^s^,^a^nd^tr^aⁿ^s^f^e^r^of^inf^o^r^m^a^{tion a}^m^ong^he^a^lth
^plaⁿ^s^.⁾
¹⁶^{42 U}^.^S.C^.^§¹³²⁰^d-⁴⁽^b)^.
¹⁷^H^I^P^A^A^r^e^quir^e^{d a}^pr^iv^a^c^y^s^t^a^ndar^d^tha^t^w^{ould a}^d^dr^e^s^s^the^rⁱ^g^h^t^s^o^f^the^s^ubje^c^t^ofⁱⁿ^divⁱ^dua^lly^ideⁿ^ti^fⁱ^a^b^le^he^a^lth
^inf^o^r^m^a^{tion, the}^p^r^oc^e^dur^e^s^e^s^ta^b^lis^he^{d f}^o^r^t^h^e^e^x^e^r^cⁱ^s^e^of^s^u^c^h^rⁱ^ghts^,^aⁿ^{d a}^u^t^hor^iz^e^d^or^r^e^quir^e^{d us}^e^s^a^{nd dis}^c^l^o^s^u^r^e^s
^of^suc^h^inf^o^rm^a^tion.^P^.^L^.¹⁰^4-1⁹¹^,^T^itle^{II, §}²⁶^{4, A}^u^g^.²¹^,¹⁹^96,¹¹⁰^Sta^t^.²⁰^33,⁴²^U.S.C^.^§¹³²^0d-^{2 (n}^ote⁾^.
¹⁸^{45 C}^.^F.R^.^P^a^r^t¹⁶^{4 S}^u^b^p^a^r^{t E—}^P^r^iv^a^c^y^of^I^ndivⁱ^dua^lly^I^d^eⁿ^tif^ia^ble^H^e^a^{lth I}ⁿ^f^o^r^m^a^tion.
¹⁹^{45 C}^.^F.R^.^§¹⁶^0.¹⁰^3.
²⁰^S^ee^So^uth^C^a^r^o^lin^{a M}^e^dic^a^l^As^s^o^c^.^v^.^T^hom^ps^on^,³²⁷^F.^3d³⁴^{6 (}⁴^th^Cⁱ^r^.²⁰⁰³⁾⁽^H^I^P^A^A^c^{ould be}ⁱⁿ^te^r^p^r^e^te^{d t}^o
ⁱⁿ^cl^ud^{e n}^oⁿ^-^el^ect^roⁿⁱ^{c m}^e^dⁱ^cal^re^co^rd^s).
²¹^{45 C}^.^F.R^.^§¹⁶^4.⁵⁰^6.
²²^{45 C}^.^F.R^.^§¹⁶^4.⁵⁰^8.
²³⁴⁵^C^.^F.R.^§¹⁶⁴^.⁵¹²⁽^a)-(l).

a covered entity may use or disclose PHI without authorization provided that the individual is ²⁴
given the opportunity to object or agree prior to the use or disclosure.
The HIPAA Privacy Rule also provides for accounting of certain disclosures;²⁵ requires covered
entities to make reasonable efforts to disclose only the minimum information necessary; requires ²⁶
most covered entities to provide a notice of their privacy practices; establishes individual rights ²⁷
to review and obtain copies of protected health information; requires covered entities to
safeguard protected health information from inappropriate use or disclosure; and gives
individuals the right to request changes to inaccurate or incomplete protected health ²⁸
information.
The HIPAA Privacy Rule would govern the use and disclosure of the EPHR to the extent that the
supplier of the EPHR is a HIPAA-covered entity and the information contained within the EPHR ²⁹
is “protected health information” as defined in the rule. The rule defines a covered entity as
health plans, health care clearinghouses, and health care providers who transmit certain
transactions electronically. As noted above, a variety of suppliers offer EPHRs, some of which ³⁰
would be considered a “covered entity” for purposes of the rule. Moreover, the information
typically included within an EPHR would appear to consist of the kind of “individually
identifiable health information” encompassed by the rule. As noted earlier, EPHRs generally
include information collected from an individual that is created or received by a covered entity
that relates to the individual’s health or condition, health care treatment or payment, and that
identifies the individual. For example, information in an EPHR typically includes contacts,
names, addresses, and phone numbers; health insurance information; advance directives; lists and
dates of significant illnesses and surgical procedures; medications and dosages; immunizations;
allergies; family history; physical examination results; opinions of specialists; tests results; eye
and dental records; and correspondence. When the supplier of the EPHR is a HIPAA-covered
entity, information in the EPHR would likely be deemed protected health information.
Where HIPAA does apply, supplemental personal information added by the individual to the
EPHR would also become protected health information available for use or disclosure by the
covered entity pursuant to the rule. Suppliers of EPHRs that are governed by the rule are
permitted to use and disclose the EPHR for treatment, payment, and health care purposes without
patient authorization. They are required to allow patients to request restricted use and disclosures
of the EPHR. They are also required to obtain patient authorization to use or disclose the EPHR
for many other purposes.
Note also that EPHRs provided by covered entities would also be subject to the HIPAA Security
Rule. This rule requires covered entities to maintain administrative, technical, and physical

²⁴^{45 C}^.^F.R^.^§¹⁶^4.⁵¹^0.
²⁵^{45 C}^.^F.R^.^§¹⁶^4.⁵²^8.
²⁶^{45 C}^.^F.R^.^§¹⁶^4.⁵²^0.
²⁷^{45 C}^.^F.R^.^§¹⁶^4.⁵²^4.
²⁸^{45 C}^.^F.R^.^§¹^64.⁵²^6.
²⁹^Se^e^s^upr^a^f^ootn^o^te^11.
³⁰^Co^mm^er^ci^al^su^p^p^lⁱ^e^{rs (}^e.^g^.^,^Mic^r^osof^{t a}^{nd W}^e^bMd)^aⁿ^d^he^a^lthc^a^r^e^prov^ide^r^{s w}^ho^doⁿ^o^{t b}^{ill e}^l^e^c^t^ro^nic^a^lly^f^o^{r the}ⁱ^r
^s^e^r^v^ic^es^{, pe}^r^s^ona^l^he^a^{lth r}^e^c^o^r^d^s^pr^ov^ide^r^s^w^ho^pr^ov^ide^s^e^r^v^ic^e^s^di^r^e^c^t^l^y^{to pa}^tie^nts^,^aⁿ^d^r^e^gⁱ^ona^l^he^a^{lth inf}^o^r^m^a^tion
^o^r^ganⁱ^zatⁱ^oⁿ^s^{(RHIOs) are no}^t^con^sⁱ^d^ered^“co^vered^en^tⁱ^tⁱ^e^s”^a^{nd t}^h^e^r^ef^or^e^w^{ould n}^o^t^be^s^ubje^c^t^t^o^t^h^e^H^I^P^A^A^P^r^iv^a^c^y
^Ru^le.^Se^e^Kⁱ^rk^J^.^N^a^ha^ra^,^T^h^{e Hea}^l^t^h^c^a^{re P}^rⁱ^v^a^{cy Deb}^a^t^{e Hea}^t^{s U}^p^,^T^h^e^P^rⁱ^v^acy^A^d^vi^so^{r 3}^(S^ep^.²⁰⁰⁷^).

safeguards to ensure the confidentiality, integrity, and availability of electronic protected health
information the covered entity creates, receives, maintains, or transmits. The purpose of the
requirements is to protect against any reasonably anticipated threats or hazards to the security or
integrity of such information, as well as to protect against any unauthorized uses or disclosures of ³¹
such information.
^Gin^a^{Marie Ste}^v^ens
^L^e^gⁱ^s^l^at^iv^{e A}^t^torn^e^y
^g^s^t^e^v^eⁿ^s^@^c^rs^.l^oc.g^ov^{, 7}^-²⁵⁸¹

³¹^{45 C}^.^{F. R}^.^P^a^r^t^s¹⁶^{0 a}ⁿ^{d 1}⁶⁴⁽^s^u^bpa^r^t^s^A^,^C⁾^{. Se}^e^C^R^S^R^e^p^o^r^t^R^L³⁴¹²⁰^,^Fe^de^r^a^{l I}ⁿ^f^o^r^m^ati^oⁿ^Se^c^u^r^ity^an^{d D}^a^t^a
^Bre^a^c^h^Noti^fic^ati^oⁿ^Laws^,^b^y^Gⁱⁿ^a^M^a^ri^{e S}^t^even^s.