So far, the public has yet to embrace personal health records, or PHRs, in part because the main push to promote them appears to be from health plans and employers. The problem with this approach was illustrated by a 2005 California HealthCare Foundation survey, which found that 52 percent of the respondents were worried about employers using medical information to limit job opportunities (up from 36 percent in the 1999 survey).
According to Edward Fotsch, CEO of personal health record provider Medem, the key is to have a record provided by a trusted third party—a patient’s physician. Physicians, however, have been wary of personal health records because of uncertainty about their effect on workflow and legal liability.
Nicolas Terry, co-director of the St. Louis University School of Law’s Center for Health Law Studies, says today’s doctors are becoming familiar with the "online patient," and these patients will become familiar with personal health records. According to Terry, an online patient is one who comes into a doctor’s office and says, "This is what I have, I need you to fix it, and I need this drug."
Terry and Steven Waldren, director of the American Academy of Family Physicians’ Center for Health Information Technology, also say trusting the data and liability concerns related to that information are big issues.
Paper records may contain loads of extraneous data and they are harder for patients to edit, Waldren says, while it is easier to hide information from physicians in electronic formats.
"With the current tort system, physicians are very concerned about liability, even when they do the right thing," Waldren says, so along with standardization, legal issues concerning privacy have to be worked out before personal health records will get wider use.
"Do patients have the right to delete something from a PHR?" he says. "If they do, do they have to notify physicians that something is missing?"
Waldren adds, however, that he’s not aware of any specific liability discussions regarding personal health records, and if there are any, they are a small part of general discussion concerning liability and tort reform.
While Terry acknowledges similarities between the patient using personal health records and the one who comes to a doctor’s office armed with manila folders filled with computer printouts and documents, the two aren’t the same.
"It’s certainly new territory for us all," he says. "I can certainly understand why doctors could have some apprehension on a very intuitive level."
Terry says personal health records create new business, technical, clinical and legal issues, and a lot of this is because it upsets the traditional model in which physicians were undisputed owners of patients’ health records.
Few policies exist on personal health record ownership and control of the data.
The Altarum Institute, based in Ann Arbor, Michigan, reviewed 30 publicly available PHR privacy and security policies and in January presented a report to the consumer empowerment work group of the American Health Information Community, an advisory panel to the U.S. Department of Health and Human Services. The analysis found that personal health record providers have little to say about disclosure of secondary uses of data, pay little attention to ownership of data after a business relationship is ended, don’t define essential legal terms such as "personal health information" or "de-identified" patient information, and don’t have formal mechanisms to enforce written policies.
Some experts have recommended letting market forces work to resolve issues and have counseled against mandating policies and standards because they fear it will stifle innovation.
But Peter Basch, medical director for e-health at MedStar Health system in Washington, thinks a lack of guidance has hurt the market.
"Bad policy can be fixed; no policy makes me nervous," he says. "I’m troubled by the idea that ‘things will work themselves out.’ "
Terry also says federal privacy regulations contained in the Health Insurance Portability and Accountability Act of 1996 have not kept pace with technology, adding that what’s needed is a global privacy standard that is applicable wherever health care information is stored. But the tricky part is finding the political will to open the HIPAA black box, he says.
Geoffrey Gifford, a partner and founder of the Chicago-based law firm Pavalon, Gifford & Laatsch, says basic legal standards apply whether the patient brings in a box of paper files or a disk filled with irrelevant data.
"I think the rules are still the same," says Gifford, an attorney specializing in medical negligence and product liability. "The standard of care is the standard of care, whether it’s electronic records or paper. You have a duty to look at them if the records are pertinent to the treatment you’re rendering."
The records don’t need to be memorized, but they should be scanned for information relevant to the purpose of the patient’s visit to the doctor’s office, he says.
"Not to do that would be a deviation from the standard of care if the physician needs the information and it’s available with a reasonable effort in a reasonable amount of time," Gifford says.
Lonny Reisman, an internist and cardiologist, is the founder and CEO of ActiveHealth Management, a health management and data analysis company that launched its own personal health record in January called MyActiveHealth. Reisman says common sense still applies.
"Having information presented in a PHR doesn’t present a higher risk than not asking the right question or not checking results of a test that you asked for," he says.
Fotsch says many issues have already been worked out by liability carriers, medical societies and state medical boards that developed the eRisk Guidelines. While the guidelines are comprehensive, it’s also noted that they "are not meant as legal advice and clinicians are encouraged to bring any specific questions or issues related to online communication to their legal counsel."
Debra McBride, vice president of Aon Risk Services of Minnesota, a division of Aon Healthcare, which advises hospitals on risk management issues, doesn’t think a physician’s risk is increased when they accept a personal health record, and that physicians should not be afraid to ask their patients, "What’s important in here and why is it important to you?"
"It’s the same risk as having a banker’s box of medical records from the Mayo Clinic," says McBride, who is also an attorney and a registered nurse. "They shouldn’t be afraid of the information. Plus, they’re not receiving it in a vacuum; they’re getting it from a patient who’s sitting in front of them. Ask for some guideposts."
She says physicians should view a patient’s involvement in his or her health care as something positive, and that "having a patient hand you information" will be happening more frequently.
Fotsch says that was something he rarely experienced during his years as an emergency room physician, ending in the early 1990s.
"I saw 10,000 ER patients, and I can remember on one hand the number of patients who had any documented information when they came in," he says.
Fotsch says much of the confusion surrounding personal health records stems from a misunderstanding of what they are.
"A disk with a mishmash of information is not a PHR, because I could call my dog a Ferrari if I wanted to, but that doesn’t make him one," Fotsch says. "A personal health record is, by definition, an online collection of structured data."
The American Health Information Community, a federal advisory body chartered in 2005 to make recommendations to the U.S. secretary of health and human services on how to accelerate the development and adoption of health information technology, has recommended that the agency adopt standards on medication history, registration information and technical specifications for moving data. But those standards have not been adopted yet.
While agreeing that standards are needed, Waldren, of the American Academy of Family Physicians, disagrees that personal health records need to be Web-based. Although he says Web-based models will eventually dominate the field, Waldren says there are desktop personal health records available "that are network-able."
But Fotsch wonders if the models mentioned by Waldren allow secured online communication between physicians and patients. Without that, Fotsch says, a personal health record is like an ATM with no money that only allows you to check your balance.
Fotsch says a personal health record should resemble a continuity of care record or continuity of care document—two vetted and accepted formats for transmitting basic patient-care data. The personal health records should have defined fields where particular types of data are entered and displayed, and they also should feature a secure e-mail connection between patient and physician.
"There’s a structure around a personal health record," Fotsch says. "So, if you say you accept a personal health record, you know what you’re accepting."
Along with all the other clinical, business and liability concerns, Fotsch says, physicians should be concerned with computer viruses infecting patients’ disks, adding that "our IT department would string us up" if outside disks were routinely introduced to the computer system.
In terms of physicians being liable for information in a personal health record, Fotsch says, physicians need to establish ground rules with their patients ahead of time.
"If I’m a physician and I offer you a PHR and you make changes on your own—or you go to some other doctor who makes changes—and I call in a wrong prescription, am I liable?" Fotsch asks. "No, I’m not, but only if—when I issued the personal health record—I set the rules of the road that I need to be notified of changes. You don’t say to a patient, ‘Here’s a bottle of medicine. Good luck.’ "
Personal health records primarily eliminate telephone tag and the waiting-room pop quiz where patients receive a form attached to a clipboard and attempt to reconstruct their medical history by memory, Fotsch explains. Instead of fearing personal health records, Fotsch says physicians should welcome them.
"What they should be frightened of is basing medical care on information that patients happen to remember and scribble down on a piece of paper," he says. "But that’s the standard of care."
Medem’s iHealthRecord is offered to patients through their doctors. While health plans and employers are offering their members and employees personal health records, Fotsch says the adoption of these products has been low because patients are concerned that the information these personal health records contain may somehow be used against them to deny either medical treatment or a job.
"Do you want to give this information to the people who would raise your rates?" Fotsch asks. "It’s like getting a form from your car insurance company saying, ‘Write down how often you speed.’ "
Even when records are offered by physicians, interest is still low, says Joseph Heyman, a gynecologist and American Medical Association trustee.
"I have some patients using it, but not that many," he says, adding that there has not been an overwhelming business case supporting the use of personal health records.
Reisman says part of the problem may lie in the origins of electronic medical record systems. When they were being developed in the 1990s, he says, the focus was on improving efficiency, not on boosting quality and safety.
"I’m not sure there’s been much input from physicians on PHRs," he says.
Internist Dr. Michael Zaroukian, chief medical information officer at Michigan State University, agreed, noting that a lack of a business case and scant clinical evidence supporting the use of personal health records has led to physician indifference.
"What providers are saying is either nothing, because they don’t see it on their horizon, or it’s one more thing they have to do that they don’t get paid for," he says. "[PHRs] have the potential, if used correctly, to improve care, but just because they could doesn’t mean they will."