Austin, TX - Patient Privacy Rights (PPR), the nation's leading health privacy watchdog, released its first Personal Health Record (PHR) Privacy Report Card today. Designed to educate and protect consumers, the Report Card is available online at Our assessment of five different PHRs found a wide range of existing privacy policies; some PHRs protect our right to control who can see and use health information, and others do not.

"The good news is there are companies that offer meaningful ways to control your private information," said PPR's Executive Director, Ashley Katz. Some PHRs only share your information with your explicit permission. Some allow you to segment, or "lock up," extra-sensitive information so it can only be seen by those you permit. Some offer easily accessible reports of who saw and used your information, when and why.

"The bad news is other companies do not allow patients to control their PHRs. That is a scary thing when you consider that PHRs can store sensitive health information as well as lifestyle habits such as what you eat, how much you drink, and how often you exercise," said Katz. This information can easily get into the wrong hands, especially if your PHR is offered by an employer or insurer. "All PHRs claim to be 'patient-centric' and claim that 'privacy is important,' but it's simply not true."

PPR devoted a great deal of time to wading through policies, websites and applications, recognizing that few busy people have the time or expertise to do in-depth evaluations or compare the differences between PHRs. Most people see the words "privacy policy" and think it means their privacy is protected. That couldn't be further from the truth.

PPR makes no recommendations on specific PHRs. The Report Card is our opinion based on the information available on these companies' websites.

PPR graded the following PHRs:
CapMed's ICE PHR -> C
NoMoreClipboard -> A
WebMD's -> C

PPR also graded the following platforms that incorporate PHRs:
Google Health -> D (Platform), F (Partners)
Microsoft HealthVault -> B (Platform), F (Programs)

Detailed grades and commentary are available on the website,

Two grades were given to Google Health and Microsoft HealthVault, products we refer to as "Platforms." Google Health's and Microsoft HealthVault's privacy policies apply only to their Platform, not to any of the companies linked to their Platform. For example, while the Platform may require the individual's consent before disclosing any data, a third party such as another PHR, a diabetes tracking tool or a research search engine does not necessarily play by the same rules.

One grade was given to the Platform itself and another grade was given to the programs and partner applications linked to the Platform, to highlight the differences between the applicable policies. The programs and partner applications for each Platform were treated as one group. There are simply far too many different programs/partners for PPR to grade each individually. As such, we took a random sampling of these programs/partners. The grade for these groups of companies (an "F" for both Google Health partners and Microsoft HealthVault programs) does not mean that all of the third-party companies failed. Rather, some of the companies randomly selected scored poorly because they do not allow meaningful patient control over their information. Note that is a PHR available on both platforms and it earned an "A".

We also note that if the Program or Partner application is "HIPAA compliant," it can use any information provided from your account for "treatment, payment and health care operations" without getting your express consent. This does not give the individual control over their private, sensitive information. Most people have no idea how broad those three categories actually are.

A detailed FAQ is available with the Report Card online:

The FAQ covers the following questions:

What is a PHR?
What is a platform?
How did you grade these PHRs?
Will you allow vendors to respond to these grades?
Have you received any money from these vendors?
What laws protect PHRs?
Should you use a PHR?
How can a PHR harm me?
Why is "anonymous", "de-identified", or "aggregate" data a problem?

What can be done?

1. The public needs to wake up and pay attention. Our personal health information is everywhere and being passed from one company to the next, without our permission or knowledge. If we don't demand control, we will lose it forever.
2. We need federal laws that make Fair Information Practices the rule for all health information. Data shared for one purpose should be used solely for that purpose unless the patient gives consent for any new use. No single piece of data should be allowed to go to an employer, insurer or other entity without patient permission.
3. Laws alone will never be enough; technology will continue to evolve. Consumer watchdogs like Patient Privacy Rights need your support to shine light on how your health information is used and misused.
4. With public awareness, federal protections and consumer watchdogs on the lookout, industry can be pressured to restore our rights to health privacy and compete based on whether their systems or products offer the most protections and give individuals the greatest degree of control over their data.

About Patient Privacy Rights:

Patient Privacy Rights is the nation's leading health privacy watchdog. Our mission is to ensure the right to control your medical privacy to protect jobs and opportunities. Patient Privacy Rights has over 10,000 members in all 50 states. We lead the trans-partisan Coalition for Patient Privacy representing over 10 million Americans.