What PHR Should I Use? It’s Complicated.

Leslie Kernisan new headshotA friend called me the other day: he is moving his 93 year old father from New England to the Bay Area.

This is, of course, a relatively common scenario: aging adult moves — or is moved by family — to a new place to live.

Seamless transition to new medical providers ensues. As does optimal management of chronic health issues. Not.

Naturally, my friend is anxious to ensure that his father gets properly set up with medical care here. His dad doesn’t have dementia, but does have significant heart problems.

My friend also knows that the older a person gets, the more likely that he or she will benefit from the geriatrics approach and knowledge base. So he’s asked me to do a consultation on his father. For instance, he wants to make sure the medications are all ok for a man of his father’s age and condition.

Last but not least, my friend knows that healthcare is often flawed and imperfect. So he sees this transition as an opportunity to have his father’s health — and medical management plan — reviewed and refreshed.

This last request is not strictly speaking a geriatrics issue. This is just a smart proactive patient technique: to periodically reassess an overall medical care plan, and consider getting the input of new doctors while you do this. (Your usual doctors may or may not be able to rethink what they’ve been doing.) But of course, if you are a 93 year old patient — or the proxy for an older adult — it’s sensible to see if a geriatrician can offer you this review.

Hence my friend’s situation illustrates two common core healthcare needs that families of older adults often have:

To successfully manage a transition to a new team of medical providers.

To obtain a second opinion regarding a person’s health, chronic conditions, and the medical management plan. (For more on how this approach can can help patient assess the quality of their outpatient care, see this post.)
To address both of these needs, older adults and family caregivers need a good personal health record (PHR).

So, I find myself — yet again — on the hunt for a good PHR system to recommend to families.

As some might recall, I blogged about PHRs back in January. (See this post.)

And now the time has come for me to take another look at what’s out there for PHRs. Let’s see what people can recommend for these two family caregiver use cases.

Use Case #1: The family of an older adult with multiple chronic problems has not been collecting substantial health information. (As in, copies of the health information that doctors look at; I’m not talking about those patient visit summaries, which I find are barely of use.) The family is moving the aging parent across the country, and are requesting a comprehensive consultation.
Persnickety doctor (yours truly) sends them her list of medical information that they should bring to the first visit. Family needs to:
  • Obtain this information, much of which is currently in the hands of prior providers,
  • Organize it and keep it in a way that will facilitate care in the future,
  • Keep adding medical information to their repository in the future, in part because Dr. Kernisan has insisted that this will pay off for future healthcare needs.
Use Case #2: I am just going to paste the relevant comment right here, as I find it fascinating. In an earrlir post I listed a number of digital options for managing health information. However, the reader still felt a need to request additional advice. (The moral of the story: family caregivers will likely be asking doctors and others for advice. I assume this is because sorting through a lot of options on your own is tiring; that’s why people ask experts instead of figuring it all out on their own via Google.)

I’m a caregiver to my mother in that I go with her to all her doctor visits & keep a notebook (4 inches) that has all her doctors’ notes (5 in all), hospital visits/ER visits & tests. The notebook grew from a smaller one to the 4-inch one because during her last hospital visit, the doctors were asking me questions that I didn’t know the answers to & didn’t have that specific doctor’s records to help them. Believe me, I got on that right away while she was still in the hospital & it stayed with her at the hospital until she came home.

I also keep an updated list of her medications with allergies listed as well as a 3-page typed-out present, past medical, past surgical, family & social history.

There is a notebook-sized business card holder for her appointment cards.

My problem is now that that 4-inch notebook is becoming heavy to carry, but as sure as I put all the different dividers into individual notebooks & take that particular notebook with us to that particular doctor, he’ll want to know what one of the other doctors said or what the most recent tests showed & I won’t have that information. Is there something out there like a PDA or something where I scan the paper copies onto our home computer, then put the scanned copies on the device as well as a calendar in order to keep her appointments?

Like the idea above about putting a “please return to…” sign on the notebook; never thought about it getting lost.

Thanks for your help.

So to summarize this use case: an adult-child caregiver has been maintaining a personal health record on paper. She has decided that it’s in her mother’s interest for her to serve as health information exchange system. (Smart!) Her notebook is getting big and cumbersome, so she’d like to convert it to a digital repository. She finds providers are often interested in health information — including test results — from other providers.She needs to:

  • Convert her existing paper resources into a digital format,
  • Easily share content from the PHR with her mother’s various doctors,
  • Keep adding information to the PHR as her mother continues to see various providers.

What personal health record systems can you recommend?

I have a few PHR ideas for these two use cases, but I haven’t had time to research in depth since my last post on PHRs. So I am soliciting suggestions and recommendations from you, dear readers.

30 replies »

  1. “some people don’t trust the cloud and prefer to have sensitive information only in hand, the general trend seems to be for many to accept the risks of the cloud (which probably most don’t accurately understand) in exchange for convenience.”

    Indeed, many people trust the Cloud and, I guess if I were critically ill and the only option I had was to store my records in the Cloud, I’d do so, too. However, that ‘s not my only choice so I prefer to have them on my MedKaz.

    Despite the pleasant “image” the Cloud conjures up, it has two serious drawbacks. First, breaches and thefts are occurring at accelerating rates and will continue to do so because medical records are exceedingly valuable — I understand they sell for ca $500 per patient vs ca $20 for CC ID info.

    Second, during simple power outages or natural disasters, such as Hurricanes Katrina, Irene, and Sandy, providers cannot access their patients’ records. Eg. in Hurricane Sandy, all hospitals below 23rd Street in Manhattan had to shut down and relocate their patients because they had no power or access to patient records.

    Thus, the consequences of relying on the Cloud can be dire.
    . . . . . . . . . . . . .

    “I’m a Kaiser patient. If KP puts my ePHI on the cloud, it must be “safe enough”…they can certainly afford lawyers.”

    The issue isn’t whether a provider like KP can afford a good lawyer. It’s whether I as a patient can afford the risks of theft, which can be enormously disruptive and could even make it impossible for me to get a job (if I were out of work and a prospective employer chose not to hire me because my family had serious health issues), or whether I, given my complex health issues, can afford to have my medical records inaccessible at any time. My life might depend upon a care provider being able to access my records in an emergency.

  2. Thank you Merle & Bobby for these comments; I learned quite a lot from them.

    FWIW although I think some people don’t trust the cloud and prefer to have sensitive information only in hand, the general trend seems to be for many to accept the risks of the cloud (which probably most don’t accurately understand) in exchange for convenience.

    I’m a Kaiser patient. If KP puts my ePHI on the cloud, it must be “safe enough”…they can certainly afford lawyers.

  3. “It’s cute to say 10 lawyers will give you 12 opinions and to speculate what’s appropriate behavior”

    Yeah. A flip wisecrack (often applies to MDs as well), but one borne of frustrating experience. I sat on my HIE’s Privacy and Security Task Force. I was the staff lead on writing the P&Ps. We spent more than a year endlessly debating arcane fine points, with the lawyers always wanting “further study” (on our dime, of course).

    And they would always blow us Great Unwashed tech grunts off, along the lines of “you just don’t understand legislative construction.”

    Yes, in HIPAA, “Good Faith / Reasonable efforts” are noted.

    It’s also worth noting that individual States’ laws and regs trump HIPAA, unlike most areas where “federal supremacy” holds sway.

  4. As a consumer-patient, I want my records secure, private and accurate, and I want to know that when a care provider is treating me that my records and only my records are immediately accessible to him or her.

    As a PHR vendor, I want to provide nothing less. That’s why we don’t store a patient’s records on our servers, in the Cloud or anywhere else. That’s why we include the patient’s picture on the device to ensure proper patient identification. That’s why we give patients control of their records on a device that they can conveniently carry with them at all times. That’s why we give the patient the ability to attach addenda to records to correct mistakes in their records. That’s why we don’t share any information about them with anyone else.

    Also, as a BA I take my responsibilities seriously and rely on knowledgeable counsel to advise me. I suggest that all parties, providers, BAs et al, connected with PHI do the same. The stakes are too high to do anything less.

    It’s cute to say 10 lawyers will give you 12 opinions and to speculate what’s appropriate behavior. But that’s not good enough for me. If a provider or business associate gets sued, their only real defense is that they acted in good faith and followed the advice of counsel. I should add that counsel, in the case of PHI, should be intimately familiar with HIPAA regulations, not just any attorney.

  5. As you note, you are a “BA.” But, a BA exists per 45 CFR 164 et seq only to the extent that they are involved with a CE (Covered Entity: Clinical Provider, Clearinghouse, or Health Plan) as it pertains to the business use of ePHI, so your statement is a bit misleading. to wit:

    “…the patient is free to share his/her information with anyone they care to and they are not subject to HIPAA”

    That is nominally true. You or I could post our ePHI on Facebook at will were we that reckless and no one (including Facebook) is HIPAA liable. If Leslie’s pt sends her a link to (or an email attachment regarding) her ePHI Google doc document, Google is not liable (unless they are explicitly providing a BA service for the pt). BUT, if the doc views it in the course of the doctor-patient relationship, the onus is on the doc to log it and keep it documentably confidential within her ops in compliance with the intent of HIPAA regs (as is the BA) should it be drawn into her EHR in any way and used for subsequent medical decisions.

    You want 12 differing legal opinions on this kind of stuff? Gather 10 lawyers in a conference room. What you usually hear is “the question merits further review.”

    At, of course, $500 per hour.

    Wish that the doc could make that kind of money.

  6. Perhaps this will help clarify this issue. Our attorneys specializing in healthcare information, HIPAA, etc., outlined the “rules” for us. This is my understanding of them as they apply to our patient-focused personal health record system and our handling of patient records (PHI).

    MedKaz is owned by the patient as is the data on it. Once the patient’s PHI are on it, the patient is free to share his/her information with anyone they care to and they are not subject to HIPAA. While there is no requirement to do so as far as I know, we do keep an audit trail on their MedKaz so they can see who accessed their MedKaz, when and what records were opened.

    We, as a company who processes PHI, are considered a Business Associate. In accordance with the changed rules governing Business Associates (changed sometime last year). we are held to the same standards as a care provider. Thus, we or any other Business Associate, must protect patient records just as a physician or lab must do — even when we transmit the patient’s information to the patient. It must be secure, encrypted, etc and the patient must have signed a HIPAA Release authorizing us to handle their PHI.

  7. Hi, Dr. Leslie-

    Goog question.

    If your patient voluntarily shares ePHI with you from a site hosted by a 3rd party — AND the 3rd party is not explicitly acting as an ePHI Business Associate (“BA”) — you are probably not required to document the transaction. But, I would document it (including express, documented pt date/time permission to view) anyway in some fashion just to CYA, particularly if the information is not “encrypted in transit.”

    The Security regs go ePHI ops within HIT systems controlled by CEs and/or BAs.

    (And, IANAL)

  8. PHR is somewhat of a catch-all term. Generally, there are two classes, those that are subject to HIPAA privacy rules, and those that fall outside of that scope. PHRs that are subject to the Privacy Rule are those that a covered health care provider or health plan offers, or are otherwise provided and supported through a covered entity. The big difference is in the mechanics of how the patient accesses information, and how information is transferred in/out of the covered entity. If I’m using my insurance company’s PHR (a covered entity subject to HIPAA rules and whatnot), _they allow me access_ to information they are warehousing. I may or may not be able to integrate outside or unstructured data into their system, and it’s not always a complete record of stored data. For instance, my Quest labwork is included in my provider’s PHR because it’s structured data (and they have all that reg stuff in place), but my PT notes from an out-of-network provider are not, nor labwork from a local factuality that submitted the information in an unstructured format (read: faxed it over). The issue I come across with PHRs associated with provider organizations, labs, insurance companies and whatnot is a lack of portability.

    If I’m using Evernote or similar (outside the scope), the due diligence is on me to acquire the information, and warehouse it myself. Similarly, I’m limited in how I can import data to my provider, but generally since most information I’m providing is unstructured (ecg, imaging, notes) it’s been a somewhat trivial matter thanks to efax or direct/quicklinks (in the case of DICOM stuff). OCR and tagging makes unstructured data super manageable.

    Side note: there’s no such thing as HIPAA certification, and from a infosec best practices perspective, HIPAA compliance is really the minimum standard. There have been a few failed initiatives towards third-party health data security certifications. Security is tricky. It’s 2014, and my partner’s bank doesn’t have 2FA, and I think that’s a valid reason not to recommend CitiBank to consumers, yet how many people consider that an acceptable risk? Plenty of doctors recommend health data tracking devices to patients which also fall outside the scope. When it comes to security, I wouldn’t expect a doctor to know/understand my personal tolerances, and I think it will be interesting to see how that ends up playing in the consumer/patient/provider market.

    The last big consideration I look at regarding PHR security and health data is the type of risk they are exposed to. Am I concerned about an employer potentially finding out about high risk comorbidities? Employer-sponsored PHRs are not subject to the security standards that apply to covered entities. Or am I concerned about identity fraud associated with claims data breaches? Am I just one of those people who uses the same log in credentials for everything and then it’s all open? A binder full of papers is about the only thing secure from a NSA/DHS perspective, but I would hate to leave it at the deli.

    Sorry for the wall of text, and if I’ve interpreted something incorrectly, I hope someone comes along and clarifies. When it comes to who I trust online, rarely do I dig down into nitty gritty technicals. I look to see if they SSL/HTTPS all the things. I look at their 2FA and login requirements. Did they just launch last week from their dorm room? Do they leverage OSS? Do they have a bug bounty program and are they receptive to community feedback?

    Anyways, lots to consider, I think it’s a fascinating dynamic.

  9. hi Bobby! Now let me make sure I understand what you wrote.

    Does this mean that if I (a covered entity when working as a doctor) view my patient’s health info which they have stored online on Google Drive, there is supposed to be an audit trail?

    Does it make a difference if we view it on their device versus the office computer?

  10. I’m a practicing doc, not an expert in information security. So I can’t say I know the ins and outs of what companies must offer in order to store a consumer’s health information.

    What I meant is that I don’t think Evernote has been certified (whatever that really means) as secure enough for protected health information. (If they had, I assume they would be marketing themselves for this purpose.) Whether Evernote actually is secure enough for this work and just hasn’t gone through the process of being labeled as such…quite possible.

    My opinion would change once someone with the authority to advise doctors said “It’s ok for patients to store their sensitive medical data in Evernote, and it’s ok for you to tell them that Evernote is secure enough.”

    I actually don’t know if this is true, but I have assumed that companies that advertise themselves as PHR services have somehow made themselves suitable for medical information. Haven’t considered whether that makes them a covered entity or not.

  11. Define “technically secure enough.” Do you not feel that Evernote has not leveraged industry best practices around security and privacy, or is this from a policy standpoint? They aren’t acting as a covered entity, so HIPAA doesn’t apply. Would your opinion change once they are PCI compliant?

  12. Well, technically, under HIPAA, ANY time ePHI is created, updated, deleted, transmitted, or simply accessed for viewing, there must be an audit trail log: date/time, by whom, about whom, action taken. 45 CFR 164.306(a)(1) and 45 CFR 164.312 et seq specifically at a minimum.

    And, a CE of BA is bound by ALL of .164.3 as appropriate:

    .306(2)(c) Standards. A covered entity or business associate must comply with the applicable standards as provided in this section and in §164.308, §164.310, §164.312, §164.314 and §164.316 with respect to all electronic protected health information.

    While the word “view” does not appear in the regs, the requirement has nonetheless been so construed.

  13. Getting past records from providers couldn’t be easier. In both of your use cases, it fits whenever the patient or their children want to activate it.

    As part of the patient setup procedure, the patient lists all her current providers and others from whom she wants to assemble records. This is highly automated and generates two pre-populated pages for each provider: a Request for Records asking for her records and that they be sent to Health Record Corporation, and a HPAA Release. She signs and sends them to their respective providers.

    When we receive them, we process them (i.e., make every record searchable) and send the patient an e-mail to download her records She plugs her MedKaz into her computer, logs on to MedKaz and downloads her records. That’s the first aha moment! It’s as simple as that. (See http://medkaz.com/faqs/faqs-for-patients/#1.)

  14. Good question. I have occasionally looked at unsecure online documents with patients, but accepting a file share does take things to another level.

    Agree that we need more clarity about these rules.

  15. Agree that carrying around paper records is a chore. That said, it’s easy to get started with paper.

    I just took a look at the MedKaz website. I can’t quite tell how my two use cases would get started with it. How would they get their information on it, assuming their PCP doesn’t give them a pre-loaded device?

    Anyway, it looks like you have a promising idea. Ultimately it will come down to how much friction is involved for everyone who has to use the system…good luck!

  16. Yes, Nick Dawson wrote a THCB post earlier this year about how he uses Evernote to keep all his records. I don’t think it’s technically secure enough, but it does make it easy to access the information from a variety of devices.

  17. I’ve heard a lot of people say that they share this information with Google docs. Not sure what the HIPAA implications are. Is a provider in violation of the rules if they accept a file share? It would help if the rules about file sharing were clarified.

  18. Collecting and carrying around paper records is a chore for the care giver and doesn’t really work for the average care provider who doesn’t have time to rifle through reams of paper.

    Similarly, most care givers don’t have time or the patience to scan paper records and key in masses of data to some form of phr.

    There is one system that meets the needs you described, simplifies the transition form one provider to another, and avoids the pitfalls I mentioned. It’s MedKaz®. (Disclosure: I’m Founder & CEO of Health Record Corporation, creator of MedKaz.)

    My own MedKaz demonstrates its scope and power. It contains digitized copies of my records of more than 300 encounters with physicians, labs, hospitals, etc. spanning 29 years, from 38 providers in six cites and three states, using more than 14 records systems, including paper and at least eight of the most prominent EMR systems. I and any provider, with only two or three clicks, can search for and instantly access any record on it, even without Internet or web server access. And it’s updated for me so neither I nor any family member need to enter data.

  19. Well that’s very thoughtful .I like the second case . PHR can be maintained in digital Notepads , Smart phones, Ipad etc. it can be saved in these devices and then there would be the whole record of the patient in it .