Confusing Folks: PHR, PHI, PII, NPPI, and Dozens of Other Acronyms…It’s Still All Personal Information

By Rebecca Herold

Last updated: July 25th, 2007

I really enjoy reading survey results. I can’t help myself. Whether the surveys are well-done, sloppy, long, short, statistically accurate or obviously statistically invalid, I still find them interesting. Especially when they cover what the general public and non-IT/non-infosec person thinks or knows about information security and privacy, or some industry-specific issue.

Last week Aetna and the Financial Planning Association released the results of a survey seeking to find out more about what adults know about their healthcare records.

“An estimated 70 million people have access to basic Personal Health Records (PHRs) – password-protected, online records that store essential health information – through their health insurers, with millions more scheduled to receive the service this year. But when Aetna (NYSE:AET) and the Financial Planning Association® (FPA®) surveyed more than 2,100 adults 18 and older, 64 percent said they do not know or are unsure about what a PHR is. Among the group of Americans who are familiar with PHRs, 83 percent acknowledge that the online record personalizes their experience with their health care provider, but only 11 percent currently use one to keep track of their medical and health history.”

Okay, why is yet another abbreviation being used to describe what, essentially, is also called Electronic Protected Health Information (E-PHI) by the Health Insurance Portability and Accountability Act (HIPAA)? Yes, I know there are some differences in what is contained within PHRs, but the point is that all these acronyms confuse the heck out of people, to the point that they no longer even try to learn or understand them.

The HIPAA Privacy Rule describes and covers all types of PHI, and the HIPAA Security Rule describes and covers PHI only in electronic form.

Geesh, talk about confusing to most folks! Not to mention the covered entities (CEs) that must comply with them.

And each of the other laws addressing privacy and data protection has its own term for personally identifiable information (PII), including “PII” itself (the term I like the most) in some of them.

Is it any wonder 64% of the public don’t know what a PHR is? In fact, I’m surprised it’s not higher.

It would help the understanding of the public to harmonize the definition of PII across all the federal and state laws so that people don’t have to keep track of all the different labels. Well, the chances of this happening are less than seeing pigs sprouting wings and flying.

Okay, going beyond the terminology issue and assuming the survey described what a PHR is, what about the other findings?

“Survey Highlights:
When asked why they didn’t use a PHR, respondents had varying reasons, indicating a need for education:

  • Have their own system for maintaining records (35 percent)
  • Concerned with the security of personal information (26 percent)
  • Don’t know how to use and manage a PHR (18 percent)
  • Even those surveyed who are familiar with PHRs may not realize essential health information is at their fingertips. Surprisingly, fewer than one in 10 would turn to a PHR to access health information if displaced during a natural disaster. The majority of respondents would contact their physician (64 percent) or insurance company (16 percent) or say they do not know where they would find vaccination records, recent test results and their blood type (16 percent).
  • More than half (55 percent) of the women surveyed keep track of their medical and health history, but not through a PHR. By comparison, only 39 percent of men keep track of their medical and health history and 44 percent don’t keep track at all.”

What this survey does demonstrate is the need for all organizations, no matter what industry they are in, to provide a way for individuals to access their PII, review it, and request corrections to it. This is a basic privacy principle of most non-US data protection laws, which are almost all built around the Organisation for Economic Co-operation and Development (OECD) privacy principles.

Organizations will find that if they give individuals access to their corresponding PII and the ability to correct mistakes within it, they will have much more accurate records, and as a result can make better business decisions with that data. Currently, incorrect PII is perpetuated and shared, causing many problems not only for the individuals but also for the businesses.

And not only will data be more accurate; customers will also be happier knowing that the organizations with whom they do business are giving them access to their PII. This is a very good way to retain customers and attract new ones.

“In light of these findings, Aetna and FPA have expanded the Plan for Your Health public education campaign by introducing PHR information on to help Americans use PHRs to manage their personal health data and ultimately play a more active role in their health care. The site features tips on maximizing and personalizing a PHR and top reasons to use the online record.”

Have you looked at your PHR? If you’re in a healthcare organization, do you know if your organization has a process in place to allow individuals access to their PII/PHR/whatever-acronym-you-use?