Usable Privacy and Security in Personal Health Records

PHRs (Personal Health Records) store individuals’ personal health information. Access to this data is controlled by the patient, rather than by the health care provider. Companies such as Google and Microsoft are establishing a leadership position in this emerging market. In this context, the need for psychological acceptability in privacy and security protection mechanisms is essential. Any privacy and security mechanism must be acceptable from a usability perspective. This paper presents a study of the privacy policies of 22 free web-based PHRs. Security and privacy characteristics have been extracted according to the ISO/TS 13606-4 standard. In general, quite a good level was observed in the characteristics analyzed. Nevertheless, some improvements could be made to current PHR privacy policies to enhance the management of other users’ data, the notification of changes to the privacy policy to users and the audit of accesses to users' PHRs.