Security and privacy legislation guidelines for developing personal health records

2015 
Personal Health Records (PHR) open new opportunities for enhancing the delivery of standard health care services and health information to the general population, and for supporting individuals in taking a more active role in health management and decision-making processes. However, while the use of PHR as part of a health management process brings much more flexibility and more advanced options to individuals, it also raises questions about responsibility and authority for the creation, processing and maintenance of personal health-related data, and for ensuring its privacy and security. This paper summarizes the issues related to EU legal and regulatory requirements for developing PHR that enable storage, sharing and management of health data between different stakeholders (patients and healthcare institutions at different levels of care). We present a list of guidelines that outline which security and privacy issues must be taken into consideration and addressed when developing PHR, and discuss them in the context of one European country (Norway). In the discussion we raise issues that are not addressed in the existing regulations but play an important role in developing secure PHR systems. We also propose a direction for further development of policies and legislation in Europe to facilitate further development and utilization of PHR systems.