
Florida Personal Health Record Toolkit

Will your health information get swept away when disaster strikes?

Privacy and Security

 

It is important that you thoroughly read and understand the privacy policies of the electronic personal health record (ePHR) vendor or organization sponsoring the ePHR you are using on the Internet. You want to be sure that your information cannot be retrieved or used by any person or organization you do not want to have access to it, and you need to understand exactly what happens to your information if you decide to close your account. You should maintain legal ownership of your information. Ask whether you will be notified of any changes in privacy policies, and review any changes carefully.

An important security feature is that the system can provide an audit trail of who has entered, accessed, or modified the information in the PHR. You should expect technical support to be available on a 24-hour basis. Be sure that the system gives you the ability to copy data to another device that you can carry with you, if you want this option in an emergency or for other purposes.

To ensure your protection, retain a copy of your ePHR policies and consider choosing an ePHR that, at a minimum, meets these security criteria:

  • Documented “Notice of Privacy Practices” policy;
  • Policy and procedures for authentication;
  • If web-based, it must use SSL or TLS for encryption at a minimum of 128-bit;
  • At a minimum, a complex password that includes uppercase and lowercase letters and at least one number;
  • Unique identifier for each person using the system;
  • System and record activity audit log;
  • Documented policy for access control;
  • 24/7 technical support;
  • Automatic logoff; and
  • Disaster recovery and back-up policy.

 

 
Agency for Health Care Administration. Copyright © 2007 State of Florida