PHR (Personal Health Record)
Personal Health Record
An electronic record of identifiable health information drawn from multiple sources that is managed, shared, and controlled by or primarily for the individual.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- HIPAA & Privacy
- Acronym for
- Personal Health Record
- Primary sources
- 1
- Workspace handoff
- ask d3 →
Where this comes up
Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.
Full definition
What it is in practice
PHRs include patient-controlled health apps and portals. PHRs are not always HIPAA-covered; FTC HBNR may apply to PHR vendors.
How it shows up in your practice
When integrating with PHR vendors via API, confirm BAA or FTC HBNR status and document the data exchange.
Sources
- FTC — Health Breach Notification Rulehttps://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule
Confirm PHR vendor status in Ask D3
Open ask d3 →Related terms
- HIPAA & PrivacyFTC Health Breach Notification RuleFTC rule (16 CFR Part 318) requiring vendors of personal health records and related entities (not HIPAA-covered) to notify affected individuals and FTC after a breach of unsecured PHR identifiable health information.
- DocumentationPatient PortalA secure web-based application that lets patients access portions of their health information and communicate with the practice.
- Compliance ProgramFHIR (Fast Healthcare Interoperability Resources)HL7 standard for exchanging healthcare data electronically through RESTful APIs and structured resources.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryFTC Health Breach Notification RuleFTC rule (16 CFR Part 318) requiring vendors of personal health records and related entities (not HIPAA-covered) to notify affected individuals and FTC after a breach of unsecured PHR identifiable health information.
- GlossaryFHIR (Fast Healthcare Interoperability Resources)HL7 standard for exchanging healthcare data electronically through RESTful APIs and structured resources.
- GlossaryPatient PortalA secure web-based application that lets patients access portions of their health information and communicate with the practice.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- RegulationHIPAA Authorization Requirements (45 CFR 164.508)Required elements and statements for a valid HIPAA authorization, plus the prohibition on combining authorizations with other documents in most circumstances.
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
- SRAHIPAA Patient Right of Access: A Small-Practice WalkthroughHow 45 CFR 164.524 governs patient access to their records, the 30-day rule and 30-day extension, the limited fees a practice may charge, and the OCR Right of Access Initiative.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.