LAS VEGAS--Personal health records are often cited as a critical part of improving the quality of health care, but thorough consent and security policies regarding access and transmission of electronic health information are equally important, experts say.

Group Health Cooperative, a consumer-governed, nonprofit health care system, has been working with electronic health records for seven years, said Ted Eytan, medical director of health informatics and Web services in the quality/informatics division of the Seattle-based organization. Nearly 135,000 adult members have personalized Web pages featuring personal health information, he said.

Patients can fill out health risk assessments and the data is transmitted to their personal health records, he said. Then, a message is sent to their health care provider about the information, allowing a provider to respond immediately if necessary, he said.

"It's part of providing medical care," Mr. Eytan told attendees at America's Health Insurance Plans' annual meeting held June 20-22 in Las Vegas.

Organizations offering personal health records, though, need to take important steps to safeguard the information and ensure that access is restricted to people with permission to view the records, observers say.

WellPoint Inc., the largest U.S. health insurer by membership, provides its members with the capability to develop their own personal health records, an option to receive test results online, provide a limited set of records to their providers and to allow other family members access to the information, said Wilma Kidd, director, corporate privacy and compliance training for the Indianapolis-based insurer.

A key consideration in setting up members' electronic health records is getting permission to share the information with providers and family while safeguarding the member's privacy, she said. For example, any authorization policy should also feature a provision to ensure that the information will not be released if the authorization has been revoked, she said.

Consent policies should address specific requirements and expectations if permission is obtained through the provider, such as defining responsibility for the availability, maintenance and protection of the records. Consent forms are the simplest way for providers to get such permission, particularly in situations such as emergency room visits, she said.

When developing electronic health records, policies may need to define the types of records that will be available online, such as pharmacy data and lab results. The policies should also indicate how sensitive records will be made available to providers, including records pertaining to sexually transmitted diseases and substance abuse, bearing in mind that state and federal laws limit access to certain records.

For example, a minor in Virginia can have an abortion without parental notification, so that information needs to be excluded from records that family can access but still be available to providers, she said.

"There are state laws governing who has access to that information, so you have to have a way to carve that out," Ms. Kidd said.

"You would have to have a mechanism in place for the provider to get more information about those sensitive records," she said

In terms of security safeguards, WellPoint tracks who accesses information and has staff members to monitor the systems for potential breaches. Although there have been attempts by hackers to access the information, WellPoint has not had a data breach, Ms. Kidd said.

"We have a group of people who are always looking" for possible security breaches, she said.