Integrated, reliable and cloud-based personal health record: A scoping review
Personal Health Records (PHRs) have emerged as a way to integrate a patient’s health information and give a global view of the patient’s status. However, integration is not trivial when dealing with a variety of electronic health systems from different healthcare centers. Access to sensitive PHR information must comply with the privacy policies defined by the patient. PHR architecture design should conform to these policies and take advantage of current technology. Cloud computing is a current technology that provides scalability, ubiquity, and elasticity. This paper presents a scoping review of PHR systems that achieve three characteristics: integrated, reliable and cloud-based. We found 101 articles that addressed those characteristics. We identified four main research topics: proposed/developed systems, PHR recommendations for development, system integration and standards, and security and privacy. Integration is tackled with the HL7 CDA standard. Information reliability is based on the ABE security-privacy mechanism. Cloud-based technology access is achieved via SOA.
💡 Research Summary
This paper conducts a scoping review of personal health record (PHR) systems that aim to satisfy three essential attributes: integration across heterogeneous health information systems, reliability of data handling, and cloud‑based delivery. The authors systematically searched major bibliographic databases for articles published between 2010 and 2023 using keywords such as “personal health record,” “integration,” “cloud,” and “security.” After screening titles, abstracts, and full texts, 101 relevant studies were retained for analysis.
The review identifies four dominant research themes. The first theme comprises proposals and implementations of new PHR platforms or extensions that interoperate with existing electronic medical record (EMR) or electronic health record (EHR) systems. Most of these implementations rely on the HL7 Clinical Document Architecture (CDA) as the primary interchange format, encoding clinical documents in structured XML to achieve syntactic compatibility among disparate providers. A secondary, emerging trend is the use of HL7 FHIR (Fast Healthcare Interoperability Resources) either as a complement to CDA or as a lightweight alternative for real‑time data exchange, though FHIR‑centric solutions remain in early stages.
The second theme focuses on development guidelines and best‑practice recommendations. These papers discuss patient‑centred consent management, governance policies, usability considerations, and regulatory compliance (e.g., GDPR, HIPAA). They emphasize that any integrated PHR must embed mechanisms for patients to define fine‑grained privacy preferences and to audit data accesses.
The third theme addresses system integration and standards. Beyond CDA, several studies explore IHE (Integrating the Healthcare Enterprise) profiles, terminology services (SNOMED‑CT, LOINC), and semantic mapping techniques to bridge gaps between legacy EMR formats and modern APIs. The literature highlights persistent challenges: versioning of CDA documents, the complexity of maintaining cross‑standard mappings, and limited support for streaming sensor data.
The fourth and most extensive theme concerns security and privacy. Attribute‑Based Encryption (ABE) emerges as the predominant cryptographic approach for enforcing fine‑grained, patient‑driven access control. In ABE‑based designs, each data object is labeled with a set of attributes (e.g., “cardiology report,” “high‑risk patient”), and users receive decryption keys derived from their professional attributes (e.g., “cardiologist,” “primary care physician”). This model enables dynamic policy enforcement without a central authority constantly re‑issuing keys. However, the computational overhead of ABE, especially on mobile devices, is repeatedly noted, prompting researchers to propose lightweight ABE variants, pre‑computation strategies, or hybrid schemes that combine ABE with traditional Role‑Based Access Control (RBAC). Some works also investigate homomorphic encryption for secure analytics on encrypted PHR data, though performance constraints limit practical deployment.
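The access structure behind such a scheme can be sketched as an added example (not code from the reviewed papers). It assumes the policy is attached to the record as a tree of threshold gates and that the record's data-encryption key is secret-shared down that tree, as ABE constructions with access trees do; the pairing layer that binds each leaf share to an attribute key is replaced here by a plain membership check, so the sketch shows policy enforcement only and gives no confidentiality or collusion resistance. The "treating team" attribute and the policy itself are constructed.

```python
import secrets

P = 2**127 - 1  # prime modulus for the share arithmetic

def split(secret, k, n):
    """Shamir-split secret into n shares with threshold k; share i is f(i)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)]

def interpolate(points):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def share(secret, policy):
    """policy is an attribute name (leaf) or (k, [children]) threshold gate.
    Returns the same tree with every leaf replaced by (attribute, share)."""
    if isinstance(policy, str):
        return (policy, secret)
    k, children = policy
    parts = split(secret, k, len(children))
    return (k, [share(s, c) for s, c in zip(parts, children)])

def recover(tree, attrs):
    """Return the shared secret if attrs satisfy the tree, else None."""
    if isinstance(tree[0], str):
        # Stand-in for "the user's key contains this attribute component".
        return tree[1] if tree[0] in attrs else None
    k, children = tree
    pts = [(i, v) for i, c in enumerate(children, 1)
           if (v := recover(c, attrs)) is not None]
    return interpolate(pts[:k]) if len(pts) >= k else None

# Constructed policy: (cardiologist OR primary care physician) AND treating team
POLICY = (2, [(1, ["cardiologist", "primary care physician"]), "treating team"])

if __name__ == "__main__":
    dek = secrets.randbelow(P)  # key that would encrypt the PHR document
    tree = share(dek, POLICY)
    print(recover(tree, {"cardiologist", "treating team"}) == dek)
    print(recover(tree, {"cardiologist"}))
```

In a real deployment the leaf shares never appear in the clear: they are embedded in group elements that only a key issued for the matching attribute can combine, which is where the computational cost noted above comes from.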
Cloud deployment strategies are uniformly described as Service‑Oriented Architecture (SOA) or micro‑service based. Authors typically containerize PHR components (authentication, data storage, analytics, notification) and orchestrate them via Docker/Kubernetes, allowing elastic scaling and fault tolerance. Hybrid cloud models dominate: sensitive clinical data are retained in on‑premise or private‑cloud repositories to satisfy data‑sovereignty requirements, while non‑sensitive services (e.g., patient portals, health‑coach APIs) run on public clouds such as AWS or Azure. Secure API gateways, OAuth 2.0, and OpenID Connect are the standard mechanisms for federated identity and cross‑system authorization.
Across all themes, the review uncovers a notable gap: while integration, reliability, and cloud delivery are each addressed in isolation, few studies present a unified architecture that simultaneously satisfies all three. The authors argue that future research should converge on a cohesive framework that (1) leverages FHIR’s lightweight, RESTful resources together with CDA’s comprehensive document model, (2) embeds ABE‑based fine‑grained encryption directly into FHIR resources, and (3) employs policy‑engine‑driven micro‑services to automate consent enforcement across multi‑cloud environments. Additionally, systematic evaluation of performance, usability, and regulatory compliance in real‑world deployments is called for.
In conclusion, the scoping review maps the current landscape of integrated, reliable, and cloud‑based PHR systems, highlights prevailing standards (HL7 CDA, emerging FHIR), security mechanisms (ABE), and cloud architectures (SOA/micro‑services), and outlines concrete research directions needed to realize truly interoperable, trustworthy, and scalable personal health records.