Increasingly patients are creating and maintaining personal health records (PHRs) with data from a variety of healthcare providers as well as data they have generated about their health. What provisions should be included in a model privacy and security policy that patients might use in making decisions related to their privacy and the security of their PHRs?