Personal health records (PHRs), centralized places for consumers to electronically store, manage, and share their personal health information, offer new opportunities to help consumers manage their own health and health care. However, ensuring the privacy and confidentiality of health information contained within PHRs is challenging. This paper analyzes the major properties of existing PHR systems and identifies specific privacy and security issues with each type of PHR. It proposes a consumer-controlled privacy protection approach that includes high-minded privacy principles such as independent consent management, independent privacy and security audits, and regulatory compliance requirements. It further presents a consumer-controlled system architecture that embodies these principles in the web-based PHR system.