Tuesday, December 1, 2009

Health, the web, and HIPAA

One of the more exciting (or frightening) developing trends on the web is the push to keep your health records online. The government is encouraging doctors, hospitals and other medical institutions to do this for the ultimate in health records portability. This is made more difficult by HIPAA, which makes those same groups responsible for the security of your health records. The end result is that the government is sending mixed messages, and smart money is on keeping the records offline if you're a medical provider.

Enter two companies not exactly renowned for their respect for privacy: Microsoft and Google. Google Health and Microsoft's HealthVault allow you to put your medical records, prescriptions, shot records, etc. online and share them with your pharmacy and various healthcare providers. This sounds like a really good idea. It makes your records readily available to new doctors and makes it easy for you to share them with a trusted family member or friend. Here is a short examination of both services.

First we'll look at Google Health. From the page you go to on that link:

Take charge of your health information

It's safe, secure and free

* Organize your health information all in one place
* Gather your medical records from doctors, hospitals, and pharmacies
* Share your information securely with a family member, doctors or caregivers

Google stores your information securely and privately, but you always control how it's used. We will never sell your data. You are in control. You choose what you want to share and what you want to keep private. View our privacy policy to learn more.

The privacy policy looks pretty good, but under the "How Google uses your information" section, #3 states:

Google will use aggregate data to publish trend statistics and associations. For example, Google might publish trend data similar to what is published in Google Trends. None of this data can be used to personally identify an individual.

I don't like my data being shared even "in aggregate." It's supposed to just be information like "x number of persons making between 45,000 and 100,000 a year are members." But I'm paranoid, especially about my health data. That is data that can be very damaging in the wrong hands.

The "Sharing your information" section is encouraging. The first thing they do, after telling you that you can share information, see a list of who you are sharing it with, and revoke someone's right to see your information, is to warn you that that person may still have a copy of it, even though they can no longer access it to get new information. Now if only people would actually read the policy, it would save some headaches later.

One encouraging thing about Google's offering is that it complies with Safe Harbor guidelines. By the nature of its business Google is not the world's biggest privacy watchdog, but they appear to understand the importance of privacy when it comes to health records.

Now for a look at Microsoft HealthVault:

HealthVault lets you …

* Organize your health information, with everything in one place
* Simplify your life: enter health info once, use it in many ways
* Gain insight with data that helps you make informed decisions

Microsoft HealthVault is HONcode and TRUSTe certified. Health On the Net was founded in 1995 and "promotes and guides the deployment of useful and reliable online health information, and its appropriate and efficient use." You can verify HealthVault's certification here, but right now they are actually undergoing annual review. It comforts me that they are reviewed annually.

The HealthVault privacy policy is longer and wordier than Google Health's but says essentially the same thing: your data will only be released in aggregate, except to the people you choose to release your own info to.

The question that burned in my brain when I heard about this was, "What about HIPAA? How can this be legal?"

Actually, because neither business is a medical provider, they fall through the cracks of HIPAA. They are providing a service to the consumer and have no affiliations with hospitals or doctors, so they can do things with your data that a doctor or hospital would not be able to do. You might want to think about that before joining either of these services. But despite what looks at first glance like a service I would avoid, I would recommend either of these for someone who has medical conditions that require multiple specialists. My experience is that there usually isn't as much communication between doctors as you would expect. But they have to give you your records if you ask, and putting the records in a service like this means you can make sure every doctor has access to everything going on. These services don't remove control of your information from you; they give you control you've never before had over your healthcare. That is a good thing.

[Edited 7:40am to add to last paragraph]