Showing posts with label healthcare. Show all posts

Tuesday, December 1, 2009

Health, the web, and HIPAA

One of the more exciting (or frightening) developing trends on the web is the push to keep your health records online. The government is encouraging doctors, hospitals and other medical institutions to do this for the ultimate in health records portability. This is made more difficult by HIPAA, which makes those same groups responsible for the security of your health records. The end result is that the government is sending mixed messages, and smart money is on keeping the records offline if you're a medical provider.

Enter two companies not exactly renowned for their respect for privacy: Microsoft and Google. Google Health and Microsoft's HealthVault allow you to put your medical records, prescriptions, shot records, etc. online and share them with your pharmacy and various healthcare providers. This sounds like a really good idea. It makes your records readily available to new doctors and makes it easy for you to share them with a trusted family member or friend. Here is a short examination of both services.

First we'll look at Google Health. From the Google Health front page:

Take charge of your health information

It's safe, secure and free

* Organize your health information all in one place
* Gather your medical records from doctors, hospitals, and pharmacies
* Share your information securely with a family member, doctors or caregivers

Google stores your information securely and privately, but you always control how it's used. We will never sell your data. You are in control. You choose what you want to share and what you want to keep private. View our privacy policy to learn more.


The privacy policy looks pretty good, but under the "How Google uses your information" section, #3 states:

Google will use aggregate data to publish trend statistics and associations. For example, Google might publish trend data similar to what is published in Google Trends. None of this data can be used to personally identify an individual.

I don't like my data being shared even "in aggregate." It's supposed to just be information like "x number of persons making between 45,000 and 100,000 a year are members." But I'm paranoid, especially about my health data. That is data that can be very damaging in the wrong hands.

The "Sharing your information" section is encouraging. It tells you that you can share information, see a list of who you are sharing it with, and revoke someone's right to see it, and then immediately warns you that a person you remove may still have a copy of whatever they already saw, even though they can no longer get new information. Now if only people would actually read the policy, it would save some headaches later.

One encouraging thing about Google's offering is that it complies with the Safe Harbor guidelines. By the nature of its business Google is not the world's biggest privacy watchdog, but it appears to understand the importance of privacy when it comes to health records.

Now for a look at Microsoft HealthVault:

HealthVault lets you …

* Organize your health information, with everything in one place
* Simplify your life: enter health info once, use it in many ways
* Gain insight with data that helps you make informed decisions

Microsoft HealthVault is HONcode and TRUSTe certified. Health On the Net was founded in 1995 and "promotes and guides the deployment of useful and reliable online health information, and its appropriate and efficient use." You can verify HealthVault's certification on the HON site, but right now it is actually undergoing annual review. It comforts me that they are reviewed annually.

The HealthVault privacy policy is longer and wordier than Google Health's but says essentially the same thing: your data will only be released in aggregate, except to the people you release your own info to.

The question that burned in my brain when I heard about this was, "What about HIPAA? How can this be legal?"

Actually, because neither business is a medical provider, they fall through the cracks of HIPAA. They are providing a service to the consumer and have no affiliations with hospitals or doctors, so they can do things with your data that a doctor or hospital would not be able to do. You might want to think about that before joining either of these services. But despite what looks at first glance like a service I would avoid, I would recommend either of these for someone whose medical conditions require multiple specialists. My experience is that there usually isn't as much communication between doctors as you would expect. But they have to give you your records if you ask, and putting the records in a service like this means you can make sure every doctor has access to everything going on. These services don't remove control of your information from you; they give you control you've never before had over your healthcare. That is a good thing.

[Edited 7:40am to add to last paragraph]

Friday, November 27, 2009

Some people have a right to know

A letter on southcoasttoday.com points out that there are some persons who should be given automatic access to health records. Spouses should always have access to each other's records. Parents should, once their children are old enough, have either a living will or a signed power of attorney granting one or all of their children access to their medical records. Everyone should prepare for the worst-case scenario: should you be incapacitated, who takes care of you and your affairs? Living wills and medical/financial/total powers of attorney specify the answers to those questions. Don't make them lightly, and make sure you really trust the people you are giving such power to, but if at all possible, have these documents on file with an attorney and/or your doctor.

So much for a 'lightweight' rest of the week. :)

Friday, November 20, 2009

Who will watch the hen house?

In an article Thursday, the Huffington Post went to some length to examine the tug-of-war occurring between the health industry (hospitals and insurance companies) and privacy/security advocates. The health industry wants a federal rule on health data breach notification to contain a "harm threshold" that says how many records must be breached, or how much harm must be done by the breach, before notification is required. The reason there was anything to argue about is a piece of legislation crafted to encourage the move to electronic medical records. The article doesn't mention the bill by name, or any of its authors, but apparently the original bill did not specify just how much data had to be mishandled before notification was required, and that is the same as saying ANY lost data meant notification was necessary. The healthcare industry lobbied the Department of Health and Human Services to add a "harm threshold" because, without one, if a single bill went to the wrong address, that patient would have to be notified. Such stringent requirements scare hospital administrators and health insurers: "Such a requirement, they say, not only would be costly but also would overwhelm consumers and make them less likely to notice when a real problem occurred."

How many mistakes do they make every month? It sounds to me like hard-nosed notification requirements are overdue. Strict requirements with real consequences for failure to comply will force healthcare providers and insurers to fully train their employees in the regulations and give them the tools to do it right. If they are making so many mistakes right now that being required to send notifications of any mishandled data would overwhelm me with notifications, there is a big problem. I don't trust the health care industry to police itself and notify people any sooner than it absolutely has to. I think it's time to contact our members of Congress and tell them we want notification. The easiest way to contact your senator (if you don't already have the info):

http://www.senate.gov/general/contact_information/senators_cfm.cfm

Your Representatives:

http://www.house.gov/
Enter your zip code in the box in the upper left and click on "go".

Thursday, November 19, 2009

Healthcare workers not hip to HIPAA

According to the Modern Healthcare website, a significant number of healthcare employees don't know that they are subject to HIPAA regulations. It's apparently a failure to communicate. The American Recovery and Reinvestment Act of 2009 extended who has to comply with HIPAA regulations, but as many as 50%+ of newly affected workers failed to get the memo. I'd be less concerned if I didn't wonder how many of the employees who were already covered by HIPAA haven't got the memo yet.

England has had its worst consumer data breach in a while, courtesy of a Verizon T-Mobile employee who sold customer info. Hey Verizon T-Mobile, I want better controls over my data! Can you hear me now?

[Edited @ 1:57pm because apparently I have subconscious issues with Verizon]