<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Michael Zimmer.org &#187; Medical privacy</title>
	<atom:link href="http://michaelzimmer.org/category/privacy/medical-privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://michaelzimmer.org</link>
	<description>information ethics : privacy : new media : values in design : 2.0</description>
	<lastBuildDate>Sat, 19 May 2012 04:53:54 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Electronic Medical Records: Threats &amp; Opportunities</title>
		<link>http://michaelzimmer.org/2009/01/19/electronic-medical-records-threats-opportunities/</link>
		<comments>http://michaelzimmer.org/2009/01/19/electronic-medical-records-threats-opportunities/#comments</comments>
		<pubDate>Tue, 20 Jan 2009 02:42:13 +0000</pubDate>
		<dc:creator>Michael Zimmer</dc:creator>
				<category><![CDATA[eHealth]]></category>
		<category><![CDATA[Medical privacy]]></category>

		<guid isPermaLink="false">http://michaelzimmer.org/?p=1028</guid>
		<description><![CDATA[It has been a while since I wrote about electronic/online medical records, but two stories popped onto my radar that deserve mention. The first focuses on the inherent threats of having medical information stored and displayed electronically: bugs. Apparently one-third of the Department of Veterans Affairs 153 medical facilities fell victim to a bug in [...]]]></description>
			<content:encoded><![CDATA[<p>It has <a href="http://michaelzimmer.org/category/ehealth/" target="_blank">been a while since I wrote</a> about electronic/online medical records, but two stories popped onto my radar that deserve mention.</p>
<p>The <a href="http://www.tampabay.com/news/military/veterans/article967778.ece" target="_blank">first</a> focuses on the inherent threats of having medical information stored and displayed electronically: <a href="http://en.wikipedia.org/wiki/Software_bug" target="_blank">bugs</a>. Apparently <em>one-third</em> of the Department of Veterans Affairs 153 medical facilities fell victim to a bug in a recent software update, causing electronic medical records to display incorrect or misleading patient data, including vital signs, medications, stop orders, and lab results. As a result, a handful of patients received incorrect doses of intravenous medication — including the blood thinner heparin, which at excessive doses can be fatal.</p>
<p>The VA seemed to brush it aside as a rarity, explaining that &#8220;What we found was that the glitch that could occur didn&#8217;t occur routinely&#8230;It was hit or miss, and didn&#8217;t happen with all patient records. It was very sporadic.&#8221; To me, the sporadic nature of the glitch is no comfort, as that means it is harder to predict why it happened and harder to ensure it won&#8217;t happen again. Equally discomforting is the fact that while the computer bug emerged in August 2008, it apparently wasn&#8217;t fully corrected until December, and wasn&#8217;t made public until a whistle blower exposed the bug in January 2009. The agency&#8217;s excuse: the agency has a duty to inform patients only in cases in which harm is done, and &#8220;It was determined that no patients suffered harm as a consequence of this.&#8221;</p>
<p>Unbelievable.</p>
<p>Of course, reliability isn&#8217;t the only threat of relying on electronic, and increasingly online, records to manage our health. <a href="http://michaelzimmer.org/category/privacy/medical-privacy/" target="_blank">Privacy</a> remains a major factor, so much so that it is emerging as a central issue in the Obama administration&#8217;s push to &#8220;make the immediate investments necessary to ensure that within five years all of America’s medical records are computerized.&#8221;</p>
<p>Just days before Obama&#8217;s inauguration, the NY Times reports on new <a href="http://www.nytimes.com/2009/01/18/us/politics/18health.html" target="_blank">opportunities</a> for ensuring privacy in online medical records. Some lawmakers are insisting that any new spending must be accompanied by stronger privacy protections. The Obama campaign had previously <a href="http://www.pogowasright.org/blogs/dissent/?p=823" target="_blank">only hinted at its position</a> on medical privacy, but the Times points out that Rahm Emanuel, Obama&#8217;s incoming chief of staff, advocated such safeguards when he was a House member from Illinois, stating “As we move forward on health information technology it is absolutely essential that an individual’s most personal and vulnerable information is protected.”</p>
<p>Hopefully we have an opportunity here for <em><a href="http://www.change.gov" target="_blank">change</a></em>, and will see the strengthening of HIPAA and its <a href="http://michaelzimmer.org/2008/04/16/doctors-warn-of-dangers-of-storage-of-health-records-by-msft-google/" target="_blank">applicability to the third-party</a> management and processing of patient records.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelzimmer.org/2009/01/19/electronic-medical-records-threats-opportunities/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Doctors Warn of Dangers of Storage of Health Records by MSFT / Google</title>
		<link>http://michaelzimmer.org/2008/04/16/doctors-warn-of-dangers-of-storage-of-health-records-by-msft-google/</link>
		<comments>http://michaelzimmer.org/2008/04/16/doctors-warn-of-dangers-of-storage-of-health-records-by-msft-google/#comments</comments>
		<pubDate>Wed, 16 Apr 2008 21:40:25 +0000</pubDate>
		<dc:creator>Michael Zimmer</dc:creator>
				<category><![CDATA[eHealth]]></category>
		<category><![CDATA[HealthVault]]></category>
		<category><![CDATA[Medical privacy]]></category>

		<guid isPermaLink="false">http://michaelzimmer.org/2008/04/16/doctors-warn-of-dangers-of-storage-of-health-records-by-msft-google/</guid>
		<description><![CDATA[The New York Times reports on commentary in the current New England Journal of Medicine where two doctors warn of the dangers of having large corporations like Microsoft or Google being in the business of storing patient medical records. Here&#8217;s the opening section of the doctors&#8217; essay: Tectonic Shifts in the Health Information Economy In [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.nytimes.com/2008/04/17/business/17record.html" target="_blank">New York Times reports</a> on <a href="http://content.nejm.org/cgi/content/short/358/16/1732" target="_blank">commentary in the current</a> New England Journal of Medicine where two doctors warn of the dangers of having large corporations like Microsoft or Google being in the business of storing patient medical records. Here&#8217;s the opening section of the doctors&#8217; essay:</p>
<blockquote><p><strong>Tectonic Shifts in the Health Information Economy</strong></p>
<p>In a recent shift in the health information landscape, large corporations are seeking an integral and transformative role in the management of health care information. The mechanism by which this transformation is likely to take place is through the creation of computer platforms that will enable patients to manage health data in personally controlled health records (PCHRs). Two types of large corporations are involved. Technology companies such as Google and Microsoft see business opportunities, whereas Fortune 100 companies in their role as employers see efficiencies and cost savings when patients can securely store, access, augment, and share their own copy of electronic health information. Though this shift in the locus of control of health information is driven largely by a need to provide assistance with clinical care processes, it will also profoundly affect the biomedical research enterprise.</p></blockquote>
<p>And for those who lack institutional access to the rest of the article, here&#8217;s the Times&#8217; synopsis:</p>
<blockquote><p>As part of a push toward greater individual control of health information, Microsoft and Google have recently begun offering Web-based personal health records. The journal article’s authors describe a new “personalized, health information economy” in which consumers tell physicians, hospitals and other providers what information to send into their personal records, stored by Microsoft or Google. It is the individual who decides with whom to share that information and under what terms.</p>
<p>But Microsoft and Google, the authors note, are not bound by the privacy restrictions of the Health Insurance Portability and Accountability Act, or Hipaa, the main law that regulates personal data handling and patient privacy. Hipaa, enacted in 1996, did not anticipate Web-based health records systems like the ones Microsoft and Google now offer.</p>
<p>The authors say that consumer control of personal data under the new, unregulated Web systems could open the door to all kinds of marketing and false advertising from parties eager for valuable patient information.</p>
<p>Despite their warnings, Dr. Mandl and Dr. Kohane are enthusiastic about the potential benefits of Web-based personal health records, including a patient population of better-informed, more personally responsible health consumers.</p>
<p>“In very short order, a few large companies could hold larger patient databases than any clinical research center anywhere,” Dr. Mandl said in an interview.</p>
<p>But the authors see a need for safeguards, suggesting a mixture of federal regulation — perhaps extending Hipaa to online patient record hosts — contract relationships, certification standards and consumer education programs.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://michaelzimmer.org/2008/04/16/doctors-warn-of-dangers-of-storage-of-health-records-by-msft-google/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More (Limited) Peeks into Google Health</title>
		<link>http://michaelzimmer.org/2008/02/28/more-limited-peeks-into-google-health/</link>
		<comments>http://michaelzimmer.org/2008/02/28/more-limited-peeks-into-google-health/#comments</comments>
		<pubDate>Thu, 28 Feb 2008 17:36:42 +0000</pubDate>
		<dc:creator>Michael Zimmer</dc:creator>
				<category><![CDATA[eHealth]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[HealthVault]]></category>
		<category><![CDATA[Medical privacy]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://michaelzimmer.org/2008/02/28/more-limited-peeks-into-google-health/</guid>
		<description><![CDATA[Google has provided some more information about their beta eHealth product, including this claim regarding privacy and security: Privacy and Security &#8211; Due to the sensitive and personal nature of the data that will be stored in Google Health, we need to conduct our health service with the same privacy, security, and integrity users have [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://googleblog.blogspot.com/2008/02/google-health-first-look.html" target="_blank">Google has provided</a> some more information about <a href="http://michaelzimmer.org/2008/02/22/google-tests-its-ehealth-platform-privacy-promised/" target="_blank">their beta eHealth product</a>, including this claim regarding privacy and security:</p>
<blockquote><p><span style="font-weight: bold"> Privacy and Security</span> &#8211; Due to the sensitive and personal nature of the data that will be stored in Google Health, we need to conduct our health service with the same privacy, security, and integrity users have come to expect in all our services. Google Health will protect the privacy of your health information by giving you complete control over your data. We won&#8217;t sell or share your data without your explicit permission. Our privacy policy and practices have been developed in thoughtful collaboration with experts from the <a id="fdm7" title="Google Health Advisory Council" href="http://googleblog.blogspot.com/2007/06/new-advisory-group-on-health.html">Google Health Advisory Council</a>.</p></blockquote>
<p>The notion that Google will conduct their health service with &#8220;the same privacy, security, and integrity users have come to expect in all our services&#8221; causes me some pause. Google currently tracks my search queries in order to place advertising, scans the content of incoming Gmail messages for similar monetization, and, given their vast suite of products and services linked by a <a href="http://michaelzimmer.org/2006/09/02/googles-persistent-sticky-memory/" target="_blank">common Google Account</a>, has the ability to create detailed dossiers on users&#8217; online activities. I hope they treat my personal medical data with greater &#8220;privacy, security, and integrity&#8221; than how they track and monetize my general search activities and e-mail messages.</p>
<p>Google also states <em>&#8220;We won&#8217;t sell or share your data without your explicit permission.&#8221;</em> This is troubling to me as it signals the possibility exists that Google <em>will</em> want to sell or share my data with third parties. We need to learn more about what Google is contemplating here: What plans exist to sell or share my medical data if I do give explicit permission? How will my data be used, and by whom? How will my permission be granted? Will I know who is using the data and how? Can I decide I want to share it with certain parties and not others?</p>
<p>The note mentions the privacy policy for Google Health. A <a href="http://bp0.blogger.com/_Ap14FtNN91w/R8aBmNPItRI/AAAAAAAAA2U/PG_kVm-yd5E/s1600-h/marissa_blog_sign_in.JPG" target="_blank">screenshot</a> provided by Google also shows links to the service&#8217;s privacy policy. As far as I can tell, however, the actual policy hasn&#8217;t been made available, so we can&#8217;t evaluate its claims and promises. I urge Google to share this policy ASAP.</p>
<p>A bit more information has been made available via the press. This <a href="http://www.news.com/8301-10784_3-9880909-7.html" target="_blank">Cnet article</a> notes that:</p>
<blockquote><p><span class="external-link">&#8220;Google won&#8217;t sell the data</span> and won&#8217;t put ads on the site, but rather hopes to drive traffic to partner sites where there will be ads. In addition, Web searches will not be used to provide services or information to users of Google Health, Google representatives said.&#8221;</p></blockquote>
<p>This provides a bit more clarity, but I still hope to be able to sit down with Google&#8217;s people to discuss these issues in more detail, much in the way <a href="http://michaelzimmer.org/2008/02/20/more-designing-for-privacy-microsoft-healthvault/" target="_blank">Microsoft has made itself available on its HealthVault</a> product.</p>
<p>(As an aside, I&#8217;m also tracking various conversations and debates over the extent to which <a href="http://www.hhs.gov/ocr/hipaa/" target="_blank">HIPAA</a> applies to these platforms &#8211; I hope to assemble my thoughts on that soon)</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelzimmer.org/2008/02/28/more-limited-peeks-into-google-health/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Google Tests its eHealth Platform, Privacy Promised</title>
		<link>http://michaelzimmer.org/2008/02/22/google-tests-its-ehealth-platform-privacy-promised/</link>
		<comments>http://michaelzimmer.org/2008/02/22/google-tests-its-ehealth-platform-privacy-promised/#comments</comments>
		<pubDate>Fri, 22 Feb 2008 18:38:11 +0000</pubDate>
		<dc:creator>Michael Zimmer</dc:creator>
				<category><![CDATA[eHealth]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Medical privacy]]></category>

		<guid isPermaLink="false">http://michaelzimmer.org/2008/02/22/google-tests-its-ehealth-platform-privacy-promised/</guid>
		<description><![CDATA[Google announced the start of a pilot project to test its own electronic health records storage platform. The same privacy concerns that arise when considering Microsoft&#8217;s HealthVault solution apply here: How is the data stored? Is it encrypted? Who can access it? Etc. In their announcement, Google promises: &#8220;Above all, health data will remain yours [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://googleblog.blogspot.com/2008/02/pilot-with-cleveland-clinic-for-health.html" target="_blank">Google announced</a> the start of a pilot project to test its own electronic health records storage platform. The <a href="http://michaelzimmer.org/2008/02/20/more-designing-for-privacy-microsoft-healthvault/" target="_blank">same privacy concerns that arise</a> when considering Microsoft&#8217;s HealthVault solution apply here: How is the data stored? Is it encrypted? Who can access it? Etc.</p>
<p>In their announcement, Google promises: &#8220;Above all, health data will remain yours &#8212; private and confidential. Only you have control over when to share it with family members and health providers.&#8221; This is similar to the assurances <a href="http://michaelzimmer.org/2008/02/20/more-designing-for-privacy-microsoft-healthvault/" target="_blank">Microsoft made to me</a>, but Google provides no details.</p>
<p>A key concern is whether and how Google plans to monetize this service. Will sponsored ads be inserted? Will there be a search component? Will user activity be tracked to provide personalized services and advertising?</p>
<p><em>Google, if you want to meet and discuss, you know how to find me.</em></p>
<p>[<a href="http://chimprawk.blogspot.com/2008/02/google-reading-your-health-records.html" target="_blank">Fred Stutzman</a> and <a href="http://ericjennings.wordpress.com/2008/02/21/google-your-health-records/" target="_blank">Eric Jennings</a> have more thoughts]</p>
<p>UPDATE:  Fred Stutzman asks good questions in the comments below, which I try to reply to. I feel they&#8217;re important enough to add to the main post, for those reading via RSS.</p>
<p>Fred says:</p>
<blockquote><p>I would like to know specifically:</p>
<p>1) If Google plans to sell targeted ads based on records<br />
2) Google plans to integrate the health records into the Google cross-service profile. That is, will my gmail now know I have asthma if I elect to participate.</p></blockquote>
<p>My reply:</p>
<blockquote><p>1) I suspect they might, although they’re probably not under as much pressure to monetize the service as Microsoft is. The key issue will be to what extent are ads personally targeted based on one’s health data, or one’s health-related search query, or one’s clickstream data on the health site.</p>
<p>2) I suspect that in terms of “live” processing, the answer will be no. When ads are served to you on Gmail or a SERP, I doubt they’ll ping your health data to help personalize them. However, presumably a Google Account will be needed to use the health service (they like to require that for everything, even their muni-wi-fi proposals), which does mean such a linkage can be made if necessary (business decision, subpoenas, etc)</p></blockquote>
<p>I hope we can get more information soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelzimmer.org/2008/02/22/google-tests-its-ehealth-platform-privacy-promised/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>More Designing for Privacy: Microsoft HealthVault</title>
		<link>http://michaelzimmer.org/2008/02/20/more-designing-for-privacy-microsoft-healthvault/</link>
		<comments>http://michaelzimmer.org/2008/02/20/more-designing-for-privacy-microsoft-healthvault/#comments</comments>
		<pubDate>Wed, 20 Feb 2008 06:34:31 +0000</pubDate>
		<dc:creator>Michael Zimmer</dc:creator>
				<category><![CDATA[eHealth]]></category>
		<category><![CDATA[HealthVault]]></category>
		<category><![CDATA[Medical privacy]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Values in Design]]></category>

		<guid isPermaLink="false">http://michaelzimmer.org/2008/02/20/more-designing-for-privacy-microsoft-healthvault/</guid>
		<description><![CDATA[Similar to my recent probes and interactions with the designers of the social networking site Moli, I recently enjoyed the opportunity to discuss privacy-related design issues with the product manager for Microsoft&#8217;s HealthVault platform. HealthVault is Microsoft&#8217;s attempt to provide an online platform where personal electronic health records can be stored, managed, and shared with [...]]]></description>
			<content:encoded><![CDATA[<p><img style="width: 240px; height: 59px;" title="HealthVault" src="http://michaelzimmer.org/images/HealthVault.png" alt="HealthVault" width="240" height="59" align="right" />Similar to my recent <a href="http://michaelzimmer.org/2008/02/11/moli-maintaining-multiple-personas-online-sharing-more-personal-information/" target="_blank">probes</a> and <a href="http://michaelzimmer.org/2008/02/15/more-on-moli-and-designing-for-privacy/" target="_blank">interactions</a> with the designers of the social networking site <a href="http://www.moli.com/" target="_blank">Moli</a>, I recently enjoyed the opportunity to discuss privacy-related design issues with the product manager for <a href="http://www.healthvault.com/" target="_blank">Microsoft&#8217;s HealthVault</a> platform.</p>
<p>HealthVault is Microsoft&#8217;s attempt to provide an online platform where personal electronic health records can be stored, managed, and shared with various healthcare providers. HealthVault also features a topical search engine allowing users to search specifically for health-related information (Microsoft will use sponsored search ads on the search engine to monetize the HealthVault platform). Microsoft&#8217;s press release launching the service last fall can be found <a href="http://www.microsoft.com/presspass/press/2007/oct07/10-04HealthVaultPR.mspx" target="_blank">here</a>; it has been covered by <a href="http://www.nytimes.com/2007/10/04/technology/04nd-soft.html?hp" target="_blank">the New York Times</a>, <a href="http://www.washingtonpost.com/wp-dyn/content/article/2007/10/04/AR2007100400984_pf.html" target="_blank">Washington Post</a>, <a href="http://www.businessweek.com/magazine/content/07_42/b4054047.htm" target="_blank">BusinessWeek</a>, etc.</p>
<p>Any attempt to aggregate and store personal medical data online is fraught with privacy issues, and HealthVault has attracted its <a href="http://venturebeat.com/2007/10/14/does-microsofts-healthvault-really-protect-your-privacy/" target="_blank">fair</a> <a href="http://www.privacyrights.org/ar/healthVault.htm" target="_blank">share</a> of <a href="http://www.fredtrotter.com/2007/10/22/healthvault-no-commitments-and-a-sleeping-watchdog/" target="_blank">criticism</a> and <a href="http://theprivacyplace.org/2007/10/09/is-that-vault-really-protecting-your-privacy/" target="_blank">concern</a> (especially given the bad taste Microsoft&#8217;s <a href="http://epic.org/privacy/consumer/microsoft/" target="_blank">Passport/Hailstorm efforts left in privacy advocates&#8217; mouths</a>).</p>
<p>Some of the privacy concerns that immediately come to mind include:</p>
<ul>
<li>How secure are the personal health records stored online?</li>
<li>Who has access to the data and under what conditions?</li>
<li>Will users&#8217; data be aggregated, data-mined, monetized, or sold?</li>
<li>Are users&#8217; health-related search queries logged?</li>
<li>Are users&#8217; clickstream activities on HealthVault logged?</li>
</ul>
<p>Microsoft, of course, has been paying attention to all of this, and they&#8217;ve been trying to address HealthVault&#8217;s privacy-related issues through various policy, marketing, and design decisions. It was under this auspice that I met with HealthVault platform’s Product Manager George Scriban to share ideas about health privacy generally, and HealthVault specifically. Here&#8217;s some of what I learned Microsoft is doing to address the privacy issues surrounding HealthVault:</p>
<ul>
<li>To help protect user privacy, all search activity on HealthVault&#8217;s search engine is encrypted via <a href="http://en.wikipedia.org/wiki/HTTPS" target="_blank">HTTPS</a>. This helps provide some security from having health-related searches viewable by employers or other network providers, in much the same way passwords are encrypted as they move across the Internet.</li>
<li>Compared to many traditional search engines, where the sponsored ads are personalized and/or contextually tied to the specific search terms, the sponsored ads that subsidize HealthVault searches are only &#8220;bluntly targeted.&#8221; This is done by mapping the concepts that appear on top search result pages, and then targeting the ads to those concepts. For example, a search for &#8220;HIV and pregnancy&#8221; might provide results dealing with the broader concepts of sexual health and prevention. It is these concepts that trigger certain ads to be displayed, not the original search term. As a result, there is less motivation to track and log the specific search terms that might be more personally sensitive.</li>
<li>Traditional search engines often go to great lengths to help understand the purpose and intent of ambiguous search queries, typically through the logging of search activities. For example, a simple search for the term &#8220;cold&#8221; could refer to an upper respiratory infection, a climate condition, or an emotional stance. By logging and comparing previous search activity, search engines can try to predict what the user actually was looking for. But with a health-specific search engine, it is much more likely the user is seeking medical information about the common cold. Given this drop in search term ambiguity, HealthVault&#8217;s search engine cookie only retains query data per session (the tracking cookie expires if you close your browser or visit a different web page).</li>
<li>Similarly, the more persistent cookies related to the search engine in HealthVault expire after 90 days. And their server logs, which might also contain clickstream data they store (to monitor interface usability, clicking of sponsored ads, etc), are destroyed after 90 days.</li>
<li>Regarding users&#8217; health records, they are given full control over what information is stored on the system, who can access it, and what they can do with it. Microsoft will make themselves available for audits to ensure compliance with their privacy policies.</li>
<li>Given that third-party applications will be built on top of the HealthVault platform, Microsoft&#8217;s goal is to make this much more transparent than similar execution on sites like Facebook, where users don&#8217;t really know what information applications are accessing or what they are doing with it. HealthVault provides the ability to see how a user&#8217;s individual health records have been accessed and used. If a user uploads a piece of health information, they can use a control panel to see who has accessed the data (only people they authorize can do so), when they accessed it, and what was done with it, whether it was modified, and so on.</li>
</ul>
<p>I must note that I haven&#8217;t been able to verify these technical claims, and my research in this area is only beginning &#8212; many other harms could remain even if all the above are fully implemented. But if the above steps can be validated, it appears the developers of HealthVault have taken Microsoft&#8217;s &#8220;<a href="http://michaelzimmer.org/wp-admin/Privacy%20Guidelines%20for%20Developing%20Software%20Products%20and%20Services" target="_blank">Privacy Guidelines for Developing Software Products and Services</a>&#8221; to heart, and have consciously designed HealthVault to protect user privacy.</p>
<p>::</p>
<p>UPDATE: <a href="http://www.fredtrotter.com/2008/02/20/healthvault-michael-zimmer-digs-deeper/#comment-554" target="_blank">Fred Trotter</a> provides the right kind of push-back on Microsoft&#8217;s claims I detail above. He also notes that my fellowship at the Yale ISP is funded by Microsoft. I should have provided this disclaimer earlier:</p>
<p>Microsoft is a funder of the <a href="http://isp.law.yale.edu/" target="_blank">Information Society Project</a> (ISP) at Yale Law School, and their grant pays for my fellowship there. I can safely say that I have not personally felt any pressure or influence by Microsoft on my scholarship (or my blog posts).</p>
<p>Also, I don&#8217;t know if my being the &#8220;Microsoft Fellow&#8221; actually granted me any special access. The invitation I received from Robin Bender Ginn, from MSFT&#8217;s PR firm Edelman, seemed quite generic, identifying me as a &#8220;recognized technology privacy leader,&#8221; was sent to my blog e-mail (not my Yale account), and didn&#8217;t mention the relationship between ISP and MSFT. It honestly felt like the kind of invitation they probably sent to a dozen like-minded scholars/bloggers. I noted the connection between MSFT and the ISP in my reply, but I don&#8217;t know if they were aware of it beforehand.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaelzimmer.org/2008/02/20/more-designing-for-privacy-microsoft-healthvault/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

