| By Stuart J. Johnston |
The advent of “in the cloud” medical records services, such as Microsoft HealthVault and Google Health, promises an explosion in the storage of personal health-care information online.
But these services pose sticky privacy questions — unless you know how to protect your personal medical records.
A promise of safer personal health data
Your private health information is migrating wholesale onto the public network with the advent of online health-care records stored in massive data centers around the world.
Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 10, Windows 8, Windows 7, Firefox, Internet Explorer, Google, etc. Join our 460,000 subscribers!
Subscribe and get our monthly bonuses - free!
The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!
While the services aim to make it easier for consumers to access and manage their personal health information, the ready availability of this data also makes it much easier and less expensive for insurers to put your medical history under the microscope.
Surprised? You shouldn’t be. You voluntarily grant access to that sensitive information every time you sign a waiver so that your health insurer can decide whether to pay for a doctor’s visit, a prescription, or an expensive medical test.
What’s more, most of the gathering and collating of this information is legal. In fact, the number of companies that have access to this information runs into the millions, say privacy advocates.
As recently as last year, only 1% to 3% of U.S. consumers had electronic versions of their health records, according to market research firm Health Industry Insights, an IDC company.
That is about to change.
The fact that two of the biggest players in the emerging world of cloud computing services — Microsoft and Google — are jumping into that arena with both feet will likely accelerate the shift to online medical records.
Microsoft kicked off the beta test of its HealthVault service almost a year ago, while Google announced its Google Health service last February and launched a beta in May. While both services are still in beta, each company has partnered with large health-care providers for pilot tests: Microsoft with Kaiser Permanente and Google with the Cleveland Clinic.
Private health data goes public by mistake
Part of consumers’ reticence to sign up for electronic personal health-care records — with or without services “in the cloud” — has to do with a handful of recent high-profile data breaches. In April, the largest health insurer in the U.S., WellPoint, disclosed that records on as many as 130,000 of its customers had leaked out and become publicly available over the Internet.
To be fair, so-called cloud services aren’t at fault, at least not so far. Microsoft, Google, and other companies that put your medical records online are adamant that their security is top-of-the-line. Their services are intended to give consumers greater, not less, control over who sees what by giving consumers personal ownership of their information, according to the services.
“[As a consumer], I control release of that information,” Grad Conn, senior director of the Microsoft Health Solutions group, told me in describing HealthVault. A Google spokesperson expressed virtually the same assurance about Google Health. Neither company is disclosing how many users it has signed up thus far.
Indeed, consumers’ control of their health data is not the core problem. It’s what happens to your information after its initial release that worries privacy advocates — and with good reason. Once the data leaves the safe harbor of a secure cloud service, it’s fair game for companies in several different industries.
Take, for example, prescription records.
“All 51,000 pharmacies in the U.S. are wired for data mining. Selling prescription records is a multibillion-dollar-a-year industry,” states an FAQ published by Patient Privacy Rights, a major consumer-health and privacy-rights organization.
This data mining of prescription records can cost consumers big-time.
For instance, a July article in Business Week cited the case of a Louisiana couple denied health insurance because the wife took two medications that set off red flags for a prospective insurer.
Ironically, both were for “off-label” uses — that is, they were prescribed not for the maladies that the drugs were originally designed to treat. The woman’s doctor prescribed an antidepressant to help her sleep due to symptoms of menopause and a hypertension drug to reduce swelling in her ankles.Although clinically she was neither depressed nor had high blood pressure, the couple’s application for health insurance was denied, the article stated.
Or take the case of supermarket customers who use so-called “affinity” cards to obtain discounts at their favorite grocery. Data showing that a customer regularly buys cigarettes might be obtained by an insurer or employer and combined with a health record where the customer claimed to be a nonsmoker.
“It’s interesting how they can tie all of that [information] together,” Lynne Dunbrack, program director at Health Industry Insights, told Windows Secrets.
Consumer privacy may get lost in the clouds
Cloud computing is the latest buzz phrase for putting the massive processing power and storage capacity needed to provide ubiquitous computing out on servers located on the public network, or “in the cloud.” Microsoft, Google, and many other online companies have embraced the idea.
Most observers — including privacy advocates — state that the move to store our health records in the cloud is inevitable. In fact, there are many benefits to consumers for having that information available virtually instantly. For example, if you were in a different city and needed to be rushed to the emergency room, your health history would be immediately available to the physicians on call.
Or, Dunbrack added, having access to a patient’s commplete prescription information can help displaced persons stay alive in a hurricane-ravaged area, for example.
In fact, a survey conducted last spring for the Markle Foundation found that, of nearly 1,600 respondents, four out of five see electronic health records as useful, but many indicated that protecting the confidentiality of that information is crucial. “Nearly half called specific privacy practices ‘critical’ in their decision to try one out,” a foundation statement said.
The downside is that storing health records online makes it easier for insurers to calculate the odds that you will be more expensive to insure than the next person. That’s the rub, say privacy advocates.
Wait, you say. Isn’t there a law that keeps your data from being misused? Yes and no.
It’s called the Health Insurance Portability and Accountability Act, or HIPAA. Moreover, there are many exceptions to the law. Additionally, both Microsoft and Google claim their health services are not subject to HIPAA regulation, since they don’t offer health-care services themselves.
Pam Dixon, executive director of the World Privacy Forum, says HIPAA is far from perfect but better than no protection at all. “Before HIPAA, it really was much worse,” she said. However, she agrees that “secondary use” of patient data has become an industry unto itself — a genie that will be difficult or even impossible to get back into the bottle due to the billions of dollars that can be made from it.
“Right now, disclosure of health information is out of control,” Dixon said, adding ruefully, “Technology is not going to go backwards.”
How to safeguard your health-care records
So, what can you do to protect yourself? Patient Privacy Rights offers these recommendations and questions to ponder as you navigate the sometimes-perilous world of electronic health records:
• Don’t even think about using a personal health record (PHR) that’s offered by an employer or insurer. These are the last companies with which you want to share all your personal health and daily activities.
• Don’t simply rely on a “HIPAA-compliant” PHR. HIPAA has more loopholes than the tax law; millions of businesses can legally access your information without your consent.
• How do you authorize access to the information? If gaining access requires nothing more than having someone guess your password, say “no, thanks.”
• Does the PHR provider have the right under its “agreements” to take, sell, or share your information?
• What security does the PHR provide?
Finally, a little personal advice: hold off signing up for any electronic health-records system for the time being. So few people have joined to date that there are bound to be problems to work out, not to mention the potential for identity theft. Let somebody else play the role of pioneer.
Stuart Johnston is associate editor of WindowsSecrets.com. He’s written about technology for InfoWorld, Computerworld, InformationWeek, and InternetNews.com.