Our recent coverage of HealthVault has received some attention from other news outlets.

VentureBeat author David P. Hamilton has been covering HealthVault. He began with an attempt to review HealthVault that ended in frustration attempting to register a password. His next post was a review of HealthVault itself. Recently he posted his thoughts regarding our coverage of HealthVault.

Our comments also received some attention from Dana Blankenhorn at ZDNet. Robin Harris, another ZDNet author, believes that HealthVault is a sick joke. ZDNet also has some screenshots of HealthVault in action for those who may not have the time to play around with the site themselves. ZDNet also has a news article about Microsoft’s efforts to get health records online.

All of the articles are well worth reading if you are concerned about the privacy implications of electronic health records.

Last week, Microsoft announced a new PHR (Patient Health Records) system called HealthVault. HealthVault is a web-based portal that enables end-users to upload their health records on the web. Unfortunately, what people don’t realize is that HealthVault and similar PHR systems are not subject to or governed by law. When the Health Insurance Portability and Accountability Act (HIPAA) was enacted, we did not envision that private software firms would eventually want to create databases for our health records. As a result, HealthVault and other PHR systems are not subject to the same privacy and security laws to which traditional medical records are subject to in the United States because they are not “covered entities” as specified in the HIPAA.

Over the course of the past 7 years, researchers at ThePrivacyPlace.org have evaluated over 100 privacy statements for financial and healthcare web portals. In addition, we focus on evaluating the extent to which the privacy of sensitive information is protected in these systems as well as the extent to which system comply with relevant regulations.

Even though physicians and the press are excited about the introduction of these new PHR systems [1], there are questions that I urge the public to ask before entrusting their sensitive health records to any PHR system. My concerns are based on a careful evaluation of the HealthVault privacy statements [2, 3]. Microsoft appears to have sought the counsel of physicians who believe that patient consent is the best indicator of privacy protections. Unfortunately, most physicians do not understand the subtleties buried within healthcare privacy statements within the context of the software that implements those statements. For this reason, I now list three primary questions that one should ask before entrusting their health records to HealthVault or any other PHR system:

Will your health information be stored in other countries without appropriate legal oversight, skirting many of the protections afforded by the HIPAA?

The HealthVault privacy statement explicitly states that your health records may be off-shored to countries that do not afford the same privacy protections for sensitive information that we do in the United States. In particular, if information is disclosed or altered, do you have any legal recourse or remedy?

Will your health care records be merged with other personal information about you that was previously collected within the context of non-health related services?

Within the context of HealthVault, the answer to this question is yes. Microsoft explicitly states that they will merge the information they have previously collected from you via non-health related services with your HealthVault information. Moreover, it is unclear what information Microsoft already has about us other than our names and contact information and precisely what information third parties may access. Furthermore, we don’t know if that information is accurate or complete. Thus, use of the merged information may not be what we expect.

Are the access controls to your health records based not only on your consent, but also on the principle of least privilege?

Although HealthVault requires patient consent for any accesses and sharing of your health records, access controls leave the door wide open for data breaches. HealthVault enables individuals to grant access to other people and programs that can further grant read/write access to your health record. The only safeguard is a history mechanism to provide an accounting of accesses if you suspect that your information has been breached after the fact. A better approach would be for Microsoft to proactively enforce contractual obligations via audits and monitoring mechanisms.

The hype surrounding HealthVault’s privacy protections among those in the medical community must be balanced with the reality of the information security and privacy practice expressed in its public privacy statements. It is critical to address these privacy concerns in the design of PHR systems before we deploy them with vulnerabilities that will ultimately lead to yet another rash of data breaches.

References

[1] Steve Lohr. Microsoft Rolls Out Personal Health Records, New York Times, 4 October 2007.

[2] Microsoft HealthVault Search and HealthVault.com Beta Version Privacy Statement, October 2007.

[3] Microsoft HealthVault Beta Version Privacy Statement, October 2007.

President Bush called for the adoption of electronic health records in his 2004 State of the Union and extolled their benefits, saying that “by computerizing health records, we can avoid dangerous medical mistakes, reduce costs, and improve care.” In 2005’s State of the Union, he reiterated his desire to seek “improved information technology to prevent medical error and needless costs.”

Recently, a Congress health subcommittee has been reviewing the efforts to deploy electronic medical records (EMRs) and has found progress to be “disappointingly slow” (according to Rep. Johnson, R-Conn.). The hearing (detailed in this CNET article) reviewed the pros and cons of moving towards paperless systems and included testimony from several health and privacy experts. Particular concern was noted for HIPAA’s lack of coverage of non-insurance health transactions; this means that medical records used in these transactions are not governed by the strict security and privacy requirements. It was noted that the lack of a uniform federal privacy standard may also make the deployment of an EMR system much more complicated.

I do not carry my insurance card with me every day because my Social Security Number was printed on the card. In case I lost my wallet some day, all of my personal information (including name, SSN, DoB, home address, which will be more than enough for identity theft) will be available to whoever got my wallet. I cannot afford the risks. But, there are good news for New York State residents. Excellus Blue Cross Blue Shield of New York State has begun issuing new alpha-numeric identification numbers to its policyholders, replacing their old Social Security number-based policy ID system. The switch is scheduled to be completed by the end of May. That’s absolutely great news. I hope the Blue Cross Blue Shield of North Carolina can do the same thing for their customers so that I can carry my insurance card with me without worrying about what will happen if I lose my insurance card.

The following excerpt is from an article at timesreporter.com: A review of the various effects the Health Insurance Portability and Accountability Act (HIPAA) has had on the medical industry and patients. While patients appreciate the stronger privacy protection, the medical community has found that compliance with the new law can interfere with patient care.

Personally, I can relate to these findings. A few months ago, a good friend of mine had a heart attack and was hospitalized for several days. I was visiting him on the 3rd day of his hospital stay when a hospital administrator approached him. She asked him several HIPAA related questions and asked him to sign various wavers. For example: Can the hospital disclose his personal information to friends and family members? Or, Can the doctors discuss his medical treatments and condition with family members and friends? Now, keep in mind that he had been on morphine and various other drugs since he was admitted and just finished an angioplasty procedure at this point in time. While I thought it was terribly inappropriate to ask him these questions while he was in no way cognisant enough to make such a decision, I asked myself when would be an appropriate time? Should they stop treating his pain long enough to let him sign the HIPAA wavers? Would that be humane? How else would he reach an informed decision? And where does the line for protection of personal privacy become unrealistic and/or ridiculous?

As a privacy and security researcher, I cannot agree with the hospitals actions in this matter. I realize that there will be continued resistance, compromises, and inconvenience in the pursuit of protecting our individual privacy; but if we don’t persist, we surely cannot progress.

Researchers who used to search medical records for potential participants in their clinical trials of new medications or medical treatments must now rely on doctors for patient referrals. As a researcher, I fully understand how this can be viewed as hindrance by medical researchers. However, as a public citizen I’m happy to see that HIPAA is having an impact on those trying to access my sensitive medical information without my knowledge. ThePrivacyPlace.Org recently released an Analysis of Web Site Privacy Policy Evolution in the Presence of HIPAA that you may find interesting.

For more information on HIPAA prohibiting researchers from reviewing medical records, see: Privacy rule builds biomedical research bottleneck.

– aia

A few months back I received an email from a person who said they have my medial reports from Blue Cross Blue Shield of NC. This was a person with the exact same name as mine. I was shocked to see the carelessness that was shown on part of the employees at the Student Health Center at my University. On checking with them I found out that my social security number was transferred to the other person’s records and vice versa. It seems to me that at many places privacy and general “best practices” are not being given the regard people expect to see.
On a similar note, recently, an Everett, Washington hospital employee mistakenly faxed confidential patient data to the city’s newspaper when the employee transposed numbers for two physicians with the same last name. More information on this case can be found at :
Hospital works to cut number of fax problems

– Neha Jain