Tuesday, March 04, 2008

How Private is Private? Is Google a covered entity?

Back in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress for the purposes of ensuring continuity of healthcare benefits for workers changing or losing their jobs (Title 1) and to establish national standards (Title 2) for electronic health care transactions, maintenance of privacy about so-called protected health information (PHI) and security of that information maintained in electronic repositories (e.g. hospital information systems and other data bases).

Since the actual implementation of the Privacy and Security Rules in 2003, there have been considerable efforts on the part of healthcare organizations (providers, health plans and so-called healthcare clearing houses) to develop policies and procedures which adhere to federal law while still carrying out patient care effectively as well as managing clinical research productively. Of course, nothing is perfect and there have been a plethora of papers and media articles on the barriers to patient care (Gross 2007) and to important large population based clinical research (Armstrong, Kline-Rogers et al. 2005; Wolf and Bennett 2005; Wilson 2006). Further, the security of PHI is not so great either (Freudenheim and Pear 2006).

Therefore, health insurance might be portable for some workers, but PHI is not!

With all the recent hoopla about Microsoft wanting to purchase, somewhat hostilely, Yahoo in order to “corner” the market on search engines, it might have been easy to overlook 10 second sound bites on the morning radio news, or the little technology tidbit in the New York Times (Lohr 2008) which was NOT on the front page.

So it seems that Google actually will scoop Microsoft in implementing a web based interface with a major healthcare system, in this case the Cleveland Clinic with its some 100,000 patients. The deal is, if one has a Google e-mail account, one can use the same sign-in and password to access and transmit one’s medical records. Apparently, the pilot phase will involve only some “innocuous” data such as allergies and prescription records. However, prescription records can certainly allow inferences about underlying health conditions for specific patients which, if leaked, could have problematic consequences. Funny how Google mail accounts are encryption proof (Stone 2007) to corporate electronic security walls. Does that provide some clues as to how undone PHI privacy could become?

And what about HIPAA? There is some debate about whether Google could be considered a healthcare clearing house or other entity which information repositories containing people’s PHI would be considered protected and would have an obligation to protect under current federal regulations. The World Privacy Forum (Gellman 2008) thinks not.

Other dicey questions: will Google patients be subject to advertising spam or other intrusive advertisement adduced from their prescription lists? What guarantees that the “client” (read patient lists) won’t be sold to Pharma companies as yet another means of developing data bases about physician prescribing patterns? Who is going to regulate these issues? Google is a great search engine—I use it all the time! But I’m not sure I want to use it to manage my healthcare information. I’d rather continue to keep it on my PDA!

Armstrong, D., E. Kline-Rogers, et al. (2005). "Potential impact of the HIPAA privacy rule on data collection in a registry of patients with acute coronary syndrome." Archives of Internal Medicine 165(10): 1125-1129.
Freudenheim, M. and R. Pear (2006). Health hazard: computers spilling your history. New York times. New York.
Gellman, R. (2008). Personal health records: why many PHRs threaten privacy, The World Privacy Forum.
Gross, J. (2007). Keeping patients' details private, even from kin. New York Times. New York.
Lohr, S. (2008). Google Health begins its preseason at Cleveland Clinic. New York Times. New York.
Stone, B. (2007). Firms fret as office e-mail jumps security walls. New York Times. New York.
Wilson, J. F. (2006). "Health insurance portability and accountability act privacy rule causes ongoing concerns among clinicians and researchers." Annals of Internal Medicine 145(4): 313-316.
Wolf, M. S. and C. L. Bennett (2005). "Local perspective of the impact of the HIPAA privacy rule on research." Cancer 106(2): 474-479.

1 comment:

MLO said...

For those of us who suffer from anaphylaxis, there is nothing innocuous about our allergy information...

That being said, the "privacy" concerns surrounding medical records are actually pretty ridiculous and not very well thought out. (I can't believe anyone would think they are.)

This is going to be a very interesting experiment.