
 

PERSONAL HEALTH DATA ON THE NET: STATES ADDRESS PRIVACY CONCERNS

Volume 29, Issue 517                                                        June 9, 2008

Kory Mertz

The Internet search giant Google recently gave the health information technology movement a huge boost by introducing "Google Health." The new service allows consumers to create their own "home pages" for personal health information. Participants will decide which information they wish to include in their personal health records (PHRs), may enter the information themselves, and decide whether and with whom they wish to share it.

Controlled solely by the consumer, PHRs are expected to allow patients to better manage their care, and to help eliminate adverse drug interactions and duplicative tests. And, if patients wish to, they can send PHR data online to doctors or other providers.

Google makes most of its revenue by selling ads displayed during searches, and it won't charge consumers for creating and storing their PHRs. While Google Health will not include any ads, the company believes the new service will increase brand loyalty, leading to more searches and greater exposure to ads on other Google pages.

But many consumers are wary of online PHRs. And patient privacy advocates have raised serious concerns about electronic PHRs, such as Google Health. “A major concern is that PHRs are generally not subject to any privacy act," explained Robert Gellman, a privacy consultant and author of a recent report on PHR privacy. "This is a surprise to almost everybody. People expect that their health records are subject to [privacy] laws… and for the most part they are—when those records are held by doctors and insurers. When you agree to give your records to a third party there may be no privacy protections that apply at all.”

To protect patient confidentiality, states are beginning to act. To date, Arkansas and California have enacted privacy protections.

Consent Required

Currently, all states have laws that prohibit doctors, insurers and others in the health field from sharing individuals' health information without their consent. The federal Health Insurance Portability and Accountability Act (HIPAA) does the same thing.

But until recently, no states protected health data that was held by private third parties operating PHRs such as Google and Microsoft (which recently launched its own PHR "HealthVault").

However, last year, California extended its health data privacy laws to companies that provide PHRs. The law (AB 1298) now prohibits third parties from sharing, selling or using for marketing purposes users' data without their consent.

“Medical records hold our most personal, private information,” said California bill sponsor Assemblyman Dave Jones.  “Patients should feel confident [that their personal health information] will never fall into the wrong hands."

Most states also have laws that require financial institutions to notify customers when their personal data has been breached. But few require notification about breaches in health data.

Arkansas, however, mandates that organizations tell consumers if their health records have been breached. And when California enacted AB 1298, it provided the same protection. "Patients have their doubts about how secure their medical records really are," Assemblyman Jones said. "This bill will make insurers, doctors, and everyone in the health-care industry guard their patients’ medical info like it was their own.”

What Does It Do?

Although Google made a big splash when it launched Google Health, it entered a crowded market that includes nearly 200 PHR companies, according to analysts at the Markle Foundation. According to Marissa Mayer from Google, the company entered this tough market because “the majority of internet users when they look for health information online start with search.” However, consumers have been slow to create PHRs so far.

Google Health provides a number of different features for users including:

  • adverse drug interaction warnings;
  • access to medical reference material;
  • searches for doctors and hospitals, with a view of their locations; and
  • in the future, the option to share data with providers who sign up for Google Health.

Before these features can be of use, however, people need to enter their health data (such as age, height, weight, conditions, medications and allergies) into Google Health.  Users have two ways to enter data into the program.  They can manually enter the data with assistance from guided keyword searches that help patients identify their conditions. 

Patients also can directly import their medical history from eight organizations that Google has established partnerships with.  Patients can currently import their health data from labs (Quest Diagnostics), pharmacies (Walgreens), hospitals (Cleveland Clinic and Beth Israel Deaconess Medical Center) and pharmacy benefit managers (MEDCO).  Google plans to expand its network of partners in the future. 

Due to legal liability, providers are reluctant to trust unverified data in PHRs.  To address these concerns all data entered into Google Health is tagged as to its point of origin.


Google created hundreds of pages providing an overview of health conditions and links to recent news stories and medical journal articles on those conditions.  The strep-throat page provides an example of information included on the page. 


Privacy Concerns

Google responds to concerns about privacy by pointing out that under its privacy policy, users have complete control over their information, including who can see their information and who can add to it.  “No Google health user…will ever find their health information as search results on Google. That information is yours and only you have access to it,” said Roni Zeiger, Google Health product manager. Google will not sell or share its users' data without obtaining explicit consent.  The company says its privacy policy provides greater privacy protection than HIPAA.

Privacy advocates counter that Google’s privacy policy is voluntary and can be changed at any time by Google, unlike the set requirements imposed by HIPAA or state law.  “Physicians have a duty to their patients.  PHR companies like Google and Microsoft have duties to their shareholders.  They don’t have any moral, ethical or professional duties with respect to the records they hold—all they have is a privacy policy and terms of use agreement that are subject to change at any time,” said Gellman.

Nevertheless, advocates hope that PHRs will help bring health information technology into the mainstream, by giving consumers experience with storing and managing their own health data. 

© Copyright 2008, State Health Notes
