HIPAA, Hippocrates, or Hypocrisy?

France 24 discusses the latest Google venture into additional online services under the item, Google Health takes on HealthVault. The service, and the issues, both merit a careful look.

Among the issues associated with Internet-accessible health records and publicly-stored health records, security and privacy are the most widely discussed reasons to shun Google’s service.

  • If I trust my health information to Google Health, can I be certain that nobody will hack my record and change it?
  • Can I be certain that nobody will snoop through my medical records without my express permission -- regardless of whether that person is a researcher looking to find the average number of drugs a T2 diabetic takes each year, or Big Pharma trying to sell me on the merits of the latest I-didn't-realize-I-had-this-wrong-with-me-but-need-Big-Pharma-to-correct-it gimmick?
  • Will an employer, or an insurance agency, find a way to snoop through my records and decide that my health issues make me "uninsurable" (and therefore potentially "unemployable")?

Easy accessibility by an individual’s healthcare providers, and the use of large-scale, eventually-longitudinal data for public health trend analysis are two of the more widely discussed reasons for providing the service and enticing patients to use it.

  • If my doctor can read my medication profile and health journal on-line, I don't have to bring yards of printouts to an office visit.
  • If I am in an accident, a smart-card or USB key with my site login information can provide complete health, insurance, and provider information to the Emergency Room to which I am taken.
  • And if we all keep at it for ten, twenty years, maybe we'll find out what the true long-term side-effects of metformin, glipizide, or analog insulin might be.

While I concede the public health benefits, I am for the moment on the side of the skeptics. At least as far as Google Health is concerned.

On the other hand, I have signed on to the beta site for Diabetes Connect, a community for diabetics and caregivers sponsored by Alliance Health.

Looking at Diabetes Connect on its own, it is a community that has aspects of dLife (news and information, discussion fora, no blog function) and the Ning diabetes communities (discussion fora, friends, private messaging between friends), and aspects that are not highlighted by any of those groups (user reviews, book reviews, etc.). It is a more technically-oriented community than either dLife or the Ning diabetes-related social networks, which is fine in itself. I found the site through the site-owner’s (Amy Tenderich’s) blog.

The interesting thing is, if you look up Alliance Health, its goal, its mission, its raison d’être is to find audiences for medical providers and Big Pharma to shill to. Sign up for a diabetes website, and you’re asked if you have any of the usual comorbid conditions (neuropathy, hypertension, sleep disorders, high cholesterol, cardiovascular disorders, GERD, etc.)… with the idea of being able to target you for more medical goods and services.

Additionally, I have been proactive in signing up with my medical insurance providers’ online presences. The sites are secure, my information is restricted to the insurance agency, and with that information my insurers can provide me with a wider range of services that better suit my needs.

While I am fairly careful to minimize the connections between my online d-life and the rest of my online life (not to mention the rest of my “real” life!), much of it can still be connected in three links or fewer. With all the data mining, identity theft, governmental interference, and overall fearmongering going on, I’m not sure I shouldn’t be worrying about the potential repercussions of keeping that tight a series of connections. But for now, they are – and so far, I’ve not had many issues with that. But as far as Google Health is concerned… for now, at least, I’m not comfortable taking that risk.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 simply provides too many broad exemptions for “covered entities” who have unlimited access to our medical data. According to the Patient Privacy Rights Foundation, an Austin, TX-based patient advocacy organization, there are well over 6,000 organizations that are considered “covered entities” and are exempt from HIPAA privacy rules – although it’s worth noting that neither Google nor Microsoft is among those “covered entities”.

In April 2004, President George W. Bush called for the Department of Health and Human Services (HHS) to develop and implement a “strategic plan” to guide the nationwide implementation of health information technology (IT). The plan was to recommend methods to ensure the privacy of electronic health information. The U.S. Government Accountability Office (GAO) was asked to summarize its report which describes the different steps that HHS is (and is not) taking to ensure privacy protection as part of its national health IT strategy and identifies challenges associated with protecting electronic health information exchanged within a nationwide health information network.

In February 2007, the GAO released its report, which showed that overall, HHS was only in the preliminary stages of protecting patient privacy, had not yet defined an overall approach for integrating its various privacy-related initiatives and addressing key privacy principles, and had not defined milestones for integrating the results of these activities.

The simple fact of the matter is that patient privacy has always been an afterthought, and that is reflected in the marginal protections that are provided. It’s time to start over from the beginning and create new legislation which addresses the reality of the way things actually work.

With regard to Diabetic Alliance, tmana, all these communities need some kind of business plan/financial backing to stay afloat – as Manny has discovered (and now partnered with J&J LifeScan). Diabetic Connect uses NO display advertising, so no annoying pop-ups. They handle ads as “opt-in only,” meaning you have to proactively go into the “offers” area and click on stuff you want if you’re interested. I personally think that’s a nice way to handle it. They’ve also taken huge precautions to assure member privacy.

My 2 cents…

To be honest, I’m a lot more comfortable with someone saying they want this information to sell me something they feel is appropriate because they are going to want targeted information and are less likely to want the purity of their information messed with. A big entity like Google or a governmental entity is a high-profile target for hackers and identity thieves.

It is very interesting to find HIPAA not protecting privacy, as it is invoked to no end in volunteer training for NYC Marathon communications volunteers… pretty much the only “medical” information that can go over non-encrypted radio communications is the runner numbers and a “disposition code” if they drop out of the race. Everything else goes out over encrypted networks. (I’ve been a radio volunteer at the Marathon for over 15 years.)

Is it possible that NYRRC is one of the few organizations that tries to take privacy seriously?

So, we built Diabetic Connect so that all services would be driven by patients/caregivers who opt-in to a channel for certain services or ads. We don’t push banners from drugcos or Google AdSense on each page. Also, we believe that if we engineer the right systems that we could expose more products/services that exist in the diabetes arena to help folks…but aren’t necessarily from the big drugcos. You wouldn’t know that any other solutions other than pharma drugs exist if you went to WebMD (b/c pharma cos are the only ones willing to pay their exorbitant rates.) We are working on this but have a way to go. If we become a shill for the drug cos, then we will have failed in our mission. Our mission is really to become a shill for you.

Let’s face it. Managing chronic diseases and conditions is expensive. We believe if you get engaged with a technology-enabled web company (that isn’t Msft or Google btw) where that web company is committed to protecting your identity and info but exposes certain info which will allow you to participate in more savings and services…then this overall service could be hugely valuable. The more engaged and active…we believe that we can deliver more valuable targeted services to you.

In regards to HIPAA, this statute only protects consumers whose data resides in a regulated entity such as a doctor’s office, insurance co, or other medical provider that bills Medicare. It helps to prevent that data from coming out of a regulated entity and from being used in an inappropriate way. No data from a consumer to a web entity like Msft HealthVault, GoogleHealth, or Alliance Health is regulated by HIPAA, although basic consumer privacy laws and regulations are still at work.

I hope some of this info helps the discussion.

hey folks!
well shoot; this conversation looks like it has already come and gone. Perhaps that will make me the person at the party who interjects themselves into a conversation after everyone has moved on to the hors d’oeuvres table. But tmana, you raise such an interesting topic, covering a lot of territory!

Scott raises a good point about HIPAA, and as individuals we do not have a right of action under HIPAA for perceived violations (meaning we cannot sue). People have tried to sue under HIPAA and they have been thrown out of court specifically because of this. HIPAA is also quite toothless and enforcement has been incredibly lax (I thought zero cases have been addressed, but Scott found references to just one, I believe, in almost 7 years). However, there are a handful of cases going through the courts, and that have been approved for trial, where individuals are using HIPAA as a benchmark for a minimal standard of care, and one which is not being followed in particular cases. This leaves the door open for legal proceedings and judicial precedent to define an area where the legislative branch has been (very) slow to act. It is very interesting that the NY Road Runners (who put on the NYC Marathon) are so proactive about privacy; that is fantastic to hear! They might not fall under HIPAA, but the area is so loosely legislated that you cannot be too safe.

As for the point about payment, Amy raises a very good point. If you want a great service, the money to not only keep it afloat but actively evolving has to come from somewhere. We’ll see a bunch of different business models at work here, and it will be interesting to see which work and which don’t. For SweetSpot, I decided to forgo advertising completely, whether through banners, online ads, or email campaigns, because I didn’t want there to be any doubt or concern about who has access to a person’s protected health information. So I went with a straight-up subscription model, but that business model has its own downsides. We’ll see what business model becomes the norm in this space.

As for the comments about Google and Microsoft; the largest health violations, that are currently known, have come from large government agencies. Yes, Google and Microsoft make attractive targets, but I’ve interfaced with their services at a systems level, and they have very good security systems in place (especially Microsoft!). I get concerned with the government’s use of information and their lack of accountability. If Google and Microsoft have major breaches, they are required by law to disclose them or their executives can face criminal prosecution (this is under California law). The government is not under the same obligation. The fact that HIPAA is so darn toothless doesn’t bode well, in my mind.

Tmana, great post
Adam