Google's public unveiling of Google Health yesterday occasioned many commentaries from bloggers. One that resonates with my own concerns is Paul Pallato's post in First Read: Placing Our Trust in Google Health.
Electronic medical records management is the new frontier on the Web. And it's a potentially rich new source of revenue for Google and other companies in the field who are developing similar systems. Consolidating their records online is a complex and difficult task because these are the personal records that are the least organized.
Medical records are always scattered among a multitude of doctors, hospitals, insurance companies and pharmacies. Most of them are still on paper and haven't been converted to digital forms. All of the current custodians of these records are bound by federal law to carefully guard the privacy and integrity of these records. [italics mine]
Herein lies the rub, if there is one. Google Health and Microsoft HealthVault both claim to be exempt from the provisions of the 1996 Health Insurance Portability and Accountability Act (HIPAA). Don't believe it? See Larry Dignan's post yesterday that quoted Google's Terms of Service.
4. Use of Your Information
Hmm... what is a "covered entity"? According to 45 CFR 160.103:
Covered entity means:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this
Google Health is clearly not a health plan or provider. Is it a "health care clearinghouse"? Back to 45 CFR 160.103:
Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and ``value-added'' networks and switches, that does either of the
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
One of the value-added services touted by both the Google and Microsoft offerings is standardization of information. But is it true that Google actually "processes or facilitates the processing of health information received in a nonstandard format into standard data elements"? From what I can see of their APIs, they do not. Instead, they accept, maintain, and transmit the information in a subset of the Continuity of Care Record (CCR) format, pushing all inter-format translations onto the API callers.
Google's attorneys offer some reassurances in a blog post that also went up yesterday, which includes a link to a chart showing the protections afforded by HIPAA and the corresponding protections offered by Google.
What about HealthVault? Chillmark Research put up a post earlier this month arguing that HIPAA coverage of PHRs is a bad idea anyway, with links to a number of good primary and secondary sources, including a page put together by the Microsoft HealthVault and legal teams explaining the relationship between HealthVault and HIPAA, most of which sounds like it applies equally to Google Health. They too assert that they do not transform data, hence are not a healthcare clearinghouse. I'm a teeny bit more skeptical of HealthVault's assertion, but for a laudable reason: they support more than one format, adding support for the HL7 Continuity of Care Document (CCD) standard.
Disclaimer: I'm not familiar with CCD, and I haven't time to do the research to make sure I have the acronym translation correct. This may seem like a nitpicky disclaimer, but I am arguably legendary in the HL7 community for having put up an AMIA poster in which the title translated CDA as "Common Document Architecture" instead of "Clinical Document Architecture".
Arggh!!! If you are going to make mistakes, it's best not to use a 96-point bold font when doing so.
CCD is the HL7 harmonization of CCR with its CDA format, with which I am somewhat familiar, having worked with it as data architect on an NIH Roadmap "Re-Engineering the Clinical Research Enterprise" contract for 3 years. I applaud Microsoft's use of both standards, and encourage them to flout the law of the land if necessary in order to encompass as many health data interchange standards as possible.
I feel a lot more comfortable with HealthVault and Google Health as custodians of quasi-universal PHRs than I would with a governmental entity playing the same role. Both are commercial entities with extraordinarily deep pockets, representing fine targets for tort litigators should they fail in their custodial duties. The same cannot be said for the US government, which is the world's largest debtor nation, and statutorily protected to some degree from lawsuits.
Will there be breaches of privacy involving Google Health and Microsoft HealthVault? That's like asking in the 1950s whether there would ever be an accident at a nuclear power plant. That was then; now such a breach is a statistical inevitability. Will it bring the world to a halt, or even outweigh the benefits these systems will provide? Not a chance. Instead, I believe that maybe, just maybe, these two new services will provide a light at the end of the long, painful tunnel that is our national healthcare system.
Someday soon, I hope to think more deeply about the implications of Google Health and Microsoft HealthVault on clinical and translational research.