Google's public unveiling of Google Health yesterday occasioned many commentaries from bloggers. One that resonates with my own concerns is Paul Pallato's post in First Read: Placing Our Trust in Google Health.
Electronic medical records management is the new frontier on the Web. And it's a potentially rich new source of revenue for Google and other companies in the field who are developing similar systems. Consolidating their records online is a complex and difficult task because these are the personal records that are the least organized.
Medical records are always scattered among a multitude of doctors, hospitals, insurance companies and pharmacies. Most of them are still on paper and haven't been converted to digital forms. All of the current custodians of these records are bound by federal law to carefully guard the privacy and integrity of these records. [italics mine]
Herein lies the rub, if there is one. Google Health and Microsoft HealthVault both claim to be exempt from the provisions of the 1996 Health Insurance Portability and Accountability Act (HIPAA). Don't believe it? See Larry Dignan's post yesterday that quoted Google's Terms of Service.
4. Use of Your Information
If you create, transmit, or display health or other information while using Google Health, you may provide only information that you own or have the right to use. When you provide your information through Google Health, you give Google a license to use and distribute it in connection with Google Health and other Google services. However, Google may only use health information you provide as permitted by the Google Health Privacy Policy, your Sharing Authorization, and applicable law. Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (“HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party. [some italics added by Larry, more by me]
Hmm... what is a "covered entity"? According to 45 CFR 160.103:
Covered entity means:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
Google Health is clearly not a health plan or provider. Is it a "health care clearinghouse"? Back to 45 CFR 160.103:
Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
One of the value-added services touted by both the Google and Microsoft offerings is standardization of information. But is it true that Google actually "processes or facilitates the processing of health information received in a nonstandard format into standard data elements"? From what I can see of their APIs, they do not. Instead, they accept, maintain, and transmit the information in a subset of the Continuity of Care Record (CCR) format, pushing all inter-format translations onto the API callers.
Google's attorneys offer some reassurances in a blog post that also went up yesterday, which includes a link to a chart showing the protections afforded by HIPAA and the corresponding protections offered by Google.
What about HealthVault? Chillmark Research put up a post earlier this month arguing that HIPAA coverage of PHRs is a bad idea anyway, with links to a number of good primary and secondary sources, including a page put together by the Microsoft HealthVault and legal teams explaining the relationship between HealthVault and HIPAA, most of which sounds like it applies equally to Google Health. They too assert that they do not transform data, hence are not a healthcare clearinghouse. I'm a teeny bit more skeptical of HealthVault's assertion, but for a laudable reason: they support more than one format, adding support for the HL7 Continuity of Care Document (CCD) standard.
Disclaimer: I'm not familiar with CCD, and I haven't time to do the research to make sure I have the acronym translation correct. This may seem like a nitpicky disclaimer, but I am arguably legendary in the HL7 community for having put up an AMIA poster in which the title translated CDA as "Common Document Architecture" instead of "Clinical Document Architecture".
Arggh!!! If you are going to make mistakes, it's best not to use a 96-point bold font when doing so.
CCD is the HL7 harmonization of CCR with its CDA format, with which I am somewhat familiar, having worked with it as data architect on an NIH Roadmap "Re-Engineering the Clinical Research Enterprise" contract for 3 years. I applaud Microsoft's use of both standards, and encourage them to flout the law of the land if necessary in order to encompass as many health data interchange standards as possible.
I feel a lot more comfortable with HealthVault and Google Health as custodians of quasi-universal PHRs than I would with a governmental entity playing the same role. Both are commercial entities with extraordinarily deep pockets, representing fine targets for tort litigators should they fail in their custodial duties. The same cannot be said for the US government, which is the world's largest debtor nation, and statutorily protected to some degree from lawsuits.
Will there be breaches of privacy involving Google Health and Microsoft HealthVault? That's like asking in the 1950s whether there would ever be an accident at a nuclear power plant. That was then, and this is now, a statistical inevitability. Will such a privacy breach bring the world to a halt, or even outweigh the benefits these systems will provide? Not a chance. Instead, I believe that maybe, just maybe, these two new services will provide a light at the end of the long, painful tunnel that is our national healthcare system.
Someday soon, I hope to think more deeply about the implications of Google Health and Microsoft HealthVault on clinical and translational research.
I noticed your article about Personal Health Records. My company was part of the Google Health launch and we've solved some of the privacy and security issues raised. As a freelance journalist, I started writing about these a couple of years ago and was so impressed by one of them, MyMedicalRecords.com, that I recently joined the company to handle its media relations. You may find this of interest for future articles.
Contrasting MMR to other companies in the PHR space, MMR delivers the most user-friendly, convenient and versatile web-based personal health record available today. Using proprietary patent pending technologies, complete patient information including actual lab test results, radiology reports and images, progress notes and all of a patient’s charts can be faxed, voiced or uploaded into the user’s password-secured account. Users do not need to install any special software or use any special hardware to use our service.
MMR also has integrated other advanced features, such as multilingual translation, a drug interaction database of more than 20,000 medications, calendaring for prescription refills and doctor appointments, and private voicemail for a doctor’s message and other personal uses.
There also is a special “Emergency Log-In” feature that allows a doctor to access a user’s account to view their most important medical information in the event of a medical emergency. To ensure individual privacy, specific data, such as prescriptions, allergies, blood type and copies of actual medical files or images, are pre-selected by the user for inclusion in the online read-only Emergency Folder. The site has been repeatedly tested to be sure no unauthorized person can break into any account.
In addition, MMR also includes an online ESafeDeposit Box feature that enables users to securely store any important document in a virtual “lock box” and access them anytime from anywhere using an Internet-connected computer or PDA. These documents can include advanced directives, wills, insurance policies, birth certificates, photos of family, pets and property, and more. MMR is clearly one of the most complete user-friendly personal health records available today. I can provide you with more extensive information on how MMR compares with other products on the market.
Incidentally, when Google Health was launched on May 19, MMR was included as an integrated service on its platform. This will enable users to move information from their Google Health account to their MyMedicalRecords account and vice versa. This will enhance the Google Health user experience by allowing the individual to store documents, images, and other personal information in MMR’s easy-to-use personal health record and will have the benefit of all the additional features MMR has that are not available directly within Google Health.
I would encourage you to visit MMR and join with a complimentary membership. Simply go to www.mymedicalrecords.com and sign up using registration code MMRMEDIA. I believe you will be impressed with how comprehensive and easy-to-use it is. I will contact you after you have had a chance to experience the service with the hope that you will include us in any further discussions of the subject.
Sincerely,
Scott S. Smith
Director of Public Relations
MyMedicalRecords.com
10100 Santa Monica Blvd. #430
Los Angeles CA 90067
Ext 123 (Cell: 310/254-4051)
ssmith@mmrmail.com
Encl.
Posted by: Scott Smith | May 20, 2008 at 04:47 PM
Hi there,
I loved your blog! I wanted to extend an invitation to blog at our site. I think you could offer some very interesting content to our blogs. Plus, it would be a great opportunity to gain exposure. Our site currently receives approximately 1.2 million unique visitors a month and we are one of the fastest growing online health communities. New blogs are featured on our home page, as well as recent posts, and we also feature the blogger with the most quality content on our homepage with a mini bio, which changes each week.
Or you could feed existing posts to our site as a means to drive additional traffic to your site, if you are too busy to write an additional blog.
If you are interested, you can sign up here http://blogs.healthcare.com otherwise feel free to email me.
Have a great day!
Alexandra Snyder
Content Editor
HealthCare.com
1749 NE Miami Ct, Suite 604
Miami, FL 33132
asnyder@healthcare.com
305.371.9724 x224
Posted by: alexandra snyder | May 30, 2008 at 12:36 PM