Google Health: influential, controversial and gone.

Google Health is no more.

That’s a shame, because I am writing a book on Health IT for O’Reilly and before this announcement, my rough draft featured Google Health extensively.

I guess this is better, though, than having Google Health shut down just -after- I finished writing my book.

Of course, I am going to have to change lots of content in the book, but Google Health will still be there.

For a project that no longer exists, it will end up being one of the most influential Health IT projects of our era. Google Health, and for that matter Google generally, has always been willing to make strong statements when they evaluate technology and technology protocols. In fact, Google has made two controversial technology picks, at the opening and closing of Google Health.

At the opening, Google decided that they would support CCR (Continuity of Care Record) from ASTM and AAFP rather than the much more complex CDA/CCD from HL7. The CCR vs CCD debate has been one of the most controversial and long-standing arguments in Health IT. HealthVault, the Microsoft product which survives Google Health, has always elected to support both standards. But Google insisted that the CCD standard was too complex, and not only insisted on CCR, but on a smaller subset of that standard.

Now, at the end of support for Google Health, Google is choosing to allow export under the Direct Protocol. Again this is the simpler of the two protocols that are supported by ONC to be part of the NWHIN (the precursor to the Health Internet). The other protocol, IHE, is getting no love from Google Health.

Goodbye Google Health, whatever else I may have said about you, I must admit that you made some ballsy technical stands.

-FT

Google Health is dead, HealthVault Indivo win

Recently, Google announced that the Google Health PHR will be retiring.

I posted the announcement to the Society for Participatory Medicine mailing list, and there has been a lot of discussion about this there. There are several issues that lots of people do not seem to understand, and some implications of this that have been missed.

Losers: Google Health Users

Let me be perfectly clear. If you trusted Google Health with your healthcare data you are screwed, unless the Microsoft HealthVault team rescues you. Even then, you are likely screwed anyways.

The whole point of Google Health was that it was more than a mere store of your XML patient data. It was a network of providers, like pharmacies, drug companies, non-profits and countless other service providers who added value to your health record.

I love the Direct Project but it only makes health data mobile, it is another matter altogether to make your health data semantically useful again. There is no way that the HealthVault team will be able to replicate 100% of the value that Google Health was providing based merely on the XML output from Google Health. As service providers and patients themselves added to their Google Health record, it made those records more complex than HealthVault, or any other PHR system, can easily understand. This is called Lossy Data Conversion.

The patients who will lose the most useful data, are those patients who leveraged Google Health the most. The more you invested in Google Health, the more screwed you are now. Of course, the other group who is going to be really screwed are the people who do not pay attention to announcements like this at all, (and ignore or filter email warnings) who will try to find data they stored in Google Health four years from now, only to discover that the deadline for data download had passed, and their data is gone. Ironically, the people who this is most likely to happen to are older people, who are not terribly tech savvy -and- who might have stored data in Google Health precisely so that they could ensure it would be available as they aged. Again the more they invested, (seemed like a good idea at the time), the more screwed they are today. Not good.

Probably the most important lesson to take away from all of this is that trusting proprietary health software vendors or services with critical health data is a bad idea. But sadly, that will not likely be a lesson learned here.

Losers: PHR vendors

Second, there are the implications for PHR vendors. It does not look good for you. Google is in a unique position as a company. It is capable of making money giving away very valuable services, because it makes more money on advertising when someone merely uses the site. The business plan on Google Health was, essentially:

“Let’s spend a few 10’s of millions on this, and then make it back because a few million people will click on ads, after leaving Google Health to do a web search of some kind.”

Your average PHR company cannot make that kind of play. Most companies do not have a way to translate mass visitors into dollars. That is what makes the Gmail service work for Google. Enough people click on ads through the service to pay for the entire thing for everyone. Google specifically admitted this problem in the post above with:

But we haven’t found a way to translate that limited usage into widespread adoption in the daily health routines of millions of people. That’s why we’ve made the difficult decision to discontinue the Google Health service

So if you are trying to start a PHR business and you cannot afford to give away a product you spent millions developing for years… this spells trouble. Google Health and Microsoft HealthVault together spelled the end of the still languishing dot-com bubble PHR services. I cannot imagine an investor in their right mind who would touch this space with a business model anything like Google Health.

Here is the basic takeaway from Google Health PHR:

People are not willing to use a good stand-alone PHR, even if it is free.

That word “stand-alone” is critical.

Losers: Me

I have been wondering, as I write this, if I should be a winner or a loser on this one. I get to say “I told you so” to everyone I warned not to invest in a proprietary platform… which is fun. But I also now have to almost entirely re-write a chapter in my new book.

I (along with intrepid David Uhlman) am writing the first book on Health IT for O’Reilly Media, called “Getting to Meaningful Use and Beyond”. I wrote the chapter on patient-facing software, and I featured Google Health extensively. After all, it was relevant, last week. I felt reassured after I asked Roni Zeiger a month or two ago if Google Health would survive. After all, I had heard rumors. He told me not to listen to gossip and I left feeling like my chapter would be published intact.

So much for meeting my deadline.

Winners: Direct Project

As Google Health dies it is giving a ringing endorsement to the Direct Project (of which I am a contributor). Hopefully this will raise some awareness regarding Direct as the foundation for the first generation of the Health Internet.

Winners: Microsoft HealthVault

Most of the industry pundits, like myself, have recognized for years that the “build the platform” business model that worked for Facebook and iTunes was not going to work for Personal Health Records. Why? No “killer app”. iTunes+iPod was the killer app for the iPhone platform; for Xbox it was the original Halo. For Facebook it was your ‘wall’, or perhaps (shudder) FarmVille.

The killer app for a PHR is dead simple: Healthcare. The two most widely used and successful PHR deployments in the country are the Kaiser Permanente and the VA’s My HealtheVet. Why? You can get a message to your doctor through them, and receive replies back. They are a component of your actual healthcare. You do not have to type data into them, it’s just there. If you want to schedule an appointment or view your lab results you can do that. If you want to renew a prescription, the PHR can help. In short, the PHR is a workhorse in your actual healthcare process.

The Microsoft HealthVault team gets this. That is why they have been working on the Direct Project for months. They know that the Direct Project is the only way that they can have their PHR connect to -all- doctors the same way that Kaiser and the VA connect to their doctors.

Moreover, HealthVault has the only working mass-scale Direct beta in deployment: It is very likely that the only place you will be able to transfer Google Health records will be directly into HealthVault, for the foreseeable future.

HealthVault just became the 800-pound gorilla in the space.

My only question is why didn’t the Google leadership see the strategic significance of the Direct Project? They were obviously aware of it technically, and they usually do a good job translating technical understanding into strategic understanding.

Seems pretty simple to me. PHR usage is high -only- in systems where you can communicate with your healthcare provider in various ways. Google was disappointed by how few people were using their PHR. Direct is the only chance in hell that you have to reach every healthcare provider in the United States in the next five years. When you put it like that, Microsoft’s strategy seems pretty obvious… why didn’t the Google leadership catch on? Probably the Direct opportunity was too little too late for the internal political process at Google.

Winners: Indivo X

Indivo X has almost all of the same benefits as HealthVault (they are a little behind on the Direct implementation and beta deployment), but if you actually want to avoid a repeat of the Google Health fiasco, this is the way to go. If you import your Google Health record into an Indivo X instance, you are not locked-in again.

Indivo X is Open Source; you can run your own instance if you want.

From now on, people will regard Indivo X as the safe option for PHR deployment, and rightly so, it is the only safe option. Until I can convince Sean and the rest of the HealthVault team to go full kimono, Indivo X is by far the most mature Open Source option available.

Why I do not think Google Health will, or should go Open Source

If Google drops code for Google Health, that’s cool and I would take a look… but I am not going to hold my breath.

It’s pretty simple: Indivo was Open Source and available before Google Health launched. Some people believe that Google Health, like Dossia, is actually a long-ago fork of Indivo.

Indivo has moved on to bigger and better things. Indivo X, the current version of Indivo, already has substantial functionality that Google Health is missing. It is already a mature codebase, with a community, and is generally operating openly as an Open Source project should. The Indivo project is not perfect, but they have steam.

Steam, motion, community, these are the things that make the Open Source garden grow.

Google Health would not actually help the Open Source community that much. We already have a better PHR project, and anything coming out of Google would compete for developers and attention with Indivo X.

Even if they wanted to, I am not sure that Google could usefully Open Source the whole Google Health codebase. Google projects often run on Google’s custom and proprietary database and network services. It is entirely possible that Google Health would be useless without that back end.

What -would- help is for Google Health to release any components that Indivo X is missing. If they have an interesting Blue Button parser (which I happen to know they do) for instance, or some generalizable code for managing CCRs (that CCR-in-a-feed thing was a nice trick for instance…) then those components would be very useful.

Moreover, any components that would help people to parse their own Google Health data would be very welcome.

Probably the most important thing that they can do is license their API under several Open Source licenses. This way, Indivo X and HealthVault would be able to write a bridge that would allow currently existing Google partners to interface with Indivo X, without re-writing code. That would be pretty cool.

Claims data in PHRs

Today the Boston Globe has published an article about Dave deBronkart’s problem with claim data in his Google Health PHR. I think it is awesome that the mainstream press is picking up on the problem of using billing data for clinical work!

A little digging reveals that there is a much better post over at e-patients.net that details exactly what his experience is.

I have been aware of this problem for some time. For me it all started when CVS Minuteclinic imported a ‘condition’ of ‘Blood Pressure Screening’ as an ‘Active’ condition onto my record.

Why did they do this? Because their system must have an ICD code for the purposes of billing for my procedure, even though I paid in cash.

One of the best things about being both deeply involved in FOSS Health IT and a blogger is that when something hits the mainstream press, I get to prove that ‘I told you so’ with reference to posts that are months or even years old. Heck, I bet that ‘I told you so’ feelings are a full 25% of my motivation to blog! That puts it way ahead of ‘joy of shameless self promotion’ and ‘muuust raaannt’ as motivation components!

The problem here is that the current diagnosis ontology system in the United States is based on billing data. With the migration to ICD 10, this problem will only get worse. Most doctors do not really understand how to use ICD 9, and ICD 10 is muuuch bigger.

I got wind of this article from the Modern Healthcare Health IT Strategist.

-FT

Google Flu Trends and Privacy

Google.org, which is the philanthropic arm of Google, has released Google Flu Trends to great fanfare and criticism.

Google Flu tracks searches for flu symptoms on Google’s search service. So if I type “achy headache” into Google, it might count the search as evidence that I, or someone I was caring for, had the flu. Enough people use Google for search that Google can use searches like this to track the spread of the virus across the country. The science of tracking diseases is called epidemiology.

Currently epidemiologists use anonymized data from several sources to track the outbreak of disease. They can get data from pharmacy purchases, or from Emergency Room visits. They merge this data against other information like weather patterns. Using these data sources the Centers for Disease Control and Prevention (CDC) can get a pretty good picture of what is happening in the US regarding the outbreak of disease. It should be noted that these “traditional methods” allow the CDC to watch out for far more than just influenza. They use the system to ensure that any number of potentially catastrophic diseases do not silently spread across the planet. What is interesting about Google Flu is that it is more effective than the methods mentioned above at predicting flu outbreaks by two weeks.

While I think that Google Flu Trends is fascinating, I am more interested in the privacy implications. I use Gmail. I use Google Maps extensively (I make maps labelled with the cool things in my neighbourhood). Google has a photo of the front of my house on Street View. I have used Google Checkout to make purchases so Google knows my credit card information (or did). It is pretty obvious that Google is sensitive enough to make an educated guess that I might have influenza based on a search that I make. It is probably capable of making a guess that I have HIV, or Cancer, or Diabetes. All of this is independent of me using their Google Health application to track even more detailed information about allergies, procedures and drugs. “Google knows” is a bloody good assumption without evidence to the contrary.

Sounds pretty scary doesn’t it? The only reason I am even the least bit comfortable with this is the Google Corporate Motto: Don’t Be Evil.

Google takes this pretty seriously; you can tell because they lose money not offering Gmail in China, where they cannot guarantee privacy of communications. They also told the Justice Department to shove off, when they asked for search histories. Both of these efforts cost them money so that they could live up to their motto.

That does not mean that I trust Google, it means that I do not trust them less.

I have been an on/off critic of Dr. Peel and her Patient Privacy Rights group for quite some time. But I must applaud her recent efforts to advocate for patient privacy rights regarding Google Flu Trends. 

In a move consistent with their model, Google responded to the Google Flu Trends concerns. Google specifically claims that their search data retention policy applies to the flu related data as well. That is very good news for people like me, who tend to obsess about the details of security and privacy of health information.

-FT

The coming problem with the ASP-lock

Here is an interesting post about a person who was locked out of their Google account.

Apparently, this person lost access to:

  • Google Docs
  • Gmail
  • Family photos in Picasa

If you read the updated post, you will find that he has already gotten back in.

But this person knew to write a blog post. And knew how to get it covered by the most popular blog on the planet.

What if this person had a PHR using Google Health?

I am not trying to spread FUD here. Google Health and HealthVault are good ideas and I generally support them. But these kinds of issues are going to become more and more important as time goes on. Both Google and Microsoft have relatively fair ways of dealing with these kinds of issues, but “relatively fair” means there will be ways to fall between the cracks. Once PHR usage begins to go up, these kinds of issues will become extremely important.

(Update 09/29/09: I am not the first person to point out that ASP EHR systems are a threat to the freedom of healthcare providers. This short post is just to say that it impacts patients too.)

-FT

In all Fairness

It’s time to set the record straight on what are valid criticisms of HealthVault and Google Health and what are not. If you have ever read my posts, then you can be sure that when an organization needs criticizing I am the first to give it to them with both barrels. But here both Google and Microsoft need defending.

  • Neither Google Health nor HealthVault are HIPAA covered.
  • This is a very good thing

But to understand why, I must beg the reader for patience.

My mother died of ovarian cancer. My Grandmother had a bout of cancer, but survived. Now she is battling Alzheimer’s and it will probably kill her. I have talked about this before as the fundamental basis for the Seven Generation Test.

Now read the sentences above again… and ask yourself: “what has this writer just revealed?” Extremely sensitive personal medical information about himself. Note that I did not say “information about my mother or grandmother”, though I did reveal information about them too (obviously).

I have two people in my direct line of parentage that have both had cancer. Statistically, that makes me substantially more likely to get cancer. Further, Alzheimer’s also has a genetic component. So I just revealed to you critical information about my personal health, specifically something that would go into the “family history” section of my health record. It is exactly the kind of information that a Health Insurance company would love to be able to use when setting my premium. It is exactly that kind of information that HIPAA was designed to keep my healthcare providers from telling insurance companies without my knowledge.

Just because HIPAA protects me from my doctors making this type of disclosure does not, and should not, mean that I should not be able to make that disclosure myself. There are many reasons why I might want to make this disclosure: I might want to make a point on my blog. I might want to explicitly tell my insurance company about this, in writing, so that they could adjust my insurance premiums accordingly. This way I would be well-armed in the event that they should try and deny me coverage for cancer treatment.

Let’s consider the current paradigm of personal health information management. To facilitate this, let’s imagine that I was allergic to anticonvulsants (which is common). I have been to about fifteen or twenty doctors, each of whom has extensive records regarding my healthcare. I had knee surgery, and somewhere I have an arthroscopic video of the inside of my knee during the surgery (in VHS format). I have pages and pages of immunization and dental records from my in-processing during bootcamp for the USMC. I did not have a seizure in bootcamp, and if I had they would have sent me packing. But let’s imagine that I did, and that the Navy docs discovered that I was allergic to anticonvulsants. They would have promptly added it to my record.

I have all of my Marine Corps records in my file cabinet. But, these are just the records that I have in the house. I probably have about 1/10th of the medical information that is available, somewhere, regarding my healthcare.

Let’s imagine that I had some kind of life event that would require me to gather those records together. To do that, I would need to call every doctor I have ever visited, and request a copy of my records. Healthcare providers are mandated by HIPAA to give me this information, and many of them, as a professional courtesy, would waive the costs of transferring my record to me. All of the providers I might contact would prefer to fax me my records. Faxing is simple, easy and well-understood by the medical practices. Faxing over phone lines is the de facto “health exchange network” in the United States. (Unless you are lucky enough to be a Veteran, and have a record in VA VistA.)

If my Marine Corps comrades understood the implications of this, they would say “that sucks salty balls”. Or something even more uncouth, but just as disturbing. Why does that suck? Because the resulting documents are largely valueless.

After making all of the requests and getting all of the faxes, I would have a briefcase full of documents of my healthcare. 95% of it would be redundant, showing my slowly rising cholesterol and blood pressure scores. The 5% that was really critical, like my imaginary allergy, would be buried so deep in my briefcase of papers that it would never be seen.

Given current primary care reimbursements, my doctor is incented to do everything in his power to spend under 10 minutes talking to me. If he actually had to read through my briefcase of papers, then he would spend an hour doing nothing but shuffling papers. It is a much better use of his time just to ask “are you allergic to anything?”. I would of course say “not that I know of” in response. (Marine Corps boot camp is largely spent fluctuating between extreme emotions of hate, anguish and triumph. While you are guaranteed to learn some things, obscure allergies are not one of them. For all I know, I really am allergic to anticonvulsants.)

I will not belabor my point. If I am lucky I will not convulse. If I do, they would give me an injection which will probably kill me. Why would I be dead? It is not because I had an allergy, that is only the proximate cause, the ultimate cause was very different.

The ultimate cause would have been: our ability to generate medical information has vastly outpaced our methods for handling that information.

That sentence should explain why we need storehouses of health data that we can use to effectively deal with our own health information. HIPAA is designed to cover healthcare providers and those who come into contact with patient data, serving the business needs of those healthcare providers. Assuming that the same kinds of rules are a good idea for “data about me that my providers hold” as for “data that I hold” is silly once you see that they are very different circumstances.

Now let’s imagine a world in which my various doctors’ medical records professionals all understood how to connect with HealthVault and Google Health. When I called them for my records, they would enter my email address instead of my fax number and press “send”. On their side, Google, Microsoft or Dossia (based on open source) would sift that information and allow me to transfer the resulting summary to anyone I wanted to, including my family, my friends, and my future healthcare providers. I could also forward the information to my insurance company, if I felt like that was a good idea. All three systems would recognize the significance of an allergy and would prominently display the information.

HIPAA covers healthcare providers. Healthcare providers are the only people who know your health information, without you giving them permission to know it. Here are some of the things that HIPAA prevents your healthcare provider from doing:

  • They cannot tell your aunt Sue about your health conditions
  • They cannot tell cousin Joe, Rick, or uncle Eddie about your health conditions.
  • They cannot tell your insurance company about your health conditions.
  • They cannot post your name and information to their blog
  • They cannot tell the press about your health conditions, even if you are famous.

Here is what HIPAA does not cover.

  • If you tell aunt Sue about your health conditions she can tell uncle Eddie.
  • If you tell your health information to cousin Joe, he can tell cousin Rick.
  • You can post any medical information to your blog that you want.
  • If you post to your blog, that does not mean that WordPress needs to be HIPAA compliant.
  • You can tell your insurance company whatever you want.
  • You can do an interview about how rehab went for you.

Google and Microsoft are not healthcare providers. To have accurate data in those PHR systems your healthcare providers, at your request, must send them your data. Then Google and Microsoft help you to sort out the information. Compared to the way it works today, both systems are an improvement. Both of them help you organize your health information and both of them will help you to transmit that information where it needs to go.

Are they useful? Not really, and they will not be until your medical practices understand them as well as they do the fax machine. Will they be useful when that happens? Yes and very.

HIPAA stands for Health Insurance Portability and Accountability Act. It is not an accident that HIPAA does not include Google or Microsoft. The whole point was to make healthcare providers accountable for certain issues, while generally encouraging data to move around. Sadly, paranoia about HIPAA has caused data moving to grind to an almost standstill. Everyone is paranoid about it and so data transfer does not happen. Or worse, as Dr. Peel suggests, they transfer the data anyway, but in secret.

Under HIPAA the patient has a right to force data transfer to themselves. Currently providers do this with faxes, which ends up creating a massive problem. If they used Google Health, HealthVault or Dossia instead, the patient would actually be able to exercise those records!!

Saying that Google “should be covered” by HIPAA means that somehow, the person on the other end of the fax machine should be covered by HIPAA too! That means that if you faxed your records to aunt Sally, and then she showed them to uncle Bob, she could go to jail for a HIPAA violation? Or if you actually faxed them to yourself and then accidentally left them on the table at your local burger joint that the burger boy who cleans the tables needs to be sure to not just throw your records away, and instead have a policy for maintaining those records? Perhaps you had them faxed to Kinkos; should they have to maintain a separate safe for holding your faxes?

People who are shocked that Google and Microsoft are not covered by HIPAA never actually understood the point of the law at all. Instead they generalized HIPAA into a kind of “patient right to privacy” umbrella that is just not there. You do have the right to privacy for those with whom you must share your secrets: your healthcare providers. You do not have a right to privacy that covers your own stupidity, your gossiping family or your tendency to leave papers in the grocery store.

Both Google Health and HealthVault are designed to make the process of dissemination of your health information to people you want them to be disseminated to easier. Are they doing that in a secure, privacy respecting way? Excellent question; fodder for further posts. Should they be covered by the same laws that cover your healthcare providers? No. The law does not work that well for your healthcare providers anyway.

The whole point of a PHR is to allow a patient to control who gets to see their data. HIPAA works at “limiting” who can see your data. Because of HIPAA, medical providers typically never share your data without written consent for every data sharing instance. Think about that. Suppose I have a chronic condition and I want everyone in my family to get regular updates on my lab results. Do I need to sign a document, for each family member and for each test? It does not take much time for me to get sick of the process. Also, my doctor might get sick of it too. He has the right to charge me a nominal fee for access to my record, and after a while he would probably feel he had to use that right. On the other hand, if there were an automated way to share the same information…

A PHR is all about balancing the ability to share and the ability to limit access. If a PHR were HIPAA covered, then it would lean strongly towards limiting and sharing would be impaired.

Everyone who talks about Google Health and HealthVault needs to stop harping on the HIPAA issue. HIPAA was not meant to cover the services that Google and Microsoft are offering. Here are some examples:

Quoting from Nathan McFeters at ZDnet:

Hawhhhaaaaattttt??? So Google doesn’t have to respect HIPPA laws?!

That’s HIPAA with two AAs man… Google respects HIPAA just fine. Google is probably relieved to find that the law makes some sense here, as opposed to the typical knee jerk legislation.

It feels like, and this is just a gut reaction here, law should have a strong and violent reaction to Google skirting around HIPPA concerns.

Again. There is no skirting. Google is not “slipping” out of responsibility. It is not covered, and that is a good thing.

The article linked to above also details that Google does not typically follow standard procedures for publicly disclosing flaws. That is a big problem and one that deserves attention, but it is not a HIPAA problem.

Quoting from Robert “RSnake” Hansen:

I think it’s a shame Google found a legal get out of jail free card to absolve themselves from securing consumer medical records in the same way everyone else who handles this kind of data does.

Here we have two problems. First, the assumption that Google should be covered by HIPAA, which I hope I have shown is not true. Second, the assumption that Google would invest more in technical security if they had HIPAA liability. Perhaps Google is not doing enough for security, but it’s not like security programmers code better when lawyers stand over them. They might code “differently”, but not “better”.

If there is a structural flaw in Google or Microsoft’s architecture, that is something that they should both fix and take public responsibility for but that does not mean that they should be covered by HIPAA.

Frankly these two bloggers, who have been featured on Slashdot, are only the start of the problem. I had the privilege of covering HIMSS as a blogger, and as a result I got to ask one question to Google CEO Dr. Eric Schmidt, upon his announcement of Google Health, as did every other reporter in the room.

Three different reporters asked “Is Google covered by HIPAA?”. Each one got the same answer: “No we are not”. All three of them asked these questions in such a way that it was obvious that they had read too many “tough reporter” novels. A little hint: perhaps the first time a really good question is asked it might trip up the executive at the massive Fortune 500 company. But the second and third times the question is asked in a press conference is a waste of time for everyone.

This kind of useless heckling is not just a problem for Google. I just came from TEPR where a Microsoft guy was talking on HealthVault. It was the same “HealthVault is a platform” story that you can read about in the brochure, but at the end, there was time for only one question. Guess what it was? “Is HealthVault covered by HIPAA?”

I really really wish we could stop talking about this issue and talk about real problems. Real issues include:

  • Google does not typically disclose vulnerabilities.
  • Microsoft still has terms that indicate that it can host your HealthVault data in China.
  • How are we going to make connecting to HealthVault or Google Health simple enough for small medical office personnel to handle? Do you know how many “HIPAA violations” we have every year because people do not understand how to dial 9 before getting an outside line when faxing?

Critics also have silly notions about how people who are covered under HIPAA are behaving. Most of the healthcare in the United States is delivered by practices with under 5 physicians. I cannot tell you how many practices I have seen that have a locked closet for paper records but have the EHR server sitting under the receptionist's desk. If you want to illegally access my medical records, which do you honestly think is easier:

A: walk into my doctor's office at three in the afternoon with a shirt with “IBM” written on it and just grab the server and walk out.

or

B: hacking Google or HealthVault, who both have extensive Firewalls and Intrusion Detection systems, along with well-educated network security personnel on duty 24-7.

If you really felt that hacking was the way to go, then you would have a much easier time hacking through the average clinic's firewall than Microsoft’s or Google’s. Most of the doctors I know do not even know what a firewall is, much less the steps to lock one down. (That is not a criticism; I have no idea how to remove an appendix.)

I am not making the case that Google Health or HealthVault are secure. I am not saying that they are respecting privacy. Those are discussions that we need to have.

But HIPAA is not the answer.

-FT

Google Health vs. HealthVault round 1

Everyone is talking about Google's new PHR offering vs. Microsoft HealthVault. Mostly the talk is drivel. I was able to get a seat at the Press Interview with Google CEO Eric Schmidt at HIMSS and, I kid you not, two reporters asked “Is the data in Google Health covered by HIPAA?” within five minutes of each other. Frankly, not-covered-by-HIPAA is an industry standard for PHRs, and the fact that the question was asked at all is an indication that the press covering this largely have no idea what is going on. (I will talk more about HIPAA and PHRs in a future post.)

Rather than finding drama in all of the wrong places, I wanted to highlight a couple of differences that really are worth paying attention to. I have had the privilege of speaking with the programming leads for both projects extensively, and it is not yet time to give a close blow-by-blow of where these two systems are in comparison to each other. (That will happen after Google Health goes live.) I hope that what little technical meat I was able to dig up will be interesting to you.

Privacy Policies:

Google has not published its privacy policy. However, it has historically given great weight to privacy concerns. Most notably, take the Google Toolbar privacy notice. It begins “Please read this carefully, it’s not the usual Yada Yada”. It does a fair job of warning a user about the considerable privacy issues surrounding a tool placed directly within a browser. In fact, the sites you browse on the internet are probably as great a privacy concern as any health information you have. If you have any serious health conditions, you have probably already searched for them and visited sites with content relevant to that condition. If you use toolbars, the information about where you visited was potentially transmitted back to the author of that toolbar. Google is upfront about this, and gives you an opt-out. This is much better than your average toolbar.

Microsoft’s Privacy Policy is awful. It has language that includes things like: “you give us permission to host your data off-shore”, and “we can change this policy anytime we like”. The current HealthVault privacy policy does nothing to protect a patient's privacy from future policy changes within Microsoft. Based on the current language, the privacy policy might as well not exist. I discussed this with the HealthVault team and their response was “boiler-plate language”.

Frankly, the fact that ANY boiler-plate language was included in a privacy policy is a good indication that the thinking at Microsoft Legal is totally backwards. It is currently thinking “What will the market let us get away with” rather than “Hey this is a new moral sphere, if we do the right thing here, maybe the Government(s) will not make our lives completely miserable by over-regulating this industry.”

Privacy Policy Verdict:

Google wins. Without even releasing a Privacy Policy. On a scale of 1-10, HealthVault scores a -2, which in English translates to “hell-no”. That makes Google’s lack of score actually come out ahead.

API Design:

Google Health uses a CCR record wrapped in some of its standard web-service APIs. It would be better if they could have adopted CCD. But they said it was not ready when they started, which is a fair response. Still CCR is already a popular standard and a smart move for Google.

HealthVault has released its own XML specification. While they have promised to promise not to sue the pants off people like me who decide to use those specifications, creating a “new standard” in the healthcare space is a regrettable step backwards.

API Design Verdict:

Google wins for respecting current standards.

Security Architecture:

Google is using their AuthSub system to allow users to provide token-based access to other people (care-givers etc.) for temporary and limited access.

HealthVault is using a “root” user notion that is transitive. That means that if I trust Bob enough to make him a “root” user on my PHR record, then he can do anything with my record. Including passing the root privilege to Jenny, who can pass it to Sam, who can pass it to Ruth, who can then do anything with my PHR account. See the problem? While the HealthVault system does allow for finer-grained control, there is no concept of passing along “complete control” without also passing along the ability to create other “root” users.

(Updated 03-04-08: Sean Nolan from Microsoft has posted a rebuttal to the previous sentence. While the rebuttal does not address my criticisms of a “transitive root” privilege system, it does argue that this design can be considered a feature rather than a flaw.)
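The difference between the two delegation designs, as an added toy model that is not part of the original post and is not Google's or Microsoft's code. The class names, the `patient` principal, the scopes, and the rule that only the record owner may issue tokens are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

@dataclass
class TransitiveRootRecord:
    """Toy model: any "root" holder may create further root holders."""
    owner: str
    grants: list = field(default_factory=list)  # (grantor, grantee) pairs

    def roots(self):
        return {self.owner} | {grantee for _, grantee in self.grants}

    def grant_root(self, grantor, grantee):
        if grantor not in self.roots():
            raise PermissionError(f"{grantor} is not a root user")
        self.grants.append((grantor, grantee))

    def roots_owner_never_chose(self):
        """Full-control holders the owner did not grant to personally."""
        chosen = {g for who, g in self.grants if who == self.owner}
        return self.roots() - chosen - {self.owner}

@dataclass
class ScopedTokenRecord:
    """Toy model: only the owner issues tokens; each has scopes and an expiry."""
    owner: str
    tokens: dict = field(default_factory=dict)  # holder -> (scopes, expiry)

    def issue(self, grantor, holder, scopes, ttl, now=None):
        if grantor != self.owner:  # assumption: tokens cannot be re-delegated
            raise PermissionError("only the record owner may issue tokens")
        now = time.time() if now is None else now
        self.tokens[holder] = (frozenset(scopes), now + ttl)

    def allowed(self, holder, scope, now=None):
        now = time.time() if now is None else now
        scopes, expiry = self.tokens.get(holder, (frozenset(), 0.0))
        return scope in scopes and now < expiry

def demo():
    """Replay the Bob -> Jenny -> Sam -> Ruth chain from the post (constructed data)."""
    rooted = TransitiveRootRecord("patient")
    for grantor, grantee in [("patient", "bob"), ("bob", "jenny"),
                             ("jenny", "sam"), ("sam", "ruth")]:
        rooted.grant_root(grantor, grantee)
    scoped = ScopedTokenRecord("patient")
    scoped.issue("patient", "bob", {"read"}, ttl=3600, now=0)
    try:
        scoped.issue("bob", "jenny", {"read"}, ttl=3600, now=0)
        redelegated = True
    except PermissionError:
        redelegated = False
    return (sorted(rooted.roots_owner_never_chose()), redelegated,
            scoped.allowed("bob", "read", now=1800),
            scoped.allowed("bob", "read", now=7200))
```

In the transitive model the owner ends up with three full-control holders they never chose; in the token model Bob's attempt to pass access on fails and his own access lapses at expiry.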

Security Architecture Verdict:

Obviously Google has time to screw this up before coming out of beta, but it looks like its access control system has been better thought out.

Time to Market Verdict:

Obviously, Microsoft wins here. HealthVault has been out for months. However, if they do not get their act together they will not have any remaining first-mover advantage. Google is obviously making very sharp moves, in fact, maybe their best move was not coming to market before they were ready.

Now that Microsoft has made some FOSS friendly sounds, I will take a closer look at their software. When Google Health is finally released, I will do a complete comparison.

-FT