In all Fairness

Its time to set the record straight on what are valid criticisms of HealthVault and Google Health and what are not. If you have ever read my posts, then you can be sure that when an organization needs criticizing I am the first to give it them with both barrels. But here both Google and Microsoft need defending.

• Neither Google Health nor HealthVault are HIPAA covered.
• This is a very good thing

But to understand why, I must beg the reader for patience.

My mother died of ovarian cancer. My Grandmother had a bout of cancer, but survived. Now she is battling Alzhiemers and it will probably kill her. I have talked about this before as the fundamental basis for the Seven Generation Test.

Now read the sentences above again… and ask yourself: “what has this writer just revealed?” Extremely sensitive personal medical information about himself. Note that I did not say “information about my mother or grandmother”, though I did reveal information about them too (obviously).

I have two people in my direct line of parentage that have both had cancer. Statistically, that makes me substantially more likely to get cancer. Further, alzheimers also has a genetic component. So I just revealed to you critical information about my personal health, specifically something that would go into the “family history” section of my health record. It is exactly the kind of information that a Health Insurance company would love to be able to use when setting my premium. It is exactly that kind of information that HIPAA was designed to keep my healthcare providers from telling insurance companies without my knowledge.

Just because HIPAA protects me from my doctors making this type of disclosure does not, and should not, mean that I should not be able to make that disclosure myself. There are many reasons why I might want to make this disclosure: I might want to make a point on my blog. I might want to explicitly tell my insurance company about this, in writing, so that they could adjust my insurance premiums accordingly. This way I would be well-armed in the event that they should try and deny me coverage for cancer treatment.

Lets consider the current paradigm of personal health information management. To facilitate this lets imagine that I was allergic to anticonvulsants (which is common). I have been to about fifteen or twenty doctors, each of whom has extensive records regarding my healthcare. I had knee surgery, and somewhere I have a orthoscopic video of the inside of my knee during the surgery (in VHS format). I have pages and pages of immunization and dental records from my in-processing during bootcamp for the USMC. I did not have a seizure in bootcamp, and if I had they would have sent me packing. But lets imagine that I did, and that the navy docs discovered that I was allergic to anticonvulsants. They would have promptly added it to my record.

I have all of my Marine Corps records in my file cabinet. But, these are just the records that I have in the house. I probably have about 1/10th of the medical information that is available, somewhere, regarding my healthcare.

Lets imagine that I had some kind of life event that would require me to gather those records together. To do that, I would need to call every doctor I have ever visited, and request a copy of my records. Healthcare providers are mandated by HIPAA to give me this information, and many of them, as a professional courtesy, would waive the costs of transferring my record to me. All of the providers I might contact would prefer to fax me my records. Faxing is simple, easy and well-understood by the medical practices. Faxing over phone lines is the de facto “health exchange network”  in the United States. (Unless you are lucky enough to be a Veteran, and have a record in VA VistA)

If my Marine Corps comrades understood the implications of this, they would say “that sucks salty balls”. Or something even more uncouth, but just as disturbing. Why does that suck? Because the resulting documents are largely valueless.

After making all of the requests and getting all of the faxes. I would have a briefcase full of documents of my healthcare. 95% of it would be redundant, showing my slowly rising cholesterol and blood pressure scores. The 5% that was really critical, like my imaginary allergy, would be buried so deep in my briefcase of papers that it would never be seen.

Given current primary care reimbursements, my doctor is incented do everything in his power to spend under 10 minutes talking to me. If he actually had to read through my briefcase of papers, then he would spend an hour doing nothing but shuffling papers. It is a much better use of his time just to ask “are you allergic to anything?”. I would of course say “not that I know of” in response. (Marine Corps boot camp is largely spent fluctuating between extreme emotions of hate, anguish and triumph. While you are guaranteed to learn some things, obscure allergies are not one of them. For all I know, I really am allergic to anticonvulsants)

I will not belabor my point. If I am lucky I will not convulse. If I do, they would give me an injection which will probably kill me. Why would I be dead? It is not because I had an allergy, that is only the proximate cause, the ultimate cause was very different.

The ultimate cause would have been: our ability to generate medical information has vastly outpaced our methods for handling that information.

That sentence should explain why we need storehouses of health data, that we can use to effectively deal with our own health information. HIPAA is designed to cover healthcare providers and those who come into contact with patient data, serving the business needs of those healthcare providers. Assuming that the same kinds of rules are a good idea for “data about me that me providers hold” as for “data that I hold” is silly once you see that they are very different circumstances.

Now lets imagine a world in which my various doctors medical records professionals all understood how to connect with HealthVault and Google Health. When I called them for my records, they would enter my email address instead of my fax number and press “send”. On their side, Google, Microsoft or Dossia (based on open source) would sift that information and allow me to transfer the resulting summary to anyone I wanted to, including my family, my friends, and my future healthcare providers. I could also forward the information to my insurance company, if I felt like that was a good idea. All three system would recognize the significance of an allergy and would prominently display the information.

HIPAA covers healthcare providers. Healthcare providers are the only people who know your health information, without you giving them permission to know it. Here are some of the things that HIPAA prevents your healthcare provider from doing:

• They cannot tell your aunt Sue about your health conditions
• They cannot tell cousin Joe, Rick, or uncle Eddie about your health conditions.
• They cannot tell your insurance company about your health conditions.
• They cannot post your name and information to their blog
• They cannot tell the press about your health conditions, even if you are famous.

Here is what HIPAA does not cover.

• If you tell aunt Sue about your health conditions she can tell uncle Eddie.
• If you tell your health information to cousin Joe, he can tell cousin Rick.
• You can post any medical information to your blog that you want.
• If you post to your blog, that does not mean that wordpress needs to be HIPAA compliant.
• You can tell your insurance company whatever you want.
• You can do an interview about how rehab went for you.

Google and Microsoft are not healthcare providers. To have accurate data in those PHR systems your healthcare providers, at your request, must send them your data. Then Google and Microsoft help you to sort out the information. Compared to the way it works today, both systems are an improvement. Both of them help you organize your health information and both of them will help you to transmit that information where it needs to go.

Are they useful? Not really, and they will not be until your medical practices understand them as well as they do the fax machine. Will they be useful when that happens? Yes and very.

HIPAA stands for Health Insurance Portability and Accountability Act. It is not an accident that HIPAA does not include Google or Microsoft. The whole point was to make healthcare providers accountable for certain issues, while generally encouraging data to move around. Sadly, paranoia about HIPAA has caused data moving to grind to an almost standstill. Everyone is paranoid about it and to data transfer does not happen. Or worse, as Dr. Peel suggests, they transfer the data anyway, but in secret.

Under HIPPA the patient has a right to force data transfer to themselves. Currently providers do this with faxes which is ends up creating a massive problem. If they used Google Health, HealthVault or Dossia instead, the patient would actually be able to exercise those records!!

Saying that Google “should be covered” by HIPAA means that somehow, the person on the other end of the fax machine should be covered by HIPAA too! That means that if you faxed your records to aunt Sally, and then she showed them to uncle Bob, she could go to jail for a HIPAA violation? Or if you actually faxed them to yourself and then accidentally left them on the table at your local burger joint that the burger boy who cleans the tables needs to be sure to not just throw your records away, and instead have a policy for maintaining those records? Perhaps you had them faxed to Kinkos; should they have to maintain a separate safe for holding your faxes?

People who are shocked that Google and Microsoft are not covered by HIPAA, never actually understood the point of the law at all. Instead they generalized HIPAA into a kind of “patient right to privacy” umbrella that is just not there. You do have the right to privacy for those with whom you must share your secrets with; your healthcare providers. You do not have a right to privacy that covers your own stupidity, your gossiping family or your tendency to leave papers in the grocery store.

Both Google Health and HealthVault are designed to make the process of dissemination of your health information to people you want them to be disseminated to easier. Are they doing that in a secure, privacy respecting way? Excellent question; fodder for further posts. Should they be covered by the same laws that cover your healthcare providers? No. The law does not work that well for your healthcare providers anyway.

The whole point of a PHR is to allow a patient to control who gets to see their data. HIPAA works at “limiting” who can see your data. Because of HIPAA medical provider typically never share your data without written consent for every data sharing instance. Think about that. Suppose I have a chronic condition and I want everyone in my family to get regular updates on my lab results. Do I need to sign a document, for each family member and for each test? It does not take much time for me to get sick of the process. Also, my doctor might get sick of it too. He has the right to charge me a nominal fee for access to my record, and after a while he would probably feel he had to use that right. On the other hand, if there were an automated way to share the same information…

A PHR is all about balancing the ability to share and the ability to limit access. If a PHR were HIPAA covered, then it would lean strongly towards limiting and sharing would be impaired.

Everyone who talks about Google Health and HealthVault needs to stop harping on the HIPAA issue. HIPAA was not meant to cover the services that Google and Microsoft are offering. Here are some examples:

Quoting from Nathan McFeters at ZDnet:

Hawhhhaaaaattttt??? So Google doesn’t have to respect HIPPA laws?!

Thats HIPAA with two AAs man… Google respects HIPAA just fine. Google is probably relieved to find that the law makes some sense here, as opposed to the typical knee jerk legislation.

It feels like, and this is just a gut reaction here, law should have a strong and violent reaction to Google skirting around HIPPA concerns.

Again. There is no skirting. Google is not “slipping” out of responsibility. It is not covered, and that is a good thing.

The article linked to above also details that Google does not typically follow standard procedures for publicly disclosing flaws. That is a big problem and one that deserves attention, but it is not a HIPAA problem.

Quoting from Robert “RSnake” Hansen:

I think it’s a shame Google found a legal get out of jail free card to absolve themselves from securing consumer medical records in the same way everyone else who handles this kind of data does.

Here we have two problems. First the assumption that Google should be covered by HIPAA, which I hope I have shown is not true. Second, the assumption that Google would invest more technical security if they had HIPAA liability. Perhaps Google is not doing enough for security, but its not like security programmers code better when lawyers stand over them. They might code “differently”, but not “better”.

If there is a structural flaw in Google or Microsoft’s architecture, that is something that they should both fix and take public responsibility for but that does not mean that they should be covered by HIPAA.

Frankly these two bloggers, who have been featured on slashdot are only the start of the problem. I had the privilege of covering HIMSS as a blogger, and as a result I got to ask one question to Google CEO Dr. Eric Schmidt, upon his announcement of Google Health, as did every other reporter in the room.

Three different reporters asked “Is Google covered by HIPAA?”. Each one got the same answer: “No we are not”. All three of them asked these questions in such a way that it was obvious that they had read to many “tough reporter” novels. A little hint: perhaps the first time a really good question is asked it might trip up the executive at the massive fortune 500 company. But the second and third times the question is asked in a press conference is waste of time for everyone.

This kind of useless heckling is not just a problem for Google. I just came from TEPR where a Microsoft guy was talking on HealthVault. It was the same “HealthVault is a platform” story that you can read about in the brochure, but at the end, there was time for only one question. Guess what it was? “Is HealthVault covered by HIPAA?”

I really really wish we could stop talking about this issue and talk about real problems. Real issues include:

• Google does not typically disclose vulnerabilities.
• Microsoft still has terms that indicate that it can host your HealthVault data in China.
• How are we going to make connecting to HealthVault or Google Health simple enough for small medical office personnel to handle? Do you know how many “HIPAA violations” we have every year because people do not understand how to dial 9 before getting an outside line when faxing?

Critics also have silly notions about how people who are covered under HIPAA are behaving. Most of the healthcare in the United States are delivered by practice with under 5 physicians. I cannot tell you how many practices I have seen that have a locked closet for paper records but have the EHR server sitting under the receptionists desk. If you want to illegally access my medical records which do you honestly think is easier:

A: walk into my doctors office at three in the afternoon with a shirt with “IBM” written on it and just grab the server and walk out.

or

B: hacking Google or HealthVault, who both have extensive Firewalls and Intrusion Detection systems, along with well-educated network security personnel on duty 24-7.

If you really felt that Hacking was the way to go, then you would have a much easier time hacking through the average clinics firewall than Microsoft’s or Google’s. Most of the doctors I know do not even know what a firewall is, much less the steps to lock one down. (that is not a criticism, I have no idea how to remove an appendix.)

I am not making the case that Google Health or HealthVault are secure. I am not saying that they are respecting privacy. Those are discussions that we need to have.

But HIPAA is not the answer.

-FT