As chief medical information officer at University Hospitals in northern Ohio, Holly Miller, MD, is playing a leading role in ushering in a new era of electronic health records for patients. And she is impressed by the potential that giant vendors like Google and Microsoft have in offering to draw together all of a patient’s scattered personal health records (PHRs) into one online site, regardless of who is treating them or covering their care.
“It is fabulous to have this fluidity of data,” says Miller. An individual treated by one physician doesn’t have to cart around records to see another doctor. Those records would be more easily accessible and providers could do a better job of treating patients. “It’s a huge enhancement on patient safety and the care we could provide. This is a tremendous advancement.”
There is just one, big problem.
While her hospital not only has to comply with the Health Insurance Portability and Accountability Act (HIPAA) on maintaining the privacy and security of the data, there is also a heavy demand by accreditation groups for regular data audits to make sure that the university is complying with privacy standards. None of those standards, though, applies to Microsoft or Google. And even though patients’ medical records can routinely contain some compromising personal information, says Miller, they may not realize just how much is at stake when they routinely agree to sign off on third-party Web sites’ terms and conditions that they are unlikely to even read.
Providers and insurers alike are paying considerable attention to that issue, especially after Kaiser Permanente triggered a pilot project that could eventually lead millions of its members to aggregate their health records in Microsoft’s HealthVault. And the Google Health platform is promising strong competition.
“We would have to choose whether we use one of the platforms,” says Dr. Miller, who is about a year away from rolling out electronic patient records. “I hope by then there is some regulation of the third-party vendors.”
The House Committee on Energy and Commerce’s subcommittee on health has already taken a first step in that direction, outlining a set of new privacy rules in late May and beginning to gather feedback. Coming shortly after Congress approved new rules governing the privacy and use of genetic information, the committee’s action appears to signal intent on extending the law’s reach not only to third-party vendors like Google and Microsoft, but also to regional health information organizations that were set up to foster the adoption of electronic records.
A rough outline of what the committee has in mind is raising concerns among insurers and providers that they still may face a future where different rules apply to different players taking the field of health records.
An even playing field?
Kaiser Permanente has long had a reputation as one of the technology innovators in the health insurance field. As an integrated network with its own enormous provider group, Kaiser has an inside track ramping up electronic health records that connect patients, doctors, and hospitals. And 25 percent of its 8.7 million members actually have their own online personal health records.
This new move by the country’s largest HMO, though, allows individuals to combine the clinical data now stored in their My Health Manager programs with more health and wellness information.
A doctor may only be interested in a patient’s medical care, says Jan Oldenburg, Kaiser Permanente’s “practice leader in the Internet services health portfolio,” but there’s much more information members may want to track on diet, exercise, blood pressure, and more that can help improve their health. And with a third-party vendor like HealthVault, members can also be assured of maintaining control of that record even if they switch insurers.
Microsoft is an experienced player when it comes to online privacy and security, she adds. Kaiser members have a trusted relationship with the company, and Microsoft has “formulated a series of policies on privacy and security, engaging consumer privacy groups in validating and participating” in the process.
“We are talking about a couple of companies [Microsoft and Google] that have really put some effort into doing the right thing,” agrees Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology. Both have worked long and hard at getting privacy and security right.
That said, she adds, “There is room for oversight. This is very sensitive health care information that is going to be more available on the Web than was ever the case before.”
And it’s not just about Google and Microsoft, says McGraw. A host of companies will offer ways for consumers to better manage their health care — and not all of them are going to have the same standards as the giants.
Oldenburg, though, is also quick to acknowledge that Kaiser Permanente and its members are in virgin online territory here. It is difficult to know what lies ahead.
“I don’t think any of us know what direction this will go,” says Oldenburg.
Members of the House subcommittee on health may not wait to find out.
Just weeks ago, the members began circulating a memo on draft regulations that would subject the PHRs to a breach-notification law requiring them to alert people to an unauthorized access and giving the Federal Trade Commission the authority to enforce it. And it calls on the secretary of health and human services to “submit recommendations to Congress on the security, privacy, and breach-notification standards that should apply” to PHRs such as Microsoft and Google.
The House subcommittee is doing the right thing by not just focusing on a new law, but directing the federal agencies to devise new regulations as well, McGraw says. New regulations may not come quickly, she says, but they are likely to be adopted faster than new legislation.
At least one IT expert on the managed care side is concerned that lawmakers won’t be entirely fair in crafting new legislation.
In prepared congressional testimony, James Ferguson, executive director of health IT strategy at the Kaiser Foundation Health Plan, agreed that consumers should be notified in the event of a breach and emphasized that all the players in this field —whether operating under HIPAA or not — should be held to the same privacy and security rules.
“The draft bill exempts PHR vendors from notification requirements if the data in question have been encrypted,” Ferguson told lawmakers. “However, it does not provide the same exemption for [HIPAA] covered entities and business associates. We are concerned about the unequal application of the notice provision and believe all entities should be held to the same rules.”
Adoption will be slow
This is one issue that insurers can’t ignore.
“The advantage to insurers is mainly around consumer engagement,” says Carlton Doty, a senior analyst who has studied the trend for Forrester Research. “When you look at national insurers, many have been promoting payer-based health records. Aetna has one. United has one. But what Google and Microsoft provide is true portability. The consumer controls the data and the access to it, and the industry is moving to portability and interoperability with the provider network.”
And with groups like Kaiser hooking up with Microsoft, he adds, “We’ll see some other insurers jump onto this as well.”
Just don’t look for this particular trend to grab the public’s attention anytime soon, says Doty. “It is likely to be at least five years before we see widespread adoption.”
Doty signed up for a Google Health account and found it “completely useless” because “It didn’t connect to my insurer. It didn’t connect to my doctor. There are a lot of barriers, but the main one is that consumers just don’t perceive the value of these things right now.”
Privacy advocates say that anyone who does appreciate the value is still likely to be put off by the prospect of opening his health records to prying eyes.
“My sense is that privacy and security are huge issues for individual patients, so there is a big, big legitimacy barrier,” says Lee Tien, senior staff lawyer at the Electronic Frontier Foundation.
A breach notification requirement is a good first step toward ensuring privacy and security, says Tien. And good encryption technology certainly can go part of the distance to reassuring a wary public. But when providers are routinely being exposed for improperly accessing even HIPAA-related data, there is a deep level of skepticism that laws and regulations will do everything that they are intended to do.
“You just can’t tell whether something is working properly,” says Tien. “We are promised lots of things, but if they leave doors open, how would you know?”
There is another big issue that also has to be sorted out, Doty says. Google, like Microsoft, is offering this for free, but its big money-maker is advertising. There is concern that the online giant may start matching health care advertisers with patients based on their online profile.
“This is a new sort of potential revenue stream,” he adds, with pharmaceutical companies, device makers and others eager to get their products in front of people who are most likely to be interested. If you are making a new diabetes drug, for example, identifying diabetics based on their health record would be an advertiser’s dream come true.
“I would expect we would see some more aggressive movement to regulation,” says Doty. “It’s inevitable.”
Patients may not realize what is at stake when they let Google or Microsoft collect and hold their personal information, says Holly Miller, MD.
Portability is a strong argument for using a company like Microsoft, says Jan Oldenburg of Kaiser Permanente.
Large PHR providers have done a good job, but still need oversight, says Deven McGraw, a privacy expert.
Regulation is inevitable, says Carlton Doty, a Forrester Research analyst.