When the laws don’t keep up: What you should know before using Microsoft HealthVault and Google Health

For a long time, getting access to a common view of all of a patient’s medical records has been a shortcoming of the healthcare system. This is a curious situation, since patient records have been digitized in several leading hospitals like the Mayo Clinic and the Cleveland Clinic for some years now. The technical mechanisms for transferring this data from one care provider to the next are also readily available. What is promoting (some say preventing) the exchange of medical information is a law known as the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA standards are meant to improve the efficiency and effectiveness of the health care system by encouraging the widespread use of electronic data interchange in the US health care system. The law defines the security and privacy standards for Protected Health Information (PHI). PHI is basically any information about health status, provision of health care, or payment for health care that can be linked to an individual, and it is generally interpreted as pretty much anything medical-related, including name, medical record numbers, biometric data and payment information. Now all of this is great, but what really happens is that the entity holding your medical information will not share it with other entities unless it absolutely has to. This is because the liability to the originating entity from misuse of this data is high.

Now that we have the background established, let’s get to the point. Recently Microsoft’s HealthVault and Google Health offerings have been released with a promise of making this data exchange easier and allowing the individual all the benefits derived from a complete view of their medical histories. Such services are generally known as health record aggregators.

Both market forces and the need for electronic data interchange for health records drive companies like Microsoft and Google to create these services. Users will be able to create health profiles, track prescriptions, track expenses and allow healthcare providers access to their records. It is my opinion that this innovation is a necessary step in healthcare reform.

However, one very significant downside exists. The information uploaded to these health record aggregators is not currently covered under HIPAA. What this means is that any attack, breach of confidentiality or even potential harm from wrong data is not covered by the law. You are left to the best effort of the service provider. This increases the risk of disclosure of your private medical information. The law, today, is out of step with what technology can provide.

Some practical considerations also heighten this situation. Here are some guidelines that you may want to follow:

  • Create a new Microsoft Live ID or Google account for your health information
  • Do not use your “normal password” for this account. It needs more security
  • Check with your medical service provider as to what information will be available to an aggregator
  • Steer clear of any provider that shows you targeted ads based upon your medical information
  • Opt out of sharing information with any partner sites
  • Do not sign up for newsletters pertaining to your health info if you wish to keep it a secret
  • Ensure that the provider’s policy states that they delete all your data if you wish to drop out of the service
  • Question whether the healthcare data will be sent to any offshore location (read more about this here)
  • Ensure that the privacy statement states that the medical data will never be aggregated with other databases

So in conclusion, it is clear that there are significant benefits to having your medical data aggregated and available to you. Clearly the technology to do so exists. The laws have not kept up with this change in technology, leaving you with one choice to make… Are you comfortable having your medical records stored with minimal legal protection?


2 Comments on “When the laws don’t keep up: What you should know before using Microsoft HealthVault and Google Health”

  1. K Furtado Says:

    Excellent summary and a great list of security tips provided here!
    This is critical information to get out to people before they post their health care information online. Thank you for providing this.

  2. akshay aggarwal Says:

    Kaiser Permanente just announced that they are tying up with Microsoft to increase the use of electronic health records. http://www.reuters.com/article/domesticNews/idUSN0630718920080609
    “…more than 2 million members have signed up to use Kaiser’s own online health records service, My Health Manager, and the agreement with Microsoft will dramatically expand availability of online health information, services and tools.”
