Google to Begin Storing Patients' Health Records

mytrip writes with news that Google's health record archive is about to be tested with the assistance of the Cleveland Clinic. Thousands of patients (who must approve the transfer of information) will have access to everything from their medical histories to lab results through what Google considers a "logical extension" of their search engine. We discussed the planning of this system last year. "Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that's also required to use other Google services such as e-mail and personalized search tools. The health venture also will provide more fodder for privacy watchdogs who believe Google already knows too much about the interests and habits of its users as its computers log their search requests and store their e-mail discussions. Prodded by the criticism, Google last year introduced a new system that purges people's search records after 18 months. In a show of its privacy commitment, Google also successfully rebuffed the U.S. Justice Department's demand to examine millions of its users' search requests in a court battle two years ago."

Re:Cleveland Clinic

[tomhudson]

Over my dead body? Ha! Not even then!

Fortunately, this sort of activity is illegal in Canada (PIPEDA [privcom.gc.ca]), so I for one won't ever have to welcome your google overlords.

Re:Not Mine

[DebateG]

Actually, HIPAA does not cover third party databases [computerworld.com].

Re:Not Mine

[QuantumRiff]

Actually, no, they probably won't have to comply with HIPPA. Google for it (yeah, I know).. You are authorizing the transfer of your records to a 3rd party. You have to give permission. If you give your records to a neighbour, they are not bound by HIPPA. Yes it would be stupid of them to allow anyone to see your health history, and will probably break some state laws, but HIPPA, no..

Re:Great...

[AltecZZ]

Google is wayyyy behind Microsoft.

Microsoft's HealthVault came out several months ago, and has more partnerships than Google.

http://www.healthvault.com/ [healthvault.com]

Re:2008

[Anonymous Coward]

google for president!

Been there, got the t-shirt [cafepress.com]

World Privacy Forum

[John Norris]

World Privacy Forum's [worldprivacyforum.org] report "Personal Health Records: Why Many PHRs Threaten Privacy" released yesterday goes into considerable detail as to why PHR's are a privacy nightmare.

They discuss how PHR vendors may not be covered by HIPAA nor patient/provider confidentiality laws (esp subpoenas.)

They particularly note that PHR vendors that also provide email services have a lot of data that can be easily linked together (...and to you.)

I'd really like to see this sort of thing work, but am cautious.

Re:Double-edged sword

[Fjandr]

Someone seeing immunization records is hardly the point. Someone seeing everything can be a lot more of an issue. Employers, insurers, advertisers, etc.

It's called looking at the big picture, not using a trivial example to attempt to trivialize the whole issue.

Re:Double-edged sword

[kylehase]

not motivated by profits and has the resources, like say... the US government

The Singapore government is already planning this for their country. [zdnetasia.com]

Re:Not Mine

[Anonymous Coward]

IAALS - HIPAA does cover health information on third party systems under the "Business Associate" rule (which means, anyone doing business with a HIPAA CE (Covered Entity) must comply with HIPAA guidelines (there must be a contractual provision providing that the business associate will comply with the same HIPAA regulations that the Covered Entity must).

The REAL issue is that HIPAA has no teeth. No one has yet really had a judgment entered against them on a HIPAA privacy violation that I am aware of, and there is serious doubt that such a judgment would amount to much (a sizable recovery is highly dubious).

For a comparison of HIPAA to another country's laws, see Canada's FOIPPA (might be one less P). Which provides among other things, that no Canadian citizens health information (ePHI) can be stored on a server on US soil (because of fears that the USFG can utilize the PATRIOT act at any time to gain access to such 'confidential' patient information (ePHI)).

Re:For the privacy worriers...

[BunnyClaws]

You make a very good point. I have spent a majority of my I.T. career working in the health care industry. Just like you I have seen people misuse the information that they have access too. One guy I worked with at a very large health insurance company would scour records for people he knew. Once he even looked up a girl he used to date and called her up from the number that was stored under her insurance information. It was common to see employees read through malpractice suits just for entertainment. Years back I worked for a drug store chain and I remember one employee who would look up the prescriptions of people she went to school with to see what meds they were on.

The idea of HIPPA securing medical data can be considered a sense of false security. Companies must show they are making a reasonable amount of effort to secure PHI. Making a reasonable amount of effort does not mean the information is very secure.

In my opinion HIPPA does not ensure the privacy of an individual's health information very much but merely gives everyone a false sense of privacy.

"Searching" structured data is hard!

[copdk4]

Google has done a great job in searching raw free-text data. However, healthcare data is a different beast. The sheer number of datatypes is mind-boggling -- the number of different labs, drug classes, diseases etc that can get coded in patient records runs in to millions. So over the years healthcare databases have been constructed differently - they follow an EAV [yale.edu] (Entity Attribute Value) representation, which means that the patient databases are generally just ONE BIG TABLE! Here is the database schema used at New York Presby. Schema [columbia.edu] - all past 20 years patient data is stored in one table! oh yeah.. DB2 Baby!

Essentially all data/knowledge complexity is present in the Ontology/Terminology (such as SNOMED or LOINC) and the patient data itself instantiates from these.

Also doing NLP over medical notes is a difficult problem requiring years of tuning and domain knowledge to construct one -- which again is so specific to a given institution or region that it just does not work elsewhere.

It would be interesting to see what *real* innovations Google brings on the table.

Re:Google VS Microsoft

[quanticle]

Not only has Microsoft attempted such a thing, but they've succeeded and already have a working version. [healthvault.com] Its Google that's playing catch-up here, not Microsoft.

To be fair, though, I wouldn't like either company to be snooping around in my health records.

It's a VOLUNTEER basis

[Anonymous Coward]

This isn't going to be mandated. The only way your medical records get up there is if YOU put them there and agree to use the service.

Might as well try to say Google forces you to use Gmail or use them as a search engine. There are alternatives to those too, including abstience.

Re:Google VS Microsoft

[AltecZZ]

You fail to offer any standing reason why you should trust Google more than Microsoft.

At the very least, Microsoft's Live Hotmail doesn't scan your email like Gmail does. Google's policy on privacy is questionable at best. The minute Microsoft starts scanning my email to target me with ads, I'll quit defending them.

Microsoft's security division dwarfs that of Google's. In the past year, was Live Hotmail any less secure than Gmail? Microsoft has its faults too, but so does every company, including Google. It's cool to bag on Microsoft, but at the end of the day, it's no different than other large companies, such as Citibank or GE.

Here's some medical records privacy horror stories

[nbauman]

Here's some of the problems you can have when the confidentiality of your medical records is compromised.

http://www.post-gazette.com/pg/06362/749444-114.stm [post-gazette.com]

WSJ, 26 Dec 2006, Medical dilemma: spread of records stirs patient fears of privacy erosion; Ms. Galvin's insurer studies psychotherapist's notes; a dispute over the rules; complaint tally hits 23,896, Theo Francis.

(My notes, for people who are too lazy to even click on the link:)

In 1996, after her fiance died suddenly, Patricia Galvin left New York for San Francisco and was hired by Heller Ehrman LLP.

In 2000, Galvin began psychotherapy sessions at Stanford Hospital & Clinics with clinical psychologist Rachel Manber, who discussed her problems at work, her fiance's death, and her relationships with family, friends and co-workers. Manber assured Galvin that her notes would be confidential.

"I would never have engaged in psychotherapy with her if she did not promise me these notes were under lock and key."

In 2001, Galvin was rear-ended at a red light and suffered 4 herniated disks, which worsened.

In 2003, she applied for long-term disability. Her employer's carrier, UnumProvident Corp., said it would deny her claim unless she signed a release.

Manber assured Galvin her therapy notes would not be turned over. 3 months later, Unum denied her claim, because of psychotherapy notes about "working on a case" and a job interview in New York, which, Unum said, showed she was able to work. Galvin says they misinterpreted the notes.

In 2004, Galvin sued Manber, Stanford and Unum for malpractice and invasion of privacy, under California law. Galvin said "my most private thoughts, my personal tragedies, secrets about other people" were exposed.

In 2005, Galvin learned that Stanford had scanned Manber's notes into its system, making them part of her basic medical record. Stanford sent this file to Unum and the other driver.

Stanford said that "psychotherapy notes that are kept together with the patient's other medical records are not defined as 'psychotherapy notes' under HIPAA." It would be "impracticable" to keep them separate.

The health-care industry is scanning documents into electronic record systems. HIPAA gives psychotherapy notes special protection, but not when mixed in with general medical records.

Peter Swire, law professor, Ohio State U., explains why they wrote the rule giving confidentiality only to separate psychotherapy notes.

Stanford refused to separate her psychotherapy notes from other medical records. "Any time anybody asks for my medical records, my psychotherapy notes are going to be turned over."

In 2006, DHHS rejected Galvan's HIPAA complaint. From Apr-Nov 2003, DHHS had 23,896 privacy complaints, but hasn't taken any action. HIPAA exceptions allow release in connection with "payment" or "health-care operations."

Galvan, 51, is representing herself, because she couldn't find a California attorney with privacy experience.

Deborah Peel, Austin TX, psychiatrist and head of Patient Privacy Rights, says, "How many women want somebody to know whether they are on birth control?"

http://online.wsj.com/article/SB116709136139859229.html [wsj.com]

NYT, 26 Dec 2006, Costs of a crisis: Diabetics confront a tangle of workplace laws, N.R. Kleinfield.

Some companies fire diabetics for ostensible safety reasons, even though there's no evidence that they're unsafe. Courts nationwide have split on whether diabetes is a disability under the test that a "major life activity" is "substantially limited".

John Steigauf, 47, was a truck mechanic for United Parcel Service, but UPS put him on leave because of his diabetes. UPS claimed his blood sugar might plummet while he tested a truck, causing an accident, and he couldn't get an interstate commercial driver's license with insulin-dependent diabe

Re:Cleveland Clinic

[MindKata]

"trusted third party" and the parent comment about "Fortunately, this sort of activity is illegal in Canada"

"This sort of activity is illegal" (currently) ... the point is, if a government wants to redefine what is allowed, they simply change the rules to allow it in some way. As for trust, in general, marketing people cannot be trusted.

Google's marketing argument to a government is likely to include the idea that Google are using its own computers, so it saves the government money, while still giving the government control. The small print however, is that a marketing company would have direct access to everyone's details and they will do data mining on it.

Google's "do no harm" PR smoke screen marketing theme is sounding more hollow, every new move Google makes. Their goal is to become some kind of marketing version of Big Brother, but with the total knowledge they are building up, they will also have immense political power as well. Google data mine everything they have. They are not holding medical records for free. They will do some data mining on them.

Each new chess move of Google reminds me of the saying "The road to hell is paved with good intentions". Google is becoming Big Brother. Yet few people seem to be able to see its slowly happening.

This Hospital data move is like Googles Knol idea, its yet another facet of their move towards Big Brother ...
http://science.slashdot.org/comments.pl?sid=389296&cid=21697432 [slashdot.org]

and as for trusting marketing people ... their ethics are definitely not what I would trust...
http://science.slashdot.org/comments.pl?sid=448546&cid=22377974 [slashdot.org]

Re:Google VS Microsoft

[LingNoi]

At the very least, Microsoft's Live Hotmail doesn't scan your email like Gmail does.

At least Google doesn't delete your file attachments [hubpages.com] for no reason.

At least Google censor web links [adiumx.com] you send to your friends.

Who gives a crap if a machine reads my email?!! It's going through the intertubes, EVERYONE can read my email unless I encrypt it.

Highly volatile

[Bigmilt8]

I work for a healthcare organization in IT. And don't get me wrong, being able to have access to a patients's health records at anytime is very useful (and something the government is working on implementing), this information is very sensitive and Google and Microsoft leave themselves open to numerous lawsuits if there are any issues.

Speaking as someone in the healthcare industry..

[Anonymous Coward]

Speaking as someone in the healthcare industry, who regularly sends appeals letters to insurance companies requesting additional payment for underpaid claims, I think this is a REALLY, REALLY, REALLY BAD IDEA. Most insurance Companies want to deny your claims as soon as possible, and if that doesn't work, pay as little as possible. All this sort of thing will do is give them more reasons to do that quicker. If they can instantly have your medical records from you, since you need to authorize them to have that info in order to get a policy, you just gave them tons of reasons to deny your hospital bills based on pre-existing conditions, Not being medically necessary, and all kinds of other reasons. A lot of hospitals are going to electronic records, but there are still lots of holes in the systems that are available... and that's not counting the potential Hippa violations and other issues. On top of all of that, there's electronic issues too. I know of at least one clinic where there is a computer in the rooms that the patients sit in to be seen... that computer has a screen saver, but not a password protected one. In other words any patient off the street can go to that place, see a doctor, and basically be left in there by themselves with that computer for 10-50 minutes behind a closed door while they sit and wait for the doctor. Most of you all know how boring that time is... and I'm sure if you had a computer in a room like that may fiddle with it a bit. The scary thing is that this computer actually has access to the Hospital's main network, including all databases, some of which are completely insecure with ids and passwords that match staff names, and occassionally is full of plain text files full of confidential info that was stupidly saved too high in the directory tree by uneducated staff moving files around... I won't say where that clinic is, but will say that it's somewhere in the midwest that just about anyone passing through on vacation could end up at if they are on an accident on a major highway.

Re:Google VS Microsoft

[AltecZZ]

Um, you were saying?

Gmail loses attachments [liewcf.com]

Gmail loses all mail [ehmac.ca]

Censorship by Google [wikipedia.org]

Again, a lot of mistakes that Google does get swept under the rug, because they're Google. Meanwhile, any mistake that Microsoft does gets put in the spotlight.