Google to Begin Storing Patients' Health Records

mytrip writes with news that Google's health record archive is about to be tested with the assistance of the Cleveland Clinic. Thousands of patients (who must approve the transfer of information) will have access to everything from their medical histories to lab results through what Google considers a "logical extension" of their search engine. We discussed the planning of this system last year. "Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that's also required to use other Google services such as e-mail and personalized search tools. The health venture also will provide more fodder for privacy watchdogs who believe Google already knows too much about the interests and habits of its users as its computers log their search requests and store their e-mail discussions. Prodded by the criticism, Google last year introduced a new system that purges people's search records after 18 months. In a show of its privacy commitment, Google also successfully rebuffed the U.S. Justice Department's demand to examine millions of its users' search requests in a court battle two years ago."

Great...

[ihaveamo]

Now I'm going to get TARGETED Viagra spam....

Re:

[bennomatic]

Sorry to hear about your problem; even more sorry to hear that it's on the record.

Re:Great...

[AltecZZ]

Google is wayyyy behind Microsoft.

Microsoft's HealthVault came out several months ago, and has more partnerships than Google.

http://www.healthvault.com/ [healthvault.com]

Re:Great...

[WK2]

Yes, but we can't use the beevil tag for Microsoft, because that would be redundant.

Re:Great...

[jerdenn]

Google isn't actually behind Microsoft, as Microsoft's implementation of healthvault is actually somewhat questionable. It's as if the company paid no attention to existing standards, and decided to implement a PHR system however they damn well pleased. CDA or CCD support? What's that? IHE standards?

If anything, Microsoft is ahead in the game of press releases, but certainly not in a functioning and useful Electronic Health Records system.

Re:

[somersault]

It's as if the company paid no attention to existing standards, and decided to implement a PHR system however they damn well pleased

Surely not.. this is Microsoft we're talking about here? You know, the famous one - not the toilet paper manufacturer - Bill Gates, Steve Ballmer, BOB, Clippy? I refuse to believe that they would follow the path you have laid out, and humbly request to see some evidence that they could ever do something so moronic.

Re:Great...

[gsslay]

No no no no no nooo. Not spam; adsense.

Just think how useful this could be for your doctor. No more tedious working out what to prescribe you. Just type the diagnosis into your google page, refresh, and adsense will immediately deliver links to drugs that are just the job!!

And you get paid for the click-thrus! It's a win-win scenario and almost worth being ill for!

Re:Google VS Microsoft

[jo42]

In fact, I can think of very few companies I would trust with all of my medical information other than Google.

You must be 20-something to make a statement that naive.

Re:

[EmotionToilet]

why? Can you list other companies I could trust as much? I don't mind anyone going through my medical records. I haven't been to the doctor in years so there probably isn't anything there. And I don't think microsoft or google are interested in going through my medical records. But I would feel more secure having them on a google server than a MS server. Some companies I trust and some I don't. I trust google. I like how they do business. I don't care for microsoft. I don't feel I can trust them.

Re:

[AltecZZ]

You fail to offer any standing reason why you should trust Google more than Microsoft.

At the very least, Microsoft's Live Hotmail doesn't scan your email like Gmail does. Google's policy on privacy is questionable at best. The minute Microsoft starts scanning my email to target me with ads, I'll quit defending them.

Microsoft's security division dwarfs that of Google's. In the past year, was Live Hotmail any less secure than Gmail? Microsoft has its faults too, but so does every company, including Goo

Re:

[cheater512]

You must be new here. :P

You use Hotmail for a example, I'll use MSN.
Google defends your privacy strongly. MSN will hand over anything the government asks for with no reason.
Wonderful privacy eh?

A machine reading my email, not for information gathering but to target ads is fine.
Its a very straight forward process and your privacy cannot really be compromised in any way because of it.

I do pay $50 a year for a premium Gmail account.
I do it for the other features though like domain support and not the lack of a

Re:

[LingNoi]

At the very least, Microsoft's Live Hotmail doesn't scan your email like Gmail does.

At least Google doesn't delete your file attachments [hubpages.com] for no reason.

At least Google censor web links [adiumx.com] you send to your friends.

Who gives a crap if a machine reads my email?!! It's going through the intertubes, EVERYONE can read my email unless I encrypt it.

Re:

[AltecZZ]

Um, you were saying?

Gmail loses attachments [liewcf.com]

Gmail loses all mail [ehmac.ca]

Censorship by Google [wikipedia.org]

Again, a lot of mistakes that Google does get swept under the rug, because they're Google. Meanwhile, any mistake that Microsoft does gets put in the spotlight.

Re:

[mgblst]

It it didn't scan your email, how would it check for viruses, or even allow you to search your email, so clearly it does. Your problem might be that Google then uses that scan to provide the before mentioned services, as well as targetted advertising, which consists of nothing more than picking out keywords.

Re:

[FreeUser]

You fail to offer any standing reason why you should trust Google more than Microsoft.

More to the point, no company should be trusted with that kind of personal information. Not Google. Not Microsoft. No one.

Re:

[quanticle]

Not only has Microsoft attempted such a thing, but they've succeeded and already have a working version. [healthvault.com] Its Google that's playing catch-up here, not Microsoft.

To be fair, though, I wouldn't like either company to be snooping around in my health records.

Cleveland Clinic

[fractalVisionz]

assistance of clinic in Cleveland

It's Cleveland Clinic, and it's pretty much in every major city. So there are more people affected then just in Cleveland.

Re:Cleveland Clinic

[tomhudson]

Over my dead body? Ha! Not even then!

Fortunately, this sort of activity is illegal in Canada (PIPEDA [privcom.gc.ca]), so I for one won't ever have to welcome your google overlords.

Re:

[penix1]

Given this country's penchant for "opt-out" instead of "opt-in", it is prudent that these things be protected in some fashion. Sure, the info from medical providers to Google is opt-in but from there it is a different story. How soon before insurance companies or the highest bidder gets the data from there is anybody's guess.

In short, I trust Google about as much as Microsoft when it comes to making profits on this. And will the cost associated with it trickle down to patients? Probably.

Re:Cleveland Clinic

[penix1]

You are still missing the point. The privacy MUST be throughout the entire chain of custody. You can't say that in this case because Google can sell to the highest bidder. Sure, you have to say "yes" now but how long will that last? How long before health care providers start including "check this box to opt out" language on the forms you sign at their facility? Again, given this country's penchant for calling "opt-out" a real choice, I think sensitive data like health records should remain the perview of the health providers and patients ONLY.

Re:Cleveland Clinic

[burner]

But I _do_ want online access to my health records. Does this mean my health provider must build and maintain a health record server onsite in order to provide me this? If I see multiple providers, do I have to carry around a list of URLs so they can share this data?

It only makes sense for a trusted third party (with technical expertise) to hold onto this data. Personally, I trust a government (state or federal) or non-profit program with community oversight to a for-profit corporation for this. Others may simply not want any digital health records, just like some folks don't want to have online access to their bank account.

Re:Cleveland Clinic

[MindKata]

"trusted third party" and the parent comment about "Fortunately, this sort of activity is illegal in Canada"

"This sort of activity is illegal" (currently) ... the point is, if a government wants to redefine what is allowed, they simply change the rules to allow it in some way. As for trust, in general, marketing people cannot be trusted.

Google's marketing argument to a government is likely to include the idea that Google are using its own computers, so it saves the government money, while still giving the government control. The small print however, is that a marketing company would have direct access to everyone's details and they will do data mining on it.

Google's "do no harm" PR smoke screen marketing theme is sounding more hollow, every new move Google makes. Their goal is to become some kind of marketing version of Big Brother, but with the total knowledge they are building up, they will also have immense political power as well. Google data mine everything they have. They are not holding medical records for free. They will do some data mining on them.

Each new chess move of Google reminds me of the saying "The road to hell is paved with good intentions". Google is becoming Big Brother. Yet few people seem to be able to see its slowly happening.

This Hospital data move is like Googles Knol idea, its yet another facet of their move towards Big Brother ...
http://science.slashdot.org/comments.pl?sid=389296&cid=21697432 [slashdot.org]

and as for trusting marketing people ... their ethics are definitely not what I would trust...
http://science.slashdot.org/comments.pl?sid=448546&cid=22377974 [slashdot.org]

Re:

[tomhudson]

Each new chess move of Google reminds me of the saying "The road to hell is paved with good intentions". Google is becoming Big Brother. Yet few people seem to be able to see its slowly happening.

You know, you're right. Its like the "how to boil a frog" analogy. Time to switch default search engines ...

Re:

[bkr1_2k]

What's wrong with doing it yourself? You keep all your own records. You can keep them in hard copy or digitally and take them wherever you need. You'll also have access to them whenever you need. Yes, difficult in emergencies, but certainly not impossible.

Re:

[tomhudson]

It's "fortunate" that your country prevents two entities from engaging in a consensual exchange of information? That sounds quite repressive to me. I prefer to live somewhere that allows me to make my own decisions, but I understand we all can't handle that level of responsibility.

My medical data is mine. Not any health-care providers ... they have absolutely zero right to share it with any business entity, and the law backs me up on it.

We don't need slippery slopes. There are already too many people w

Re:

[tomhudson]

For now ...

Just look at the history of the Social Security Number - it was supposed to be used ONLY for Social Security ... now what? Its used as an ID almost everywhere.

And I dumped my gmail account over a year ago - and today (because of creeping big-brotherism) I've changed my search engine as well.

Is it scary yet?

[Anonymous Coward]

When your email is parsed for relavent ads, many just let that go.

But when you associate my email, calendar, documents, health info and who knows what's next, I start to wonder if that might not be too many eggs in one basket?

And if you are like me, your handle/username/login is the same across many sites.

Re:

[BunnyClaws]

Using the same handle on many sites is always a bad idea. Its way to easy to track information that way.

Re:

[Nemilar]

This is exactly the point of "Identity 2.0" You can prove who you are, to any site on the web. It gives you a constant identity.

Granted, you can have more than one identity, but generally I think people like having single handles. It lets you build a reputation across multiple sites.

Re:

[causality]

The GP was saying that this could have a serious downside. Reminding us of the advantages (i.e. "how it will be sold") does not magically negate this disadvantage. Unfortunately, most people are passive enough that they won't consider this downside until something undesirable happens, like the situation with Myspace/Facebook/etc where suddenly employers became interested in that information. Better to foresee such a possibility ahead of time.

Personally, I think "Identity 2.0" is a solution in search o

HIPAA compliance?

[palegray.net]

I have to wonder how Google is approaching the legal requirements for HIPAA [hhs.gov] compliance with respect to the storage and retrieval of healthcare information. Anyone got any pointers on this?

Re:

[Urkki]

If you have *one* service with more information about you than the rest combined, then have a different password (and login if possible) for that one service at least. Not too much hassle, but improves your information security tremendously.

Also, change the password of that one "critical" service regularily.

Re:

[SpottedKuh]

And if you are like me, your handle/username/login is the same across many sites.

Anonymous Coward?

Re:

[urcreepyneighbor]

But when you associate my email, calendar, documents, health info and who knows what's next, I start to wonder if that might not be too many eggs in one basket?

What could possibly go wrong? ;)

Re:

[iBod]

>>And if you are like me, your handle/username/login is the same across many sites.
[ Reply to This

Well your username is certainly very prevalent on most of the sites I visit.

I wonder how you find the time!

Double-edged sword

[calebt3]

On one hand, it would be convenient to have this archive available so that we can access our records without the hassle of dealing with the healthcare system. On the other side, all that data has only the strength of your password standing between it and the Black Market.

Re:Double-edged sword

[zappepcs]

There is more to it than that. Recently (thanks to the immigration process) I was in the unexpected position of trying to find my immunization records which are now scattered among several states, doctors, and the military. If you think gathering that information was either fun or easy, you are wrong. Having this information to hand would have been a REAL time and money saver.

The trouble is that I don't want anyone else to have it. We have technology that can go anywhere with us. You can carry a key fob that will hold it all etc. More to the point, you can carry a key fob with better security than a password with you to access, and allow access for updates by those of your choosing.

Yes, Google will make it convenient, but we need to do more about the security of it both in access to it, and what happens to it while stored somewhere other than in our homes. The mobile devices that we carry around, ordinary telephones, and other simple items make 2 part authentication easy (well easier) than you think. We should be using them.

Additionally, we already have rules about sharing health-care information. Lets use those laws, not make more, to ensure the integrity of that privacy.

Anyone here who thinks that their privacy is safe because their health care information is not yet stored by Google is completely mistaken. It's very easy to get your health care information from the current system through human error, and social engineering.

Re:

[QuantumG]

immunization records

Umm, why the hell do you care if someone can see what you've been immunized for?

Seriously, what's the secrecy here?

Re:

[Fjandr]

Someone seeing immunization records is hardly the point. Someone seeing everything can be a lot more of an issue. Employers, insurers, advertisers, etc.

It's called looking at the big picture, not using a trivial example to attempt to trivialize the whole issue.

Re:Double-edged sword

[zappepcs]

That was just an example of why it would be useful. There are many things that fall under health care that people don't want anyone to know about:

Abortion
Substance abuse
Domestic violence counseling
Prescriptions for drugs associated with a disease that has a bad stigma

And those are just a few examples of what people would want protected. I'm pretty sure that you would not want people to know that you are seeing a doctor about impotence? right? Perhaps you don't really want people to know that you are color blind or deaf in one ear. Maybe you are embarrassed if people know you have herpes.

Perhaps you don't want people finding out that your kids have been treated for sexual abuse (the record probably won't say it wasn't you that committed the abuse).

There are way more things that you don't want people to know than things you do. Hardly anyone goes to the doctor for something good.

But, if you want to tell the world that you have warts on your 1 inch penis, go ahead... we won't stop you.

Re:

[pthor1231]

I hope you know that your parent and the parent of your other comment about immunization records are the same person.

Quant, call it a night

[WindBourne]

You have really turned into an asshole. I am guessing that something is on your mind, but normally, you are not like this.

Re:

[QuantumG]

How am I being an asshole here? He made a statement that I didn't understand, I asked him to clarify. Furthermore, what business is it of yours?

Re:

[QuantumG]

ummm.. He said immunization records.. I asked why he cared about people seeing his immunization records.. you're talking about treatment for depression and alchohol (sic) dependency for some reason. If he had said treatment for depression or alcohol dependency I could see his point, but he didn't.. he said immunization records.

Re:Double-edged sword

[thanatos_x]

You know, it's a real pity that there is no competent organization that can offer this that's in theory not motivated by profits and has the resources, like say... the US government. Everything aside, this kind of information is something that should be likely held by the government, if only people trusted this to not expand into a serious invasion of their privacy. It's a pity that the one organization that's supposed to regulate everything and hold such information (if anyone beyond yourself is) is considered too untrustworthy to do so.

I suppose it all comes back to things being run by human nature, and sooner or later you'll have to make a deal with the devil and give him his due; increased convince (eventually to the point that it will be impossible to function without it) for a decreased amount of privacy. In theory your SSN is only related to taxes; in practice you can't get through life easily without giving it to every Tom, Dick, and Harry.

Security by obscurity might be the only measure of protection we have, but that's not terribly comforting when someone *thinks* you did something wrong, or when someone *gets* your data (though google seems much better at protecting data than most banks and governments).

On the plus side it might be nice to see spam for drugs that you can actually use, compared to everyone getting offers to increase penis size with drugs to keep it up for hours.

Re:

[kylehase]

not motivated by profits and has the resources, like say... the US government

The Singapore government is already planning this for their country. [zdnetasia.com]

Re:

[rtb61]

Nice, consider funeral homes targeting terminally ill patients, or lawyers offering will services, just your friendly googlite reminder when you are trying to escape on the internet about to die and they have to suck every last cent of marketing dollar they can out of you and even get in early on your grieving family.

As long as the details of all hospital and doctors that use these services are effectively sell you details for free data storage are publicly and clearly displayed across the internet so th

Re:

[QuantumG]

Ya know, most everywhere else in the world lawyers are not allowed to advertise at all. It's called "soliciting".

If the government has it

[elucido]

If the government has it, the governments get it.
If the governments get it, the corporations get it.
If the corporations get it, the mafias get it.
If the mafias get it, the rich and powerful own it.

No information is secure because powerful/rich individuals can access anything stored anywhere on earth. Just because the governments can hold the information, doesn't mean there aren't moles and terrorist cells in the US government who will sneak the information out and sell it to terrorist groups. And of course

Re:

[gnick]

The trouble is that I don't want anyone else to have it.

So, don't volunteer. Personally, I figure that the convenience of having my records available anywhere I happen to be traveling outweighs any paranoia over somebody hacking Google's security. If you don't want Google making your information available, don't volunteer it...

Re:Double-edged sword

[Knuckles]

I was in the unexpected position of trying to find my immunization records which are now scattered among several states, doctors, and the military. If you think gathering that information was either fun or easy, you are wrong. Having this information to hand would have been a REAL time and money saver.

Meanwhile, we in stone-age Europe usually receive little booklets at our birth and whenever a doctor immunizes us, he enters a stamp plus some info there. Same as with voting machines, really: not everything is in need for a fragile high-tech solution.

Re:

[MightyYar]

We get the same little pink/blue booklet here in the US. I don't know where mine is, since I didn't ask my parents for it when I went to college. Presumably in a drawer somewhere. I don't know what a doctor would do if presented with it at my age, but it would probably involve laughter.

I'm not sure they are legal as proof anyway - I know that my daughter's day care won't accept it, and I have to have the doctor fill out a separate form.

Re:Double-edged sword

[DancesWithBlowTorch]

I live in Europe, and I have no idea where my immunization passport currently is. I've moved five times in the last twelve months, changing countries twice, so it could be anywhere on the continent, really. Since I've forgot what I was immunized against, the only way to find out is to take blood sample and run it through expensive lab tests.

Same as with tax records, really: Not every paper solution is automatically non-fragile.

Re:

[Knuckles]

Yeah well, that sucks, but is it really worth it to implement complicated technical solutions with unforeseen implications just so that one can be sloppy? Did you lose your passport too, and if you did would you be in favor of implementing a people tracking database to set it off?

Re:

[aggieben]

Uh, we in Texas (and elsewhere in the U.S., no doubt) receive the same stamp booklets for vaccinations, and we still stamp our voter ID cards.

The motivation for high-tech solutions is
a) high-tech is cheap enough now that at scale, it could actually be cheaper than printing booklets and buying ink and stamps

and more importantly

b) people have too much information for paper storage and organization to be as practical as it once was. It would only take a couple years to fill up an entire drawer of a filing cab

Re:

[TheRaven64]

Meanwhile, we in stone-age Europe usually receive little booklets at our birth and whenever a doctor immunizes us, he enters a stamp plus some info there

We do? I don't think I've ever seen mine, nor been asked for it by a doctor when I've received immunisations. They just go on my (computerised) record. Or is this another one of these European things that the UK opted out of?

It's a waste of time.

[elucido]

Look, you could store the information in encrypted form, and due to the flaw in the windows random number generator, it would still be accessed and sold by hackers. But to tell you the truth, the black market operators don't even have to go through the trouble of hiring hackers, they can just bribe the individuals who do have access to your medical records, or threaten to violently harm the children of these individuals, or use blackmail on these individuals by threatening to tell their wife what they've do

Too late, the black market always has it.

[elucido]

1. If the government has the information, the black market has it.

2. The black market can simply buy the information from the people who work in the hospital.

The lesson? No information which is stored in plaintext anywhere on earth is secure. As long as a pair of eyes can see it, whoever owns that pair of eyes, can capture and sell whatever information. It's already too late.

Password Protected?

[Bieeanda]

...with the same password that you use to log in to gMail, Google Pages, your Google home page and virtually every other service they offer? Come on. It isn't like Google mandates passwords of any particular strength, or that accounts haven't been hijacked through one means or another.

Re:

[TheRaven64]

Is this the same password that GMail defaults to sending in plain (non-SSL) text across the Internet every day for most GMail users? I wonder how long it will be before corporate firewalls are sniffing GMail passwords and using them to check employee medical records...

"a clinic" in Cleveland?

[VP]

Cleveland Clinic is one of the top healthcare institutions in the US and the world. Calling it "a clinic in Cleveland" is like calling the New York Times web site "some guy's blog"...

Re:

[Bill, Shooter of Bul]

Not really. There have been many slashdot stories that have linked to the New York Times. No one has ever misidentified it. As far as I can recall, this is the first one referencing Clevland Clinic and it was misidentified. Its not as famous to the general public as NYT. I would say something like the Mayo Clinic is more akin to the Times. Maybe Cleveland is more like the Chicago Sun Times of Health care.

Re:"a clinic" in Cleveland?

[schnikies79]

"Best investigative reporting on the planet."

If that is the case, then they really blew it with todays headlines. That McCain piece is about the most unsubstantiated news un-worthy gossip I've seen in a while. If the Obama campaign touches that one, he loses my vote.

I would be surprised if he does

[WindBourne]

He has not been the type to do personal attacks, just attacks on policies and actions. In fact, overall, I would say that McCain has been the same way, and Clinton was until Wisc (sent her ppl in to do a hatchet job on obama).

there are others doing this already

[acvh]

my former employer offered us the option to buy into an online health records system. the selling points were that we could easily be sure that any doctor we saw could have instant access to all of our history, and we could review treatments and billing records.

I chose not to participate, because the provider was new and unknown to me. I don't think I would want to use Google, because they ARE known to me.

I'll just keep asking for copies of records when I visit a doctor, and keep them in my filing cabinet.

Do I get access to my own records?

[Animats]

Can I log in and see everything myself? And can I see the list of everyone who ever accessed my records? If not, it's no good.

Re:

[pembo13]

That's kinda the entire point.

Re:

[giafly]

Can I log in and see everything myself? And can I see the list of everyone who ever accessed my records? If not, it's no good.

Here's that list: Mickey Mouse, Princess Peach, and Dr Watson. Happy now?

The full solution

[LarrySDonald]

Give people their medical records. Digitally signed by the docs that made them so they're authentic if the medical system must. If people would like to store them at Google or host them anywhere else, great. Make a standard for appending and signing that makes some kind of sense, but that is general and will work with any storage system. How is sheets of paper being faxed/mailed between docs the best possible standard? The whole system is jive, adding storing it with Google might make it slightly less jive, actually fixing it would, well, fix it. The whole system is so antiquated it make POTS look like a good standard for sending audio, but so ingrained and unquestioned that it's just there.

Re:

[NIckGorton]

Giving people their records doesn't solve it. Its not just a question of whether the notes/docs in that system are digitally signed, but also whether every note that a provider wrote is included. Say for example, your name is Rush and you like oxycodone and hydrocodone. A lot.

So on Monday you go see Dr Smith, who writes you for 120 x 10mg doses. Then you just erase Dr Smith's note from your record, and on Tuesday go see the good Dr Mendez, who writes for 80 x 10mg doses. Then delete again and go to see t

Future Killer App

[clang_jangle]

DeGoogle. Removes all traces of you from Google.

Re:

[moosesocks]

The current governor of California has been operating a similar service since 1996.

World Privacy Forum

[John Norris]

World Privacy Forum's [worldprivacyforum.org] report "Personal Health Records: Why Many PHRs Threaten Privacy" released yesterday goes into considerable detail as to why PHR's are a privacy nightmare.

They discuss how PHR vendors may not be covered by HIPAA nor patient/provider confidentiality laws (esp subpoenas.)

They particularly note that PHR vendors that also provide email services have a lot of data that can be easily linked together (...and to you.)

I'd really like to see this sort of thing work, but am cautious.

For the privacy worriers...

[NerveGas]

      This is a very big step up from what you now have. I worked for some time in the client-server programming department of a health care organization with 20,000+ employees, on projects ranging from inventory management to patient records to corporate salaries. This company did much better than most, and I can tell you that your privacy is not terribly secure.

      When you're dealing with a situation which requires thousands of people (doctors and nurses) immediate access to your records, from anywhere in the organization (spannint numerous states), even if you ruled out network security, system security, etc., the possibilities for social engineering are absolutely ENORMOUS. And more than that, with that many employees, it's simply a given that some of them will misuse their power. Just within my friends who work for the company, I know of a very good number of times when information of others was accessed, used, or disseminated for personal use or amusement. Never anything nefarious, but still, not only unethical, but against the law as well.

      Google has a much better idea of how to warehouse data, manage access to it, and audit usage and access than any of the individual health care companies out there. They may not be perfect, but they'll probably do a whole lot better than what we/you have now.

Re:For the privacy worriers...

[BunnyClaws]

You make a very good point. I have spent a majority of my I.T. career working in the health care industry. Just like you I have seen people misuse the information that they have access too. One guy I worked with at a very large health insurance company would scour records for people he knew. Once he even looked up a girl he used to date and called her up from the number that was stored under her insurance information. It was common to see employees read through malpractice suits just for entertainment. Years back I worked for a drug store chain and I remember one employee who would look up the prescriptions of people she went to school with to see what meds they were on.

The idea of HIPPA securing medical data can be considered a sense of false security. Companies must show they are making a reasonable amount of effort to secure PHI. Making a reasonable amount of effort does not mean the information is very secure.

In my opinion HIPPA does not ensure the privacy of an individual's health information very much but merely gives everyone a false sense of privacy.

In fact

[WindBourne]

I have thought that when AQ (or even China) decides to get real serious with attacking the west, it will be via a computer attack. Most likely, they will hit a number of windows systems which have loads of our information on it. With the data on us, simply run the banks. By doing that, they could transfer not just billions out of the country, but cause such chaos here, that it would be difficult to have a unified front. WHile I really want to see Linux come on strong, I like that Gates has been pushing Wind

Re:

[QuantumG]

Dear nut-job,

Please explain how "health data" has "enough info" to "allow the run on the bank". And for the readers who have no idea how to read crazy, please also explain what you mean by this fragmented poor english.

kthxbye.

Re:In fact

[WindBourne]

Ah, quant, you have lost you perspective all because I called you out on one of your statements a couple of weeks ago. I thought you were above insults as well as being an asshole. I guess I was wrong. BTW, I am working late because I have a project due and am beat, so the English is not quite as nice. But this is /., not an English class.

Many of the Health data systems are built on Windows and built poorly. The security that everybody thinks is there, really is not. 25-15 years ago, I worked at various medical facilities including Metpath/corning, BlueCross/Blueshield (just at time of going private), and IBM/Kaiser (worked on the system that was in there for over a decade). I am aware of a at least a few of the systems that currently exists. From talking to a few others that still work in the industry, I know that security STILL is not taken as serious as it should be. Hippa has made changes, but from what I understand more of trying to control who sees what, and not as much on the computer. The health system is NOT just your patient info. Most of the systems contain your insurance and ultimately has loads of information on your checking and/or CC (assuming that you are not visiting a money only doc). All somebody has to do is hack these systems to obtain information. They then build up a DB and use it to attack in one clean shot, or chose the option of quietly and methodically taking the money.

Here's some medical records privacy horror stories

[nbauman]

Here's some of the problems you can have when the confidentiality of your medical records is compromised.

http://www.post-gazette.com/pg/06362/749444-114.stm [post-gazette.com]

WSJ, 26 Dec 2006, Medical dilemma: spread of records stirs patient fears of privacy erosion; Ms. Galvin's insurer studies psychotherapist's notes; a dispute over the rules; complaint tally hits 23,896, Theo Francis.

(My notes, for people who are too lazy to even click on the link:)

In 1996, after her fiance died suddenly, Patricia Galvin left New York for San Francisco and was hired by Heller Ehrman LLP.

In 2000, Galvin began psychotherapy sessions at Stanford Hospital & Clinics with clinical psychologist Rachel Manber, who discussed her problems at work, her fiance's death, and her relationships with family, friends and co-workers. Manber assured Galvin that her notes would be confidential.

"I would never have engaged in psychotherapy with her if she did not promise me these notes were under lock and key."

In 2001, Galvin was rear-ended at a red light and suffered 4 herniated disks, which worsened.

In 2003, she applied for long-term disability. Her employer's carrier, UnumProvident Corp., said it would deny her claim unless she signed a release.

Manber assured Galvin her therapy notes would not be turned over. 3 months later, Unum denied her claim, because of psychotherapy notes about "working on a case" and a job interview in New York, which, Unum said, showed she was able to work. Galvin says they misinterpreted the notes.

In 2004, Galvin sued Manber, Stanford and Unum for malpractice and invasion of privacy, under California law. Galvin said "my most private thoughts, my personal tragedies, secrets about other people" were exposed.

In 2005, Galvin learned that Stanford had scanned Manber's notes into its system, making them part of her basic medical record. Stanford sent this file to Unum and the other driver.

Stanford said that "psychotherapy notes that are kept together with the patient's other medical records are not defined as 'psychotherapy notes' under HIPAA." It would be "impracticable" to keep them separate.

The health-care industry is scanning documents into electronic record systems. HIPAA gives psychotherapy notes special protection, but not when mixed in with general medical records.

Peter Swire, law professor, Ohio State U., explains why they wrote the rule giving confidentiality only to separate psychotherapy notes.

Stanford refused to separate her psychotherapy notes from other medical records. "Any time anybody asks for my medical records, my psychotherapy notes are going to be turned over."

In 2006, DHHS rejected Galvan's HIPAA complaint. From Apr-Nov 2003, DHHS had 23,896 privacy complaints, but hasn't taken any action. HIPAA exceptions allow release in connection with "payment" or "health-care operations."

Galvan, 51, is representing herself, because she couldn't find a California attorney with privacy experience.

Deborah Peel, Austin TX, psychiatrist and head of Patient Privacy Rights, says, "How many women want somebody to know whether they are on birth control?"

http://online.wsj.com/article/SB116709136139859229.html [wsj.com]

NYT, 26 Dec 2006, Costs of a crisis: Diabetics confront a tangle of workplace laws, N.R. Kleinfield.

Some companies fire diabetics for ostensible safety reasons, even though there's no evidence that they're unsafe. Courts nationwide have split on whether diabetes is a disability under the test that a "major life activity" is "substantially limited".

John Steigauf, 47, was a truck mechanic for United Parcel Service, but UPS put him on leave because of his diabetes. UPS claimed his blood sugar might plummet while he tested a truck, causing an accident, and he couldn't get an interstate commercial driver's license with insulin-dependent diabe

How much access?

[teslatug]

Just how much will they be able to access? They can already access some type of information through the MyChart website. Why do they need Google anyway? Why not keep it permanently on CCF's site?

Re:

[pembo13]

You give them the access, so I guess you get to find out how much before you give it to them.

National Security Letters?

[saratchandra]

Google also successfully rebuffed the U.S. Justice Department's demand

Can anyone be sure that they haven't complied with a National Security Letter(NSL) demanding them to hand over user data? And even if they did comply, we wouldn't know about it because of the terms of a NSL.

So all this talk about Google standing up to protect user data from the US Administration is as true and verifiable as their motto itself ("Don't be evil").

"Searching" structured data is hard!

[copdk4]

Google has done a great job in searching raw free-text data. However, healthcare data is a different beast. The sheer number of datatypes is mind-boggling -- the number of different labs, drug classes, diseases etc that can get coded in patient records runs in to millions. So over the years healthcare databases have been constructed differently - they follow an EAV [yale.edu] (Entity Attribute Value) representation, which means that the patient databases are generally just ONE BIG TABLE! Here is the database schema used at New York Presby. Schema [columbia.edu] - all past 20 years patient data is stored in one table! oh yeah.. DB2 Baby!

Essentially all data/knowledge complexity is present in the Ontology/Terminology (such as SNOMED or LOINC) and the patient data itself instantiates from these.

Also doing NLP over medical notes is a difficult problem requiring years of tuning and domain knowledge to construct one -- which again is so specific to a given institution or region that it just does not work elsewhere.

It would be interesting to see what *real* innovations Google brings on the table.

i'm in ur...

[MyOhMyOhMy]

...HOSPITAL, GOOGLing ur MEDICAL RECORDS

Sorry, I just couldn't resist.

Privacy Ammendment

[Phoenix666]

I sincerely hope that Obama wins the Whitehouse, and I sincerely hope that he acts to finally put a Constitutional Ammendment guaranteeing the right to Privacy on the books.

As a professor of Constitutional law at the University of Chicago, he should be abundantly aware of how fragile our right to privacy is in this country, being that it's an inferred right that rests only on precedent.

Re:

[kellyb9]

I sincerely hope that Obama wins the Whitehouse, and I sincerely hope that he acts to finally put a Constitutional Ammendment guaranteeing the right to Privacy on the books.

Man, you're being really sincere.

Potential for research?

[homesteader]

I've been wondering for the last few years why no one is doing this. I read about studies that are considered HUGE where there are 50,000 participants. Many studies are only in the hundreds. What happens when you can do statistical analysis on millions of patient records? It would seem to me that the potential for finding trends amongst otherwise disparate symptoms would be amazing.

As a poster above noted, finding a way to query the data is a problem. Finding ways to anonymize patient information is a problem(how many elements of medical history does it take to identify a human?) But in the end, if google were subsidizing my health care, I just might say do whatever the fuck you want with my charts!

Which brings this back to one of the question of the century: When will the consumer own it's own data? Today this might be a service Google looks to sell as "You pay us to data warehouse your medical records", but tomorrow it might be "You pay us to mine the data warehouse that we've established."

Are the inconsistencies of patients chart data too much of an obstacle to overcome? I'd hate to think that Google is just doing this as a form of Web 2.0 SAS, 'pay me to do what you used to do yourself' service. I've always imagined that Google figures, if they get enough data in one place, something magical will happen. Medical research of millions or hundreds of millions of patient histories seems like it could be magical.

I want my medical records...

[HangingChad]

...but I don't necessarily want to store them at Google or any other 3rd party vendor, unless Congress amends HIPPA to cover them. I'd rather have the option of carrying my records around on an encrypted USB or other portable device. That would mean getting health care providers to use common file formats and standard forms. Not holding my breath.

I wanted to something similar with my pets. Put their vet records on a little memory stick card I could put in a special holder in their collar. Treatment h

Employers

[kellyb9]

Are these records going to be freely available? One has to wonder regardlessly if employers might use it as a basis for hiring an employee. Maybe I'm paranoid, but this was really my first thought, and Its not to far from the present anyway. Employers use peoples' facebooks and myspaces as a guideline right now.

Highly volatile

[Bigmilt8]

I work for a healthcare organization in IT. And don't get me wrong, being able to have access to a patients's health records at anytime is very useful (and something the government is working on implementing), this information is very sensitive and Google and Microsoft leave themselves open to numerous lawsuits if there are any issues.

Google already compromised?

[octaene]

I'm a little shy on facts and links to information, but I'm sure I read not long ago about attacks against GMail and Google Accounts where passwords were compromised, etc. It seems to me that tying this authentication into health care information is just asking for trouble...

Re:Not Mine

[DebateG]

Actually, HIPAA does not cover third party databases [computerworld.com].

Re:

[Anonymous Coward]

IAALS - HIPAA does cover health information on third party systems under the "Business Associate" rule (which means, anyone doing business with a HIPAA CE (Covered Entity) must comply with HIPAA guidelines (there must be a contractual provision providing that the business associate will comply with the same HIPAA regulations that the Covered Entity must).

The REAL issue is that HIPAA has no teeth. No one has yet really had a judgment entered against them on a HIPAA privacy violation that I am aware of, and

Re:Not Mine

[QuantumRiff]

Actually, no, they probably won't have to comply with HIPPA. Google for it (yeah, I know).. You are authorizing the transfer of your records to a 3rd party. You have to give permission. If you give your records to a neighbour, they are not bound by HIPPA. Yes it would be stupid of them to allow anyone to see your health history, and will probably break some state laws, but HIPPA, no..

Re:

[QuantumG]

I'm guessing you're about 19 years old right? The 1980s called, they said you should really pay attention [slashdot.org] to the world around you.

Re:

[compro01]

umm, just so you know, that link doesn't work.

Re:

[schnikies79]

You give them the right, but agreeing to use their services.

If you don't like it, don't use it. This isn't a mandated thing by any means.

Re:

[schnikies79]

Thats true. As it stands, I won't use this service.

Re:I for one welcome our new informational overlor

[QuantumG]

It'd be so much better in Australia too, because Google would have to declare why they are collecting the information and what they are going to use it for and if they used it for purposes other than that they would be in violation of privacy laws.

Unlike the USA, where they are free to collect any information and not say who they are going to sell it to.

Re:

[DrDitto]

Why is this flamebait? I feel the same way. I move around quite a bit and I'm sick and tired of Doctors not understanding my history when I try to explain the prior tests and lab results.