
Google, Microsoft and Revolution Health Roll Out Personal Electronic Health Records Management Systems With Crucial Privacy Implications

By Lucy L. Thomson, Esq. CIPP/G

Information technology is transforming the way health professionals and the healthcare industry provide care to individuals and to the entire population. Privacy and information security are at the center of a sea change in the way individual health records are created, managed and shared. Electronic health records (EHR) management systems unveiled recently by Google, Microsoft and Revolution Health are being promoted as the key to consumer-focused healthcare that will enable individuals to manage their own health records and "take ownership of their healthcare decisions." A striking feature of the new personal EHR systems is that the individual who creates a health record can decide what health information to include and with whom it will be shared.

Some experts worry that the new services and convenience provided by EHRs come at the cost of patient autonomy and may pose serious privacy risks. This concern arises in the context of the trend toward EHRs—some call it a revolution—which is being driven by both government and business. In 2004 the White House issued an executive order mandating universal EHRs for all American citizens by 2014.

Emergence of a National Health IT Infrastructure

Governments at the federal and state levels are expected to take the lead in developing standards and policies for a Nationwide Health Information Network (NHIN). Much is being done at the state level, where major public sector health record adoption and exchange projects are underway. The development of a Health IT infrastructure is underway, and distinctly different models are emerging:

  • Longitudinal collection of electronic health information for and about individuals and populations, feeding into "knowledge and decision-support systems." Institutional systems seek to maximize patient data in local or national systems, and focus on the interoperability and comparability of all patient data.
  • Personal EHRs enable individual patients to aggregate their diverse records and make them selectively available to new or emergency providers.

Early this summer the federal government released a strategic plan for health information technology with two strategic goals that will be enabled by health IT: patient-focused healthcare and improved population health. The Department of Health and Human Services ONC-Coordinated Federal Health Information Technology Strategic Plan: 2008-2012 (June 3, 2008) articulates these lofty goals:

  • Patient-focused Healthcare: Enable the transformation to higher quality, more cost-efficient, patient-focused healthcare through electronic health information access and use by healthcare providers, and by patients and their designees.
  • Population Health: Enable the appropriate, authorized, and timely access and use of electronic health information to benefit public health, biomedical research, quality improvement, and emergency preparedness.

Available at www.hhs.gov/healthit/resources/HITStrategicPlan.pdf, the Strategic Plan states that "the themes of privacy and security, interoperability, adoption, and collaborative governance" cut across all aspects of patient healthcare and population health, although in very different ways.

It is expected that private sector IT companies will develop interconnected electronic medical record systems and networks. Several companies offer electronic health records management systems that will exchange data among diverse public and private constituents, and will enable local, regional and national health networks. They will provide the flexibility to integrate applications such as lab systems, practice management systems, EHR, IVR, analytics tools, and other capabilities.

Launch of Personal EHR Systems

Google has announced a pilot project with the Cleveland Clinic to create a system of electronic patient health records—Google Health. Kaiser Permanente, the nation's largest HMO, is conducting a pilot to link its health records system to Microsoft's consumer health storage platform—HealthVault. Revolution Health, founded by AOL co-founder Steve Case, is a "consumer-centric health company" that allows consumers to make "informed choices and offers more convenience and control over their individual healthcare decisions."

There are major privacy improvements as well as concerns in these initiatives to create a "healthcare infrastructure" with EHRs.

Google Health is a Web portal where individuals can store and manage their health information. Users can create an account online, a health profile and medical history, and link to references about symptoms and treatments. Because Google has partnered with hospitals, labs and pharmacies, the patient can import medical records and prescription history from healthcare providers. Users can create health profiles for family members or "anyone you care about." When a person adds new health data to the profile, Google Health will check for potential interactions between the person's drugs and allergies. Google Health offers services such as refilling prescriptions online, requesting a second opinion, and searching for doctors and hospitals.

Microsoft HealthVault is a free, Web-based platform that enables patients to collect, store, and share health information with hospitals and physicians. Its stated goal is to "help healthcare providers increase efficiency, reduce errors, and improve care." Microsoft states that "HealthVault provides a foundation on which a broad ecosystem of partners—from medical providers, to health and wellness device manufacturers, to health associations—can build innovative new health and wellness management solutions to help put people in control of their family's health."

For its pilot with Kaiser, HealthVault has partnered with hospitals and medical information and laboratory companies to provide services such as "Clipboard-free Admissions" to hospitals and physicians' offices, Medical Reconciliation and a Direct-to-clinical Authorization Process that will make patients' medical records available anywhere and facilitate medical transactions and decisions. A wide range of technology companies have developed 40 new online health applications and devices to improve information sharing between patients and physicians, and promote fitness and workplace productivity.

Revolution Health is a "free, comprehensive health and medical information site" that offers "best-of-breed health information as well as more than 125 online tools to help individuals take control of their well-being." Membership is a service primarily targeting businesses that helps people obtain answers to health questions, and provides assistance in settling health insurance claims.

The site states that it makes money by selling advertising, memberships to people—either directly or through their employers or organizations—and by selling products through an online store. Revolution Health also sells health insurance through an affiliated company.

Benefits and Risks to Patients

Advocates of EHRs cite numerous benefits to patients—including better quality of patient care, improved outcomes, lower costs, and increased efficiencies for the healthcare community. Healthcare providers will have access to comprehensive patient records, so they will arguably make better healthcare decisions, save patients in emergencies, and save scarce healthcare resources by avoiding duplicating tests and procedures that have already been performed. Longer-term benefits may be standardization of care among providers, medical alerts for drug interactions and patient allergies, and availability of clinical data for use in quality, risk, utilization, and ROI analyses.

Such a complex IT infrastructure of information sharing and continued connection among healthcare providers raises a variety of risks to patients. Personal EHRs may contain the most sensitive personal health information that must be protected: name, Social Security number, date of birth, address, insurance policy information, medical history (diagnoses, medical treatment and drug use) and, in some cases, credit card and financial information.

Potential for Discrimination — Many privacy advocates believe that aggregating large amounts of the most sensitive personal information from many sources into electronic databases poses serious risks to individual privacy, along with a significant potential for discrimination. Insurance companies and employers may request access to this data as a prerequisite to employment and insurance, just as employers routinely run credit checks on prospective employees, accessing the vast stores of financial information maintained by credit bureaus.

Leadership will be needed in government to prevent discrimination on the basis of the wide range of health conditions identified in EHRs. The Genetic Information Non-discrimination Act, which makes it illegal for employers and insurance companies to discriminate against people based on DNA tests that show they are genetically predisposed to diseases such as cancer, heart disease and other serious illnesses, is a model for what is needed on a broad basis. As a related concern, third parties may be tempted to use the data for marketing pharmaceuticals and health treatments, or to otherwise "personalize" each individual's healthcare options.

Privacy Policies — All three EHR systems have extensive privacy policies, emphasizing the control individuals have over their own health information. However, they are not "covered entities" subject to HIPAA. Generally, account owners can view, edit and even completely delete their information. They can determine with whom information is shared; and can revoke sharing privileges at any time. The privacy policies raise some important issues of concern. They are complicated, and illustrate some of the problems with protecting privacy in large, interconnected, decentralized systems such as is envisioned for the nationwide health information network.

Ownership and Control — While privacy policies state that the individual who created the healthcare record has control over decisions about when and with whom the information may be shared, the privacy policies create a complex system of access control. Authorized third-party Web sites may access the user's health information, and store a copy of the information. That copy will be governed by the other Web site's privacy policy. Others at the facility may be able to view the information. The original owner can designate "custodians" who may also have control over the records. Individuals can give "proxy access" to others, such as family members, who may share in or assist in the person's care. Access control becomes even more complicated when the health records are shared. In some cases, the designated custodian can change the access control designation so the original owner no longer has control.

Information Sharing — Although the privacy policies of the personal EHR system apply while the information is in that system, when information is shared with another system the privacy policies of the receiving system(s) govern. This arrangement may create a vast system of inconsistent privacy policies that may contain gaps that do not fully protect the privacy of individual patient records.

Editing and Updates — The originating system enables the patient to edit and delete information from the records. As health records are transferred from one healthcare provider to another, they may also be edited and updated; however, it may be difficult to keep the records synchronized. Deletions may not be made from all copies. When copies of the records are made in other systems and retained, the information will be subject to other privacy policies.

Information Security — Each user account is protected by an e-mail address and password for access control. Considering the sensitivity of individual EHRs, user names and passwords do not provide the security that could be achieved with two-factor authentication and biometrics; best practice in information security requires more than a user name and password for authentication. HealthVault provides digital signature functionality to verify whether the data has been altered. Appropriate implementation of encryption is often difficult in a decentralized system.

Hospitals are a source of birth and death records, which are often used in identity theft. Data breaches in hospitals have compromised large numbers of sensitive patient records. A 2008 HIMSS Analytics Report on the Security of Patient Data commissioned by Kroll Fraud Solutions found that the most frequent cause of security breaches was unauthorized use of the information by individuals employed by the healthcare organization. It is likely that different levels of security will be applied to EHRs depending on the security policies of each healthcare provider.

Release of Protected Electronic Health Records — While in theory patients may control their own health records, those records can be subpoenaed by the government and by private parties in lawsuits. Many states have established programs, with broad access to patient data, to monitor potential abuse of narcotic prescription drugs and to track life-threatening illnesses; government organizations such as these would face a strong temptation or incentive to seek access to this data to mine it for medical studies, or even to take specific actions against offending physicians or patients. The Revolution Health and HealthVault privacy policies specify a number of instances in which patient records may be disclosed for legal reasons, including a homeland security threat (to protect the health and welfare of the public), a threat to the system or network, or cases in which it is necessary to conduct an investigation. These broad categories provide wide latitude for the release of patient records that patients believed were otherwise protected.

Lucy Thomson, Esq., CIPP/G, is an attorney with extensive experience as both a litigator in complex federal civil and criminal cases and as an expert in privacy and information security. During this past year, she served as Consumer Privacy Ombudsman in two federal bankruptcy cases to oversee the sale of electronic consumer records. In her current position as Senior Principal Engineer and Privacy Advocate at a global IT company, she works on teams building modernized information systems for very large organizations. A career Department of Justice attorney, she litigated complex healthcare fraud cases in the Criminal Division, and cases to improve conditions at healthcare institutions in the Civil Rights Division. Ms. Thomson was awarded an M.S. degree from Rensselaer Polytechnic Institute (RPI) in 2001, and earned her J.D. degree from the Georgetown University Law Center.

This article was originally printed in the June 2008 issue of Peppers & Rogers Inside1to1: Privacy newsletter.