Google Health offers an interface that allows users to build comprehensive health profiles, including information on conditions, medications, allergies, and procedures. The information may be typed in directly, chosen from drop-down menus, or uploaded from participating providers. The drop-down menus contain mind-numbing lists of conditions, from Aarskog syndrome to Zollinger-Ellison syndrome. And each menu item points patients toward information that can help them manage their health. The link beside diabetes, for instance, takes users to a page featuring lists of symptoms, treatments, and complications, search results from Google Scholar, news items, and illustrations. HealthVault’s welcome page looks more like an interface for online banking, but like Google Health, HealthVault lets users link to third-party applications.
Since they deal with sensitive personal data, however, both HealthVault and Google Health raise significant privacy concerns. Such services are not covered by the Health Insurance Portability and Accountability Act, or HIPAA, under which hospitals, doctors, and third-party payers typically cannot release information without a patient’s consent. Google and Microsoft do promise not to share personal health data without consumers’ permission: “We make a very clear promise to consumers about what we will and won’t do with their data, and we’re happy to be accountable for those claims,” says Peter Neupert, corporate vice president of the Health Solutions Group at Microsoft. But those promises are not backed by law.
Privacy experts are particularly worried about the release of data to vendors of third-party applications. If a drug company offers a medication reminder, and patients opt in, giving the company information about their drug-taking routines, can that information later be used for marketing? There’s a risk of personal data “leaking out through these applications,” says Kenneth Mandl of Children’s Hospital in Boston, who cochaired the Harvard Medical School Meetings on Personally Controlled Health Record Infrastructure in 2006 and 2007. (Google and Microsoft say that vendors will have to disclose how they intend to use consumer data.) What’s more, many vendors offering advice on medications and treatments could have conflicts of interest – and their advice might not be sound in any case. There’s “really no oversight,” says Mandl. He argues that some combination of regulation and certification of third-party vendors is needed.
The privacy issues aren’t insurmountable. Microsoft and Google could be brought under HIPAA’s umbrella, or new rules could be enacted that give consumers stronger protection – and greater legal recourse if their records are leaked or improperly sold. But it needs to be recognized that medical information – histories of mental illness, paternity tests, genetic information – can be far more sensitive than browsing histories or even financial records. While Google and Microsoft promise to put users in control, they are also inserting themselves between patients and their most intimate data. Until their legal responsibilities to patients are clarified, only a very trusting soul would sign on with the new platforms, however appealing they may be.
Amanda Schaffer is a science and medical columnist for Slate and a frequent contributor to the New York Times.