Earlier this month, Google announced a pilot program with the Cleveland Clinic to store patients’ medical records online. Privacy and security concerns were raised, notably that Google doesn’t have to abide by confidentiality rules that govern doctor-patient relationships dictated by HIPAA.
However, Google’s plan to put patients in control of their own records and make those records transferable is a useful one, especially to anyone who has filled out four or five paper forms every year at three or four different doctors. As for the very real privacy concerns, medical records aren’t too secure anyhow. And think about the synergies created by storing medical records online, combined with the genetic data provided by Google-backed 23andMe.

  1. Not to be pedantic, but HIPAA only has one P and two A’s. I work in healthcare IT and this irritates me to no end.

    As for putting the Patient’s EHR online, it’s an interesting idea, but I’m not sure that there’s a good mechanism in place for me to go from one healthcare system (Cleveland Clinic) to another (say, University of Chicago). Unless you have an agreed framework to work with, it might be easier and less of a hassle to stick with the paper forms. Between HealthVault (Microsoft’s entry), there’s no agreed standard, just two companies leading the charge.

    In my opinion of living in the world of healthcare IT, this is a solution looking for a problem.

    The idea of “portability” is a cool thing, but for a vast majority of patients the solution will be too difficult.

  2. Carolyn Pritchard Thursday, February 28, 2008

    That typo has been fixed, Nick. Thanks, Carolyn.

  3. Exactly what do you mean by “Google Creates Giant SSN Database”? SSN implies Social Security Number. The title is not consistent with the content of the article.

  4. @Tim: ditto!!

  5. Nick,

    No flame here, but saying that this is a solution looking for a problem is like those folks that said, “what do I need a mobile phone for? I have one at home.” Of course they were perfectly correct, but a touch short-sighted. I agree with you that an agreed upon framework will make your life a lot easier and probably entirely necessary for that “vast majority” you are speaking of.
    With the 800-pound Google leading the way, that “agreement” may be whatever they say it is. And you are right, it is an interesting idea, interesting enough to merit Google’s attention. If they are on the scene it will get done. I just hope they are consulting with dudes like you who are in the trenches every day on this issue so they get it right.
    I don’t love Google, but I would just as soon have them do it rather than leave the door open for four other players with competing philosophies to muddy the water for you and the public. We’ll see…

  6. So who is giving Google the right to put someone’s healthcare data in their own system? And simply saying that data is not secure anyway, so don’t worry about security, is, well, rather lame, don’t you think?

    What is next? Another unholy trifecta like Experian, Transunion et al, with all one’s financial data merging that with your health data–with NO say so from the actual user?

    What rights does a medical patient sign over to Google for this data?
    Does Google get to cross-reference this to your Google Mail account and then offer targeted advertisements based on your health?

  7. Stacey Higginbotham Thursday, February 28, 2008

    @Tim and DEC, maybe I was getting too clever. Most medical records contain social security numbers, and as such, Google’s repository of health records will also contain SSNs. It’s just a reminder that medical records contain more than health information.

  8. I think we are way overdue for health information to be stored and shared electronically. However, regardless of who is in charge of that, I do think they need to be subject to HIPAA regulations. The problem is that no one really enforces those. I’ve worked on the business and IT sides of health care and 2 hands are definitely not enough to count all the major companies that blatantly violate HIPAA regulations (some trivial, some not) every day.

    When I was on the business side I would get several unsecured emails each week from insurance companies sending SSNs, full names and other private data. After years of no repercussions, many people feel they have no incentive to go through the extra time-consuming steps required to safeguard PHI.

  9. Alexander Sicular Thursday, February 28, 2008

    To say that Google does not have to abide by HIPAA is just plain wrong. I, too, work in healthcare IT and I know for a fact that when we work with outside vendors that need access to healthcare related data they need to sign a vendor agreement that legally binds them to the same provisions as the institution. Where do you think the medical data is coming from? Cleveland Clinic which just happens to be a major healthcare provider. There is no way Cleveland Clinic or any other medical data repository could hand over data to a third party without an obscenely massively thick legal accord that would require the third party to be a doggedly stalwart steward of that data.

    According to the linked Cleveland Clinic press release, “…an invitation-only opportunity offered to a group of Cleveland Clinic PHR users, plans to enroll between 1,500 and 10,000 patients.” This is an opt-in program. Patients will be solicited and no doubt have to agree, in writing, to have their information be accessible to Google in the proposed system. Nevertheless, once that data resides electronically within a vehicle that the patient has access to, that patient has the right to share that data with whomever they see fit.

    This may be a bit off post but in regards to using this data in a research capacity, there is a board of governors at every research institution called the “Institutional Review Board” (IRB) that authorizes when and in which way data may be used for ongoing research. In order to use pre-collected data an investigator would have to seek and receive permission from the original primary investigator, consider patient solicitation is not permitted. I’m confident data may be used in aggregate for other purposes like public health purposes though.

    Regarding SSN information, it is true that SSN data has been routinely collected and maintained by healthcare institutions. However, new rules are being implemented that discourage this practice by enforcing strict penalties for SSN misuse. My institution happens to be located in NYC and we have been counseled by our legal staff to discontinue SSN usage in future projects and strictly limit access in current systems to comply with these new rules at the NY State level. If I were asked to advise Cleveland Clinic and Google on this project I would just as soon recommend that they omit SSN data when “integrating with the Google platform.”

    I would like to disclose that I am not a lawyer or an expert on HIPAA. However, I have been in the medical IT field for close to a decade creating systems that are in production at a major university teaching hospital in NYC and am well aware of the legal constraints of HIPAA and “personal, identifiable, health information” better known as PHI in the industry.

  10. I am sure Google will comply with the medical standards. I just want to ask you, do you have a complete medical history? Many of us would say no. But if we have good record keeping it will help the doctors to formulate a better plan for us. Would you rather have handwritten records that nobody can recognize or digital records? It will help the pharmacies to give the correct prescription.

    Regarding the title, they may save the SSN number but that doesn’t mean Google will share it with everyone.

    We already have too much online data in Stocks (Etrade, Sharebuilder), Banks (Wamu, Mint), Shopping (Amazon, Buy.com), so what is the big deal as long as they maintain security?
