Posts Tagged ‘Privacy’

Here I am at the World Health Care Congress with what appears to be all the major movers and shakers in the healthcare sector, Chairmen, CEOs, Presidents, EVPs – some really big names, some very powerful players. Now I will never claim to be as brilliant as these people, after all, I’m writing this sitting in the audience and not up on the stage giving the presentation. But with all this cranium here at the conference, why do I hear so much disinformation?

For example, the session on PHRs and Consumer Engagement had panelists who could not accurately define the offerings of Dossia, Google, and Microsoft’s HealthVault and in some respects, had it completely wrong. These are the biggest players in this space, or at least will be soon, easily eclipsing WebMD, RevolutionHealth or any other PHR-like entity in the market today. Do they do this on purpose, or do they really just not know? Very disturbing when one thinks that these panelists were chosen due to their purported wealth of knowledge on the subject.

Another one is that red herring that I have ranted on in the past and is certainly a pet peeve, Privacy. This issue still gets thrown out there by vested interests (and there are plenty of them here) who have little desire to release the records they control to some third party (or only reluctantly release them) that will stand between them and their relationship with the consumer. Therefore, they throw out the Privacy Bogeyman to scare the consumer and it is really getting quite old. I have yet to hear of one privacy breach at a PHR vendor, but weekly I hear of one breach after another at both payers and providers. So who is more secure?

The whining that physicians cannot go digital because of costs. As I related in my notes from the first day, this should be viewed as an investment in the business. Granted, there will not be an immediate ROI, but it will come in time, that I am sure of, and ultimately it will allow providers to participate in the future as more and more consumers look to engage their providers over the Web and desire greater access to and control over their records. Again, a lot of disinformation on the topic that needs to stop.

Well, enough of my own whining.

There really are some great sessions here today including the keynote this morning from Safeway’s Chairman and CEO, Steve Burd. Safeway is doing some interesting things regarding promotion of health and wellness within their family of employees, their families and even their customers.

Also intriguing is the story at EMC where, to gain credibility for their PHR initiative, they brought in various medical research institutions to promote their ongoing clinical trials within the PHR and solicit employee participation. Involving these research institutions gave the PHR instant credibility and was very instrumental in EMC’s internal push for PHR adoption. After about four years, adoption of the PHR at EMC stands at 50% of all EMC employees worldwide with adoption still growing.

As many who read here know, one of the biggest challenges I’ve discussed regarding consumer adoption of PHRs is making these systems simple and automated.

Simple – as in the example of what Google has done to create a great, yet simple-to-use interface.

Automated – to automatically populate a consumer’s PHR with pertinent health data, regardless of data source, be it pharmacy, doctor, hospital, lab, you name it.

While I do not mean to discount the fine work Google has done to create a simple intuitive user interface, honestly, this is not all that hard to do.

What is extremely hard and will remain a challenge for PHRs, the vendors who create them and subsequently consumers for the foreseeable future is getting that data into a PHR automatically, rather than having to do self-entry.  But how does one get their hands on that data?

Yes, there are issues with standards adoption and more broadly, healthcare IT adoption among providers.  But it is also an issue of control.  Whoever controls the data, controls the relationship.  Thus, many a healthcare stakeholder will be reluctant to fully release such data to the care of the consumer for their PHR, even though by right, it belongs to the consumer.

Like myself, Dana Blankenhorn over at ZDNet has been in the IT industry for a number of years and like me, not just healthcare.  Dana posted a great piece on the issue of data control this morning that is well worth the read for he really hits the nail on the head as to what the real issue is and the Teutonic struggles that lie ahead between all the various stakeholders that are fighting for the mind-share and ultimately control of the consumer relationship.

While there has been plenty of press on privacy and security as it relates to PHR vendors, especially now that Google and Microsoft have jumped into the arena, it is absolutely critical that the press, various “privacy pundits” and the consumer realize that this issue is not just limited to PHR vendors.

Sure, it’s easy to pick on these companies, but honestly, it does not paint an accurate picture as to what the true risks are in the market today as we increasingly move to an environment where our medical records, and for that matter any information about us, will be in digital form. Yes, there are risks, but there are benefits as well, benefits which the majority of Americans are willing to accept in the pursuit of better care.

Now back to those PHR vendors. As I have stated before, the industry as a whole has not done a very good job of policing itself and ensuring that the average consumer easily understands the privacy and security afforded to them in a given PHR.

But moving beyond PHR vendors, there are a number of others who also have information on your medical history. Earlier this week, one of the nation’s largest health plans, WellPoint, announced that it had a breach in security that exposed information on roughly 128,000 members. What is particularly disturbing in this case was that these records were exposed on the Internet for over a year and that this was far from an isolated incident at WellPoint.

And WellPoint is not alone. There was the stolen laptop in January that contained records of some 300,000 members of Horizon Blue Cross Blue Shield of New Jersey and the stolen laptop in late February of an NIH researcher with some 3,000 records. And there are many more such incidents you will find by simply doing a Google search.

And who said hospitals were safe? A report just released from the healthcare IT group, HIMSS (Health Information Management Systems Society) found in their survey of 263 HIT professionals that more work needs to be done to better protect and secure patients’ medical records.

This is, dare I say it, a universal issue that will affect any organization regardless of size and where they are in the broad supply chain of medical records, be they payers, providers, researchers, consumers and of course PHR vendors. There are no easy answers here and we may need to simply accept the fact that with the digitization of some of our most important and sensitive information, our medical records and history, there will be risks which we will all share. Hopefully, the benefits that we will accrue through the adoption and use of such digital records will outweigh those risks.

There is a tremendous amount of press with associated pundits pontificating on the issue of security and privacy of electronic medical records (EMR) and personal health records (PHRs). Cries of “I’ll never put my information on Google Health or Microsoft’s HealthVault” are commonly heard and widely reported.

But it is always easier to point the finger at others, than at one’s self.

This week’s InformationWeek has an absolute must-read feature story on the risk of peer-to-peer (P2P) networks. While P2P technology is a very viable and useful technology for businesses to use, such as in a research setting for sharing, for example, complex bioinformatics data, P2P has its share of risks as well. Unlike actual theft of data via hacking into data centers, in the P2P world data on one’s laptop is often inadvertently shared via consumer-based P2P applications such as LimeWire.


Source: InformationWeek, March 17, 2008

For example, an employee or a consultant or even you may have sensitive data on your laptop, such as health records. All the recommended security precautions have been taken, but you also have BearShare, LimeWire, Gnutella or some other consumer-centric P2P app loaded on that laptop for music and video sharing. Unbeknown to you, however, if you have not configured the P2P app properly prior to use, you open the doors to sharing not only music and video data, but other files as well, including those health records.

It was a situation such as this that led to the very public data breach at Pfizer last summer as well as the inadvertent release of a terrorist threat assessment report by Booz-Allen Hamilton for the Chicago Transit Authority. And despite these clear security breaches, InformationWeek demonstrated in this article just how easy it is today to go out and find all sorts of files (the reporter even found a nice set of health records) if you know what you are doing and where to look.

Now I am a strong believer in a consumer’s right to have control over their health records and if they have those records stored within an online PHR, that security and privacy are held paramount. I have also posted previously that I believe that PHR vendors have not been pro-active enough on this issue. But what I am increasingly having a problem with are the sensationalist organizations such as the World Privacy Forum and the general press that are looking for quick sound bites without having to do any investigative reporting. As the above issue on P2P security clearly illustrates, maybe the problem with security and privacy of sensitive records such as health records is not “out there” on Google Health, HealthVault, WebMD or some other health record service but right “in here” within our own computers, those of a consultant or even the computer my doctor is using.

Time to take some personal responsibility folks.

And by the way, are you using P2P, or more importantly, do you share your computer with other family members, say a teenager who has downloaded a P2P app on to that computer? Don’t say I didn’t warn you.

This week, the “Live Free or Die” state of New Hampshire’s House voted down House Bill 1587, a bill that would have strengthened the privacy rights of consumers.

The biggest objections to this bill came from the medical establishment itself claiming that passage of the bill would stall adoption of healthcare IT (HIT) systems. In one of the more bizarre statements, Kathleen Bizarro (I’m not making that name up), EVP of the NH Hospital Association, stated the bill would “essentially put a halt to the development of electronic medical records.” The medical establishment went on to state that the bill was too onerous, would restrict a physician’s ability to provide good care, and that it would exceed existing federal laws (HIPAA).

All of these are pretty empty statements for the following reasons:

  • The bill was designed to simply provide the consumer more control over who gets to see their records. That is not a major burden for providers. In fact, if a consumer requested an audit trail, the provider/hospital could charge the consumer a fee for providing such a report.
  • Adoption of HIT is not struggling due to privacy/record access issues, nor will it be in the future. HIT is struggling simply because for most physicians, the value proposition is not there.
  • In many states, laws have been passed to strengthen privacy above and beyond HIPAA as HIPAA certainly has its fair share of weaknesses. Unfortunately, most do not know this and hold up HIPAA as the be-all and end-all for privacy requirements.

Clearly there were other factors at play here as to why these organizations were against the bill. I have not read the bill itself and there may very well be some good reasons to oppose it, but based on the aforementioned arguments that were used, I have the feeling that this was a good bill and that special interests who have a vested interest in keeping firm control of consumers’ health records were at work here.

In a little touch of irony, legislators were granted privacy on this vote as they were able to cast their votes anonymously thereby not showing the public what side of the issue they were on. And it was a close one, defeated 166 to 150. The measure has gone back to committee for revision.

Matt Holt, owner and master of The Health Care Blog, has an excellent post today on PHRs and privacy.  It is a long post, at times more of a rambling rant, but in the end it does a great job of thoroughly reviewing a lot of the brouhaha surrounding this topic and discrediting many of the privacy advocate statements that have been made recently.

I’ve written on this topic numerous times, (just click on the “Privacy” in the tag cloud on your right) most recently calling all of this a red herring with the press being extremely lazy and not willing to look beyond the “privacy issue” to what benefits might accrue to the healthcare system via PHRs.

And it is not like the PHR vendors have done all that great a job on the issue either, though I do see that changing with Microsoft now in the market. Google, in time, can be expected as well to have some good policies in place but to date they have not shared them. Google missed the boat on that one and I hope they will follow Microsoft’s lead.

A little over a week ago I had a post that discussed the recent release of the World Privacy Forum report on PHRs. In that particular post I hit Microsoft pretty hard for not extending their tight privacy policies to the numerous partners that were signing on to HealthVault. I based that comment on a conversation several months previous, shortly after the release of HealthVault, when during a briefing I asked about this issue and was given a response basically saying that their partners were independent companies, had their own businesses to run, could define their own policies, blah, blah, blah.

Obviously, I was not impressed and took Microsoft to task when the aforementioned PHR privacy report was published.

Of course, Microsoft contacted me immediately to tell me that I had it all wrong, that indeed they were requiring partners to adopt the excellent HealthVault privacy policies in order to participate in the HealthVault ecosystem and that this was a part of their standard Terms & Conditions (T&C) sheet.

I responded: “Prove it.”

At first, Microsoft was reluctant to send me a copy of the privacy requirements in the T&C. Then, out of the blue, during my briefing with Microsoft at this week’s HIMSS I was told that I would be receiving the document post-haste. Well, guess what, they not only decided to share the document with me, but have posted the T&C privacy requirements within the HealthVault Development Center for anyone to view.

It is an impressive privacy document that clearly gives the consumer control of their records. It requires the partner to take numerous steps to ensure privacy including, among others, adopting HealthVault privacy policies, using explicit opt-out policies, prominently displaying their privacy policies on all web pages and informing the user of any changes that are made to policies. Here is a direct link to that partner privacy policy page.

Good example of full disclosure that others would be wise to emulate.

Speaking of which, I have yet to see Google’s privacy policies for Google Health, though Schmidt yesterday did clearly state that Google takes privacy very seriously. Well…

Prove It!
