
February 21, 2008

Information about you

Regular readers know that the race for our personal health information has been going full steam ahead by government agencies, insurers, pharmaceutical companies and those selling “health and wellness.” Participating in those health risk assessments and voluntarily entering information about our health and lifestyles into online personal health records allows our private information to be shared, sold and used, all without our permission. And it can and will be used against us.

Today the Cleveland Clinic, which says it has the online personal health records of 120,000 people, announced that it has partnered with Google and will turn over the records on up to 10,000 people, to start, “to help create national access to electronic medical records.”

“The partnership with Google is an example of true innovation in health care which brings value to patients and providers,” said Delos M. Cosgrove, M.D., President and Chief Executive Officer, Cleveland Clinic, and member of the Google Health Advisory Council.

As JFS readers know, no online health record service can protect the privacy of your information or let you control who has access to that information or how it may be used. When you volunteer personal information on your health, diet and lifestyle to participate in a “health risk assessment” or an online health record service — whether it’s to get a free gym bag, discounts on insurance premiums for participation, or you believe it provides a convenient service and will give you personalized health information — the ultimate price is your privacy and ability to make your own health decisions.


Online health record service databases

As you’ll remember, last year, Google created an online health record service, called Google Weaver. It asks consumers to share personal information about their health and lifestyle habits, family history, health history, lab test results, etc. You can even add your pharmacy records. Creating a database with detailed information about your health and lifestyle behaviors will hold considerable commercial value and vast marketing potential for Google. Google Weaver also offers custom “Health Guides,” information that’s been selected for you to “manage” your health care.

Simultaneously, Google created its “Google Health Advisory Council,” to manage the health information you are given according to what its stakeholders “believe is relevant for you.” The health information accessed through Google can be selected for you, even down to your internet searches — information you use in making healthcare decisions. Commercial interests who’ve purchased access to your online health data can also guide you, through ads and content, to their products and services, and help you make the “right” healthcare decisions.

Online health record services such as Google’s assure consumers of privacy protection and that they will have control over their personal information. But, in fact, these services are not covered or bound by any medical privacy laws. As Twila Brase, RN, president of Citizens’ Council on Health Care, cautioned: “Google could share the data broadly. They could sell it to anyone, including insurers and government. They could use it any way they wished... Health plans, hospitals, government, employers and the data industry will have ready computer access to comprehensive medical records on anyone.” The potential for abuse includes using the information to deny medical treatment, insurance coverage or benefits, or employment, or to financially penalize those not complying with government or insurer treatment protocols.

As CNN Money reports today, more than 200 vendors, which include insurance companies and internet and information tech companies, are vying to provide electronic health records and thereby gain access to personal information. As we’ve seen, the enormous databases of private health information these services are compiling hold tremendous commercial value, as well as potential for abuse.

The information used to create these databases can come from a variety of sources, some more surreptitious than others, such as genetic research projects or online weight loss and preventive health programs. The largest and first database ever assembled in the history of the country of personal health information on ‘overweight’ and ‘obese’ African-Americans is using a quack diet to lure participants and hopes to have 5 million in its database when it’s done.

Employers also promote personal health records and health risk assessments, often working with health plans. Multiple commercial online services have also surfaced. Revolution Health, founded by AOL co-founder Steve Case, got into the act last fall, making it the second-largest online health information, health products vendor, PBM, and electronic health record giant on the internet.

The largest online health information company, WebMD — which owns and operates WebMD Health, Medscape, MedicineNet, e-Medicine, e-Medicine Health, RxList and theheart.org — also provides personal health record services to more than 90 large employers, pharmaceutical companies and health plans (Aetna, Cigna and Wellpoint); and was awarded the government contract last summer to develop personal health records for the Centers for Medicare & Medicaid Services using its claims data. It also supplies the financial technology and health information applications for large employers, the pharmaceutical industry, health plans and financial institutions; has a Weight Loss Clinic and produces obesity materials in collaboration with The Cleveland Clinic.

Aetna, WellPoint, Kaiser, Blue Cross and other coverage providers have been building personal-health records, tying them with pharmacy records and their own pharmacy benefit managers (PBM), and laboratory and medical billing/claims data they hold; and partnering with health information services.


HIPAA privacy protections real and imagined

As you can already see, the lines are blurring between the health records held by insurers and healthcare providers, which are covered entities under the Health Insurance Portability and Accountability Act of 1996 and bound by the law’s privacy protections, and those held by entities that aren’t. Technically, HIPAA provides minimal national privacy and security standards for the disclosure, access, correction and other elements of fair information practices relating to personal medical information. Covered entities are bound by HIPAA and, for example, aren’t supposed to disclose information for marketing purposes and are supposed to notify people if their records have been subpoenaed by the courts or government. But in actuality, this federal law gives the government and insurers use of our private medical and pharmacy information for just about any purpose they desire, to compile databases for surveillance, and to share it without our permission or knowledge.

The recent push by the government, insurers and pharmaceutical companies for a national electronic health information network has included policies for how the government and third party interests can collect, use and sell our personal health information without our consent. Electronic records are of paramount importance, according to stakeholders at the Alliance for Health Reform conference, because they will allow the tracking of patients’ and doctors’ behaviors for their compliance with screening, prescriptions and care management; are essential for provider performance measures; and are key to enabling control over medical information reaching providers and consumers.

As minimal as HIPAA privacy protections might be, HIPAA doesn’t apply to commercial vendors who offer personal health records or health risk assessments, such as internet services like Google. That means consumers have no protections at all over what happens with their personal information... except to not voluntarily give it to them.

The World Privacy Forum, a nonprofit organization, has just issued a guide with information every consumer needs to know about the potential risks to their privacy resulting from personal health records. One important point made by Robert Gellman, a privacy and information policy consultant based in Washington, D.C. who co-authored their guide, is that when a personal health record service uses the term “HIPAA-compliant” that should not be confused with “HIPAA-covered.” If it’s not covered under HIPAA, it is not bound by any laws that protect you.

Their investigation found that every personal health record vendor’s privacy policy statement said the vendor reserved the “right to change the policy at any time, without notice, and without the user’s ability to object.” What this means, said Gellman, is that:

[E]ven if a PHR vendor has a current set of policies that protect privacy, the vendor can change those policies at will and with retroactive effect on previously collected information. If a PHR vendor finds that it is not making a profit, it can amend its rules about sharing information with marketers and try to increase its revenues. It is unlikely that PHR users will have the right to consent before a commercial PHR system changes its privacy policy. As the PHR industry consolidates, there could be a race to the bottom because the vendors who share information more broadly have the best chance to survive.

“Many consumers have this deeply held belief that their health information, no matter where it travels, is protected in the same way as when you have a doctor/patient relationship,” said Pam Dixon, World Privacy Forum executive director and co-author of its consumer guide. In reality, consenting to have your information shared to a noncovered system would likely be viewed as demonstrating that you had waived your privacy privilege. Especially worrisome, she said, is the potential for how your personal health information will be sold and used for marketing purposes.

While nationalized electronic health record databases under HIPAA may not be something individuals feel empowered to stop, they can choose not to voluntarily turn over their private health information. Gellman and Dixon closed by saying that one option is to maintain your own records:

You have the right to obtain a copy of your health records from your health care providers and health insurers, and this is something that is generally a good idea. There are software tools that you can use on your own computer to help keep your records organized, or if you wish, you can store your files in other formats, such as paper or on discs. The American Health Information Management Association has a helpful and useful site on this topic, http://www.myphr.org/.