Both Google Health and Microsoft HealthVault are now offering their services – and servers – to consumers who want to store their personal health records (PHRs) online. Consumer advocates say they’ll be keeping a close eye on both technology giants to make sure they have a healthy respect for their customers’ privacy.
I asked the Center for Democracy and Technology in Washington, D.C. for its reaction to Google Health and Microsoft HealthVault. The email I received from Deven McGraw, director of the CDT’s Health Privacy Project, acknowledges that both companies have good privacy policies.
“But good privacy policies alone are not sufficient to protect consumers using these tools,” she says. If HIPAA has no impact on the policies, “consumers must rely on the Federal Trade Commission to ensure that the entities offering these PHRs abide by their privacy policies.”
The CDT has called upon the government and the private sector to come up with a new roadmap for dealing with this uncharted Internet territory. McGraw’s big worry is whether third-party vendors working with Google and Microsoft to offer products to their customers will also make privacy a priority. “It will be difficult for the companies offering these PHRs to monitor all of the vendors closely (particularly as the number of participating vendors increases over time) to ensure that they are meeting the company’s privacy requirements and other terms of participation. Consumers could end up authorizing the sharing of their information with a vendor who then turns around and sells the data or uses it to target them with specific ads or product offers.”
Concerns about online health records existed before both Google Health and Microsoft HealthVault went active. McGraw cites a study in early 2007 by the Office of the National Coordinator for Health Information Technology. More than 30 PHR vendors were surveyed; none covered criteria found in privacy policies. Only two could explain what would happen if the vendor suddenly ceased operations, and only one had a system in place for dealing with deactivated accounts. Not a good prescription for comfort if you are living with a serious medical condition and are trusting a company’s computer network to protect such sensitive information.