Google, the Cleveland Clinic and the Privacy Zealots

So Modern Healthcare’s Joseph Conn has a whole page to write about the Cleveland Clinic and he writes just about HIPAA and the fact that this pilot is not going to be covered by it. Writing in the San Francisco Chronicle, Victoria Colliver talks about not a lot more, but at least she has someone stating the bleedingly bloody obvious—

"If it’s made convenient
enough and easy enough, people will be no more concerned about privacy
with these systems than they are with their financial information," he
said. "Far more people die because health information is not released
or difficult to get … than anybody’s ever been harmed because the
information has been inadvertently released."

OK so it was me she quoted, but someone needs to give Deborah Peel
and whoever the hell the World Privacy Forum is a big shake. I say this
as a card-carrying member of the ACLU and Amnesty International who is
deeply concerned about anyone’s private information and what use is
made of it.

And the shake is, if a government overhears your private information
illegally (or quasi-legally) it can use that information to take away
your freedom and worse. So the standard for their ability to access
that information should be an awful lot higher than it is in virtually
every country—including this one.

If a private corporation unwittingly lets slip your private health
data, or even uses some aspect of it knowingly to target you for
marketing, the chances of you suffering much from it are very, very low.

These are vastly different things, and conflating the two does not help in the least.

Furthermore, the potential for improvements in health outcomes and
efficiency from the type of things Google Health, Microsoft and
everyone else working in this business are trying to do vastly exceeds
any possible risks associated with this disclosure. The kind of
language used by the privacy zealots besmirches the honor of the people
at Google, Cleveland Clinic and many other places working very hard to
fix these problems.

Furthermore the potential for harm from inadvertent disclosure would
be even less if we had sensible insurance reform that prevented
discrimination against people with certain health conditions. Of course
that discrimination exists right now every day in America. It causes
far, far more pain than any potential privacy violation. And I have not
seen Deborah Peel in the paper complaining about it.

For that matter while Peel’s complaining about Google, and lots of
other HIT vendors—without any good reason or evidence—she’s been
publicly praising Microsoft without acknowledging any of the accusations Fred Trotter and others have been making about her basic technical understanding of HealthVault. Perhaps it’s about time she came clean on the economics of that relationship.

CODA: For the record—other than one or two employees of Google and
Microsoft attending the Health 2.0 Conference in which I am a partner,
and my doing a small amount of consulting with a contractor who was
working for Microsoft in 2006, I have no financial relationship with
any of these companies. Not that it would change what I thought.

8 replies »

  1. I have to agree with Holt here. The P in HIPAA stands for portability not privacy, and its authors have been very open in their frustration that it has become an obstacle to portability rather than a guarantor of it.
    Isn’t the real concern here that employers could find out that an employee has a condition that will impact their productivity or make them expensive to insure and that the employee will be terminated and unemployable because of that information leak?
    There are many legal safeguards against that kind of behavior and if Microsoft or Google was ever found to have sold information for that purpose, or an employer was ever found to buy data for that purpose – they would be on the hook for millions in damages from any jury in the country and the wronged employee would be financially compensated for pain and suffering in good measure.
    The point is that reasonable protections – and more importantly very strong financial incentives – already exist to prevent that kind of abuse. Going overboard with HIPAA to me just seems like political pandering and spotlight grabbing by jumping on the coattails of something that sounds good and polls well: “protecting the privacy of Americans’ health information”, but is actually doing much more harm than good.

  2. Until someone explains to me exactly how Microsoft and Google (disciplined and focused companies I really respect, incidentally) are going to make money doing this, I have to assume that it is by extending their existing business model to medical “applications”, e.g. by mining my records and selling access to my related search activity to those whose products are relevant. How else are they going to generate payback from these products? (And did I miss the press releases about how they are going to behave as if they are “covered entities” under HIPAA even though they are not?)
    There is the classic Health 2.0 question, of course. No-one I know is in a better position to answer the “business model” question than Matthew. (Let’s leave the “Where are the customers?” question for a separate post). And PLEASE don’t tell me that PHR technologies are so revolutionary or the social benefits so large that investors and developers don’t need an ROI. It has to be there somewhere, or this ain’t business. Don’t tell me I don’t get it, dude. Make me get it.

  3. I don’t mind adding Dmitriy & tcoyote to the list of people who should give themselves a shake too!
    For a start, as I’ve said in this article and many times, and at least one of these commenters has written at length, the benefits of sharing health data in clinical situations massively outweigh the risk. So that should be the focus of the discussion.
    I am NOT saying that there shouldn’t be privacy protections and there is no reason in my mind why, for all HIPAA’s flaws, it cannot be extended to PHR providers as covered entities.
    However, as far as I can tell nothing that is happening here violates HIPAA. Showing you keyword-based advertising may not be to everyone’s taste, but it does not mean your private health data is being transferred to anyone. And presumably your data will only end up in these services if you give them permission to accept it, which will include consent to provide whatever services and advertising you’ll see.
    And that’s assuming that either company does advertising based on records rather than search terms (which is how Google makes that 98% of their money).
    But exactly where are Microsoft and Google suggesting that they’re going to be selling private identified data?
    Microsoft has bent over backwards to demonstrate that they have no intention of allowing themselves or anyone else to access your health records without permission. And Google will likely do the same when it announces its plans officially.
    And of course if you’re paranoid about your health records being with them, I’m sure someone else has a solution that you’ll like instead, or you can be free to not use any solution.
    And as for consumer reaction? Dmitriy really needs to begin to understand what shapes consumer opinion and action. It’s what gets written in the press. And if reporters consistently concentrate on irrelevancies and miss the bigger picture, that consumer opinion will take a while to get to the right opinion on the important issues. (Did you notice the Iraq war, Dmitriy?)
    And if Dmitriy thinks I’m promoting this simply for my personal gain, and that there’s no benefit to better, more controlled sharing of health information using Google, Microsoft or any other vendor as a vehicle….well I’m not sure a shake is enough.

  4. I see your point, Matthew, but I think people are concerned that this stuff will go live with safeguards that are only retrospectively realized to be inadequate, but by then it will be too late. Too often we let things go in our enthusiasm, only to be hit in the face with the possible pitfalls AFTER the cat is out of the bag. One non health-care example is the failure to legally bar the cell-phone-while-driving phenomenon early enough to effectively prevent it – now it’s like pulling teeth to get people to realize how dangerous it is; and it, too, is killing people every day.
    As they say, an ounce of prevention is worth a pound of cure.

  5. Doesn’t Google derive something like 98% of its rapidly growing revenues from advertising? Wouldn’t Microsoft like to have Google-like earnings growth by tapping into the same source? Can someone explain to me why I would want to stash my medical records with either company if there were no legal limits on who they could sell my personal data to or what could be done with it? This isn’t a defense of the Patriot Act, or the virtues of government spying on us in the name of protecting us from terrorism. That’s not OK either.
    Matthew, are you suggesting that HIPAA’s privacy protections were a bad idea to begin with or merely that it is bad to apply them to Google and Microsoft? Or were the protections simply inadequate to begin with? Or are we presuming that the social benefits of these benevolent companies’ business plans vastly outweigh any conceivable benefits from having HIPAA’s privacy protections applied to their work?

  6. Well, well, well.
    Looks like you are the only pundit who covered the launch and sees absolutely no problem with these PHR services. I am hard-pressed to find positive coverage anywhere else. Like it or not, a mere perception of a privacy problem here makes this problem very, very real. Consumer Internet 101, for those who need to be “edicated”.
    You should update your disclosure to say that success of anything labeled Health 2.0 depends on the general level of hype in the industry (e.g. whether people are willing to drink Kool-Aid). Inconvenient facts kill the hype and make people ask inconvenient questions. Few things would stir more scrutiny than reaction to Google Health launch.
    That must be a bummer.

  7. I agree that the potential benefit of these personal medical record systems outweighs the privacy risk, and I am sure more laws will be passed. But for my money I would never trust Microsoft with this given its track record with Windows, and Google has stumbled around now trying to team up with a big bureaucratic health system. For my money I am sticking to the smaller companies like http://www.medicalrecords247.com to have the most relevant and easy to use system.