More on Google and the Cleveland Clinic

For a start, as I said in my last post and many times, and as at least one of these commenters has written at length, the benefits of sharing health data in clinical situations massively outweigh the risk. So that should be the focus of the discussion.

I am NOT saying that there shouldn’t be privacy protections and there is no reason in my mind why, for all HIPAA’s flaws, it cannot be extended to PHR providers as covered entities.

However, as far as I can tell nothing that is happening here violates HIPAA. Showing you keyword based advertising may not be to everyone’s taste, but it does not mean your private health data is being transferred to anyone. And presumably your data will only end up in these services if you give them permission to accept it, which will include consent to provide whatever services and advertising you’ll see.

And that’s assuming that either company does advertising based on records rather than search terms (which is how Google makes that 98% of their money).

But exactly where are Microsoft and Google suggesting that they’re going to be selling private identified data? Nowhere. Microsoft has bent over backwards to demonstrate that they have no intention of allowing themselves or anyone else to access your health records without permission. And Google will likely do the same when it announces its plans officially.

And of course if you’re paranoid about your health records being with them, I’m sure someone else has a solution that you’ll like instead, or you can be free to not use any solution.

And as for consumer reaction? Dmitriy really needs to begin to understand what shapes consumer opinion and action. It’s what gets written in the press. And if reporters consistently concentrate on irrelevancies and miss the bigger picture, that consumer opinion will take a while to get to the right opinion on the important issues. (Did you notice the Iraq war, Dmitriy?)

And if Dmitriy thinks I’m promoting this simply for my personal gain, and that there’s no benefit to better, more controlled sharing of health information using Google, Microsoft or any other vendor as a vehicle….well I’m not sure a shake is enough.


24 replies »

  1. Soon after study some of the blog posts on your webpage now, and I genuinely like your way of blogging. I bookmarked it to my bookmark site list and will likely be checking back soon. Pls take a look at my web webpage also and let me know what you feel.

  2. I can’t begin to tell you what a nightmare it was to have surgery with this guy.
    From his inept office to University hospitals billing, the whole experience was awful. I should have used Cleveland Clinic.
    First, his staff overbooks his surgeries. After waiting in a hospital bed for 8 hours, he greets me politely, then informs me he is way behind because I arrived at the incorrect time. I tell him that I arrived 15 minutes before the time that was shown on the letter from his office and offer to retrieve it for him. He declines the offer, and says ‘the office must have screwed things up’. No apology for the accusation, but whatever. I’m there to get my rotator cuff done, not strike up a friendship.
    After the surgery, my bicep, chest and shoulder were black and blue. Blood had gathered in the bottom of my bicep and skin looked like it was transparent. That’s probably very common for this type of surgery, I don’t know. After the pain block wore off, the pain was terrible. I was given a prescription which I proceeded to take as often as needed for pain relief. I soon found I did not have enough to make it to the next office visit. I would call Dr. Victoroff’s office, and of course he was never there so I was passed on to his assistant who is very capable of making you feel as though you’re an addict. I asked Dr. Victoroff if he thought I was addicted to the pain killers and he informed me, he did not think that was the case. I informed him I was going on vacation to California with my family, and I would like to be comfortable and not in pain. This was a once in a lifetime vacation for my kids and I did not want to be in misery. So off I go with the scripts written by Dr. Victoroff only to find out midway through my vacation that he had reduced the usage amount and I could not fill the second script for another 10 days. Thanks a lot Doc you prick.
    So, I come back from vacation, make an appointment with Dr. Prick and as it turns out he has some other guy standing in for him (Don’t know his name, but he is a kid from California and he’s good)
    Dr. Victoroff shorted me at least 2 months worth of pain meds, so if you’re looking for a comfortable post op, don’t go here.
    You can go ahead and think I’m a wuss, but I’ve had several knee surgeries on both knees and nothing ever came close to this.
    I’ve reached the point of posting this blog after billing issues have me enraged. Each time I pay these yahoos it needs to be done twice. Even when you get confirmation numbers from them, you will be called by a collection agency as I was today. I spent my entire day on the phone with a collection agency and U.H. billing department trying to get this crap corrected. Included in this debacle, is a bill to me (that I stupidly paid) which they sent to an insurance carrier that was not mine. Of course, payment was denied by the insurance company and I didn’t notice this single charge for $333 amongst ten other charges.
    After a day on the phone with UHC I finally think it’s correct due to the manager of billing by the name of Laurence Mosley. Laurence seems to be more than capable. However it is too little, too late. I will tell everyone within earshot what I think of Dr. Victoroff, his office and the University Hospitals.

  3. What Google and Microsoft are doing is vaporware. This issue about privacy is also overblown. I think Google and Microsoft have a very short term memory because WebMD tried this last decade and failed. What makes this different? In my opinion it is the same stuff.
    The only way healthcare will be changed is from the inside out, not from the outside in.

  4. Patient Privacy issues are seriously overblown. The information has little to no value to an outsider other than for the purposes of gossip (see the incidents at UCLA medical center as an example). This is not financial information, which if obtained by an outsider can ruin your life. With the advent of on-line banking the security measures are in place for IT tools like google health to be implemented safely.

  5. Most hospitals are still struggling to connect the dots and collect everything that happens inside their walls, never mind deal with information a patient may have. So while both of these applications might help the physician/patient face-to-face interaction become a more informed experience, they don’t do much to address the operational failure in healthcare of how data is distributed in a system.

  6. As to your quote “Showing you keyword based advertising may not to everyone’s taste, but it does not mean your private health data is being transferred to anyone”.
    Well, I hate to say it, but if you actually combine an EHR/PHR with context-triggered ads, it is more than a matter of taste, in fact, you are leaving the door wide open to trick people into releasing their data (why? see the blog entry cited below).
    Fortunately, Google Health will NOT put any ads into Google Health (or so they say), but other online PHR vendors may.
    Eysenbach, Gunther. Online PHR + Google AdWords/AdSense = A Privacy Disaster. Gunther Eysenbach Random Research Rants Blog. 2008-03-08. URL:http://gunther-eysenbach.blogspot.com/2008/03/google-health-google-adwordsadsense.html Accessed: 2008-03-08. (Archived by WebCite® at http://www.webcitation.org/5WB7C9LS5)

  7. However, as far as I can tell nothing that is happening here violates HIPAA. Showing you keyword based advertising may not to everyone’s taste, but it does not mean your private health data is being transferred to anyone. And presumably your data will only end up in these services if you give them permission to accept it, which will include consent to provide whatever services and advertising you’ll see.
    I agree. The Internet is completely voluntary, you do not have to post your information or have an e-mail account. As with anything new and worth trying there is a little risk. I think that Google and Microsoft will do everything in their power to keep all data as secure and private as possible. It is their reputation at stake. Healthcare is going to go digital, we might as well be at the front leading the way and not hanging out on the sideline whining and complaining. It is so much more fun to lead…

  8. tcoyote, to think that a PHR must be a “chilly data archive” is a narrow view. If by definition a PHR is only an inert record, especially one in which you have to enter the data yourself, then sure, it’s a turkey.
    A better way to think about it is as the record of medical information designed for use by the patient and controlled by the patient. It is useful to the extent that it is populated more or less automatically with the person’s complete clinical and claims record, organized in a way that makes sense, shareable with others (such as caregivers) and connected to tools that help one to track one’s health status and manage care. Ultimately, EMRs, lab results, HRAs, drug interaction checkers and all sorts of things need to be integrated with PHRs.
    We’re a long way from that, but Medical Homes are in just as much a nascent state as PHRs, if not more so. With the Medical Home, you not only need interoperable EMRs, you need to change the culture and economics of medicine. I agree it should be done, but it is a much more massive undertaking than creating useful PHRs….and more likely to fail given the dominance of Specialists in American medicine.

  9. Matthew, there are a lot of exciting things going on in healthcare IT right now-
    the Internet based claims systems like AthenaHealth and Availity, Subimo (now a part of WebMD), the intelligent voice response companies, social networking sites for physicians and patients, the ferment around RPM and the stunning advances in imaging (which, now digital, is absolutely IT), plus a lot of the stuff I don’t even know about but would learn about if I could come to your 2.0 Conference.
    It’s just that the PHR isn’t one of them. It’s a turkey. It’s already made one dive into the dumpster (remember Dr. Koop.com started as a PHR company), and, like the CHIN (oops, I meant RHIO) has somehow managed to scale even higher on Gartner’s peak of inflated expectations than it did the first time. It may fill a social need, but if consumers don’t want to buy it and/or don’t trust the commercial vendors, it ain’t going to transform anything. We’re nearing wagering territory, I think (but you can’t do that legally on the Internet, can you?).
    P.S., I think you get much better safety and health improvement mileage out of the medical home, because there is a person on the other end of it, than you do out of some chilly data archive. Have we beaten this to death yet?

  10. tcoyote wrote

    “I don’t think any of these commercial PHR’s are going anywhere, not only because of privacy concerns but because they do not fill a felt personal need of most consumers.”

    You’ve touched on a blindingly obvious – thus invariably ignored – fact of healthcare and healthcare spending: most people, most of the time, are not in need of ‘data-intensive’ care. The care requirements of most people, most of the time, do not require data management capabilities of any sophistication surpassing a contact management application.
    Worse, the discussion of PHR/EMR pros/cons frequently seems to assume a ‘record’ that is principally for PEOPLE to read, rather than for computing applications to sort/sift/reassemble for use by various concerned parties.
    That people’s health, even when healthy, CAN be made a more data-intensive affair is another matter altogether….
    I’m convinced, as Matthew apparently is, that the discussion of PHR/EMR is emphatically upside down – and in a number of directions, to scramble the metaphor for emphasis.
    The most vital aspect of any PHR is simplicity of creation – since most users will do little more than set up the shell, and that, quite probably, more than once. A close second? Simplicity of sharing, in an environment where privacy concerns – especially for the well – rank very high.
    (I’ve seen, and I’m sure others also have, survey summaries that indicate the relationship between privacy and ease of sharing is closely connected with, influenced by, the severity of a person’s health condition – the more severe, thus ‘data-intensive’ the person’s health condition, the less concerned they generally are with privacy/security issues.
    If anyone has a cite or a link, I’m always in the market. I can’t seem to keep track of them).

  11. tcoyote, you conflate two different things. Are PHRs trustworthy? and are they filling a need? As JD explains at excellent length in his comment, it’s the second that matters not the first. And it’s the second issue that we should be talking about not the first. If the second becomes true, then the privacy issue will take care of itself.
    And as for foolish optimism about the future potential of IT in health care, well at least I’m not the first commentator accused of that. I vaguely remember criticism of a certain book on the topic before http://content.healthaffairs.org/cgi/reprint/23/2/276.pdf

  12. “HIPAA” is an acronym for the Health Insurance Portability & Accountability, which is requiring improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards.

  13. If people don’t trust a PHR (or it doesn’t fill a felt personal need), they aren’t going to use it. If people think contributing their personal health information to a commercial PHR sponsored by a company that makes 98% of its money on advertising is going to cause their diabetes or incontinence to suddenly start showing up in pop-up ads, and then unsolicited emails, it will inhibit their willingness to put their data on line. How hard is that? That isn’t a Luddite sentiment, it’s simple realism.
    Just as in our political system, an absence of trust is like sand in the gears. There is a pervasive absence of trust in medical institutions, commercial enterprises like Microsoft and Google (despite how focused and effectively managed they are), our health plans, our employers, or even, perish the thought, our doctors. If we cannot assure people that personal information will not be used to harm or embarrass, then they won’t get that genetic test, or molecular image, or bloodwork which they need in the first place.
    There is an embarrassing amount of “deus ex machina” thinking about IT in healthcare right now, and nowhere is it more prevalent than in this debate. We’ve simply assumed that easy access to health information is a technological problem which technology companies will effortlessly solve for us. The technology is the easy part. It is necessary but not sufficient.
    I think putting our personal health information on some powerful company’s Internet server will prove to be a halfway technology. I don’t think any of these commercial PHR’s are going anywhere, not only because of privacy concerns but because they do not fill a felt personal need of most consumers. Call ’em idiots if you like, Matthew, but they are still the boss.
    I actually think the technology itself is going in a different direction: the PHR will be written on the person him or herself, somewhere, as a tattoo or piece of jewelry, or on a fob with their car or house keys, with encryption and personal rules about access. (HP’s Memory Spot or some competing company’s microstorage device will enable). It will truly be a “personal” health record. Where the person goes, so goes their “record”, and providers will update it via every encounter, and providers will keep a backed up copy in their offices or ER’s. Their enterprise software will tell them what to do with our information when they receive it.
    And this technology won’t end medical errors or overtreatment or save us billions of dollars or make us all chocolate milkshakes either.

  14. It’s remarkable how little Matt’s point sunk in. No one on planet earth is saying that privacy is not important. That isn’t the argument. The argument is over whether we let security concerns paralyze us, when we know that thousands die every year from medical mistakes that could be avoided with better procedures (hand washing) and, more relevantly, better systems (RFIDs, eRx, etc.).
    We live in a world in which identity security is compromised every day. Identity theft is a global problem. And yet, we continue to use our credit cards and do business online. Mark Nelson, Dmitriy, Health Links, and others….do you use credit cards, debit cards or bank online? Do you shop online? I bet that you do some or all of these things, and that you don’t want to go back to a much less connected world even though you know that identity theft is a real possibility. So why be a Luddite about health information?
    Yes, your health information may be stolen. How many examples are there in which health information has been used to harm someone? You may be able to think of a few cases, but many of those involve instances in which financial harm was done: Social security numbers were stolen, etc. There is nothing specifically health related in the most common sort of harm done from stolen health records.
    Cases in which health information as health information has been illegally and harmfully used against someone are exceedingly rare. It’s hard to resist the thought that someone may want to embarrass you by publicizing your old positive VD test (or whatever), but the reality is that overwhelmingly, people just don’t care enough to do this. If you’re a movie star, or a politician, OK, but paper records have a way of coming to public attention in these cases too.
    I understand the concern that insurers may be tempted to get their hands on the electronic records. But think about it: These are very large corporations that will face very, very large penalties if ever caught. HealthNet was just fined $9M for a much smaller infraction in which the means of getting the information was not challenged so far as I know. You would have to be the stupidest insurer on Earth to try to systematically gain access to electronic medical records without being given explicit permission.
    But what really gets me is this: the best way to use the fear of insurers cancelling policies is to advocate for universal health care and guaranteed issue! When I see progressive/liberal privacy advocates argue against the spread of HIT on the grounds that information could be used to rescind policies, it’s like they’re engaged in a form of jujitsu in which you grab your opponent’s arm and flip yourself onto the floor. Take the opportunity to make a stronger case for universal health care, and at the same time move forward on HIT with reasonable but not perfect privacy controls. Because we’ll never get to perfect.
    Privacy matters. So does the efficacy and efficiency of medical care.

  15. this is an interesting debate…but i don’t think knocking joe conn is a good way to start (especially for health 2.0) as joe is a good journalist and covers both (or more) sides of the issues.
    privacy IS important, and more important every day as more boomers become afflicted w/ chronic diseases.
    google/microsoft will not win – the ‘platform’ winner will solve real problems for those looking for solutions (either to improve their businesses or mandated by government). ‘build it & they will come’ is a waste of time, money & human capital – glad MS & google are playing as they’ll move the market toward a solution(s).
    so far, software/IT is not looking at this from the right angle – it’s not from the patient or the payer; it’s from the healthcare service providers; an incredibly fractured and arcane market/model.
    good luck.

  16. Take the example in the UK – where on several occasions large amounts of public data have been “lost” – usually on cds or “lost” laptops.
    Storing large amounts of sensitive data will always be prone to rogue elements within or outside the organisation.
    What happens if lost health data finds its way to a health insurance company? Will “ill” people be able to buy insurance at any cost?

  17. I am sorry if I hit a nerve, Matthew.
    Lately I have been trying to stay away from arguing over Health 2.0 and hype, but your latest post was just too juicy to ignore. I will repeat it again, you are the only person who sees absolutely no problem with these PHR projects.
    I have no doubt you really believe what you say and not just doing this for profit. So I would just leave it at repeating a famous quote: “It is difficult to get a man to understand something when his salary depends upon his not understanding it.” Hmmm… Sounds like the kind of beef you had with Consumer-Directed Health Plan community for ages.
    Thanks for enlightening me as to how consumer opinion is shaped. If not for that damn press (and bloggers) asking tough questions the world would be a better place. I am sure life is better in places like North Korea where these pesky critics do not get in the way of “people who know better”.
    Back to real work now…

  18. We did a survey of 470 primary care physicians in January 2008 regarding physician attitudes toward Microsoft HealthVault and EMR. The results are interesting and show that more doctors trust Microsoft than Google with regard to EMR. See question #20 at http://whatdoctorsthink.com/EMR-results/SurveySummary.html
    In the meantime, all the different EMRs will just cause confusion and chaos down the road since every patient will have their records on different EMRs that are not compatible, and every doctor will have their own EMR. The ultimate solution is for the government to set a standard with Medicare patients which are already in a database with doctor providers.
    Robert Cykiert, M.D.

  19. I won’t go into a detailed comment on this post because I can’t get past the error in the second paragraph. HIPAA is spelled with two A’s and one P. It may seem picky, but that misspelling seems to be a litmus test for folks who have studied the law versus those who are not familiar with it.