I’m a card carrying member of the ACLU. I oppose the Patriot Act. And I absolutely oppose the current Administration’s decision to ignore the FISA law that already bends over backwards to help the government spy on Americans whom it suspects of criminal activity. I’m also appalled when I read stories like this one—in which the FBI has been illegally abusing its power by issuing “National Security letters” willy nilly.
I say all this because it’s now a couple of weeks since Google announced it’s health initiative and during that time we held the second Health 2.0 conference. And all the mainstream press can write about is the potential for privacy violations in online health sites, and PHRs, whether it’s been in the San Diego Union Tribune, ZDNET, USA Today or Modern Healthcare.
So even this balanced article in the Washington Post leads with Deborah Peel from Patient Privacy Rights and you have to wade through her incendiary rhetoric before you get to some sense from John Rother, while David Kibbe’s rational applauding of electronic health records only appears towards the end. Here’s what Peel says:
Many online PHR firms share information with data-mining companies, which then sell it to insurers and other interested parties, Peel said.
Well I’m still waiting to see the proof about this. Essentially she’s saying that consumers’ identifiable data is being sold and used against them, and so PHRs are bad.
Much data is of course sold in health care, but as far as I’m aware it’s all de-idenitifed. Whether PHR companies are systematically selling data is unclear. Whether they are selling identifiable data (the thing HIPAA bans and everyone agrees is a bad idea) I severely doubt.
And the problem is that this type of allegation gets the conversation completely off track. The biggest problem with the US health care system and its use of technology is not privacy violations. It’s inefficient use of data causing harm (and costs and poor quality care).
I am getting more than a little annoyed with this focus on the wrong thing. As my commenter JD paraphrased in my earlier piece on the topic (5th comment down here), do the Deborah Peels of the world not use bank accounts or credit cards? Do they not buy houses or have credit scores? Do they not know about what is already known about them in the real world? People understand this data flow and they accept it because it brings them a return that they value. And the same will be true for health information—if health information technology produces valuable results
So what are the nay-sayers going on about? Well I actually suffered and read the World Privacy Forum report on PHRs by Robert Gellman. It’s a hash of conjecture with its main complaint being that HIPAA doesn’t explicitly cover PHRs. Well, no shit Sherlock. HIPAA passed in 1996. It was actually was prepared years earlier and it’s about the automated transactions that existed then. No one had heard of a PHR in 1995, so why should the law cover them? What will happen is that PHRs will start being provided by covered entities and will be under the aegis of HIPAA (in this country at least—it’s called the “World” privacy forum but in reading the report Gellman only has heard of one country apparently).
But even if PHRs are not covered by HIPAA, what are the terrible consequences? Well let’s see. I’ve taken a few excerpts from the report. In the first Gellman says:
Regardless of the PHR’s policy on marketing disclosures, advertising can provide a method for a consumer’s health information to escape into marketing files. Marketers already have millions of names of consumers categorized by specific diseases and diagnoses. Most of the information comes from consumers who provided it in response to “consumer surveys” or through other stealthy methods for collecting health information for marketing use. Health records maintained by health care providers have been unavailable to marketers directly, but commercial PHRs operated outside of HIPAA offer marketers the promise of more and better health information from consumers.
So the problem is not PHRs. It’s consumer surveys taken over the years by marketers. But let’s blame PHRs because they might potentially be used for the same thing.
But hang on, if I’m a transparent PHR vendor won’t I drive out the scummy guys who are secretly selling data which will be used to harm their customers? And aren’t Microsoft and Google and many others being transparent about that? Yes they are, and why won’t consumers vote with their data?