Personal Health Records May Be Dangerous to Your Privacy

Analysis of News Events

Many entities are offering consumers a way to store their healthcare information, but are these pie-in-the-sky offerings anathemas to privacy?


Many entities--from the U.S. Department of Veterans Affairs, to many insurance companies, to WebMD, Microsoft, and now Google Health--offer healthcare consumers (note: we are no longer patients; now we are consumers) the ability to store their personal health information online. This information, known as a personal health record (PHR), is maintained for individuals on secure Web sites and permits owners to organize their medical information and indicate who may access their information and how--whether read-only or the ability to add, modify, or delete information.


Microsoft jumped onto the build-it-and-they-will-come frenzy last fall with its HealthVault, but skeptics opine that consumers maintain a caveat emptor attitude--even though the services are free.


Why might that be, and why are consumers reluctant to jump in the PHR pool?

You Say PHR; I Say EHR. What's the Difference?

First, it is a good idea to get some housekeeping out of the way. You may have heard the terms electronic health records (or EHRs), personal health records (PHRs), and even other similar acronyms bandied about and used interchangeably. Well, there is a difference. A personal health record is a record the healthcare consumer (i.e., you) creates on a Web site such as Microsoft HealthVault, Google Health, or United Healthcare's site (but only if you are a member).


Sometimes, personal health records are called portable health records (PHRs)--same acronym (why do we have so many acronyms?) but a slightly different meaning. A portable health record may be a card that has the look of a credit card, but it has an embedded chip with a portion of your medical record encoded on the chip. A portable health record can also be a card that can be swiped at a local hospital to which you were admitted previously. It can also simply be a card you carry in your wallet. This article will not examine portable health records and the technologies that support them.


While personal health records can and usually are maintained electronically, the term electronic health record (EHR) usually refers to the record your physician or other healthcare entity creates and maintains electronically.


So far so good?


Returning then to personal health records (PHRs), sites such as Microsoft HealthVault, Google Health, or, for example, United Healthcare's site allow you to add, modify, or delete your healthcare information and (if you accept) will allow you to connect to other "programs" to learn about your medical conditions (e.g., diabetes, high blood pressure, etc.), track your medical information (e.g., blood pressure, glucose, weight, etc.), and so forth. And depending on the entity offering the service, sometimes you can e-chat with a nurse, receive lab results, refill prescriptions, have an online consult with your physician, email your physician, etc. Moreover, you as the consumer are the custodian of your information. And you can hand that responsibility over to someone else as well as decide who (e.g., your physicians, spouse, pharmacy, etc.) can access your information and how.


So, what's the problem? First, even if you have granted your physician access to view your PHR in the event of an emergency, and even though quick access to information about your medical condition, allergies, and prescriptions can be incredibly helpful, it is still unlikely that a physician will rely on the information you have entered into your personal health record. Why? In a word: malpractice. No one knows whether you entered incorrect or incomplete information that could be deadly to you and potentially result in a malpractice suit for your physician. So the physician will likely reinvent the wheel and take an oral history as well as run a bunch of tests to determine your medical condition, or at least to corroborate your PHR.


Second, information that you enter onto a site--even if it claims to be secure--can still be compromised by a security breach. While we have come to entrust our financial information to our financial sources and can literally conduct virtually every financial transaction online, we are very hesitant to trust our medical currency (information about our health) to a third-party entity that appears to want to help us take control over our health.


As the banking and financial services industries became more and more automated, it took many years and many fits and starts (remember, ATMs did not always work virtually flawlessly, and they have been around for a long time) for them to earn our trust. In addition, if you look at IT spending as a percentage of annual revenue, the financial services industry has continually outpaced healthcare. Table 1 below shows healthcare IT spending compared with financial services IT spending as percentage of annual revenue as reported by InformationWeek over a three-year period.


Table 1. InformationWeek 500 Industry Annual Revenue Spent on IT

Healthcare and Medical | Banking and Financial Services | Net Spend (Healthcare v. Financial Services)

[The table's yearly percentages did not survive in this copy of the article; only the title and column headings remain.]
Moreover, the banking and financial services sector has always been an IT leader, although it too has been attacked by hackers and has had its share of security breaches. While healthcare IT (HIT) has been around for more than three decades, it has been a slow follower--with siloed systems, islands of automation, and great fragmentation. And it has not traditionally invested a great deal of resources in R&D--certainly not compared to the banking and financial services industries. However, healthcare IT is catching up to its financial services brethren.

Privacy Policies and Persnickety People

Of course, every entity that offers you the ability to create and store your health records has a privacy policy, and for the most part, they are good. However, I am very persnickety about privacy policies, and they tend to unravel like cheap scarves under my scrutiny. (In some circles, I am known as "Oh Persnickety One," but I digress.)


It is not my desire to focus solely on Microsoft's HealthVault, but I did go through its privacy policy line by line, and while Microsoft may well provide great security and virtually guarantee privacy, the aforementioned "programs" that you may be accessing to receive data about a particular medical condition may not have privacy policies as good as Microsoft's. This is the weak-link-in-the-chain syndrome in which the "program" with the least solid privacy policy and/or the least bulletproof security could be the culprit responsible for your medical currency being scattered through cyberspace as well as falling into diabolical hands intent on stealing your medical identity.    


And medical identity theft, especially electronic medical identity theft, can both ruin you financially and, well, kill you. In the U.S. today, it is easier to detect financial identity theft than medical identity theft, which occurs when someone assumes someone else's identity (without permission or knowledge) for the purpose of obtaining medical treatment, services, and/or prescription medications. Medical identity theft could actually kill you because your medical records could be either combined with, or replaced by, the perpetrator's medical records so that recorded medical diagnoses, blood type, allergies, contraindications, and medications may be incorrect, inviting medical error in treatment, especially if you were to present unconscious to an emergency department. This could result in your death if you were transfused with an incorrect blood type or were given a medication to which you were deathly allergic.


The fact is, it is easier to correct financial infringements such as fraudulent credit card charges than it is to navigate and unravel the labyrinth of medical identity theft. In addition, many people may not know for a long time, if ever, that medical fraud or medical identity theft has been committed, and others simply do not report it. Moreover, the biggest obstacle is that there are no reporting agencies that specifically handle medical identity theft. And few perpetrators are ever actually caught, let alone prosecuted.


A third (if we are counting chronologically from above) problem is with aggregated data. Microsoft's HealthVault Beta Version Privacy Policy has a section on how it uses aggregate information and statistics. The company states that "[it] may use aggregated information from the Service for marketing of the Service (for example, to tell potential advertisers how many Service users live in the United States). This aggregated information is not associated with any individual account." The privacy policy goes on to inform you that there are certain legal conditions, such as subpoena, under which Microsoft would surrender your personal health record. And, as if this is not enough...


...the Health Insurance Portability and Accountability Act (HIPAA) of 1996 permits data mining by certain healthcare entities--that is, as long as the information is anonymized (i.e., all information linking you personally to your health data is removed). Given the enormity of cyberspace and the fact that information about us is likely scattered everywhere, how long will it be before a snippet of our personal healthcare record here and another there are assembled into the whole enchilada? Ah, the rub!

Mining for Gold?

Through data mining, healthcare entities can examine large amounts of data, optimally for altruistic reasons such as identifying trends and supporting national public health. Data mining is usually done with anonymized information--that is, the patient's name is not affiliated with the data. The downside is, if an individual's name as well as other identifying information (such as credit card numbers, social security number, and other medical insurance identification numbers) were somehow accessed, the individual could become a victim of identity theft or experience discrimination, job loss, insurance cancellation, credit compromise, and/or excessive monetary expenditures to correct the violation.
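The two paragraphs above (the HIPAA anonymization point and this one) describe "anonymized" data as data with the patient's name removed, and ask how long it takes before scattered snippets are reassembled. One way a privacy engineer checks that before a release is k-anonymity: count how many records share each combination of the remaining quasi-identifiers (ZIP code, birth year, sex), because a record whose combination is unique is trivially linkable to any other dataset that carries the same fields. The following is an added example, not code from the article or from any PHR vendor; the records, ZIP codes and generalization ladder are constructed for illustration, and k-anonymity itself is a standard privacy measure the article does not name.

```python
"""
k-anonymity check for an "anonymized" health data release (added example).

The RECORDS below are constructed sample data: a PHR export with the
patient's name already stripped, as the article describes. What remains
(ZIP, birth year, sex) are quasi-identifiers that can still link a row
to an outside dataset if the combination is unique.
"""
from collections import Counter

# Constructed records (not real patients); names have been removed.
RECORDS = [
    {"zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "birth_year": 1974, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02141", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1972, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1979, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02141", "birth_year": 1966, "sex": "F", "diagnosis": "diabetes"},
]

# Fields an outside dataset (e.g. a mailing list) is likely to share.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Map each quasi-identifier combination to the number of records sharing it."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """k of a release = size of its smallest equivalence class (0 for an empty release)."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def count_unique(records, keys=QUASI_IDENTIFIERS):
    """Number of records whose quasi-identifier combination appears exactly once,
    i.e. records that removing the name did nothing to protect."""
    return sum(1 for n in equivalence_classes(records, keys).values() if n == 1)


def generalize(record, zip_digits, year_bucket):
    """Coarsen quasi-identifiers: keep only zip_digits of the ZIP, and replace the
    birth year by a year_bucket-wide range. Diagnosis is left untouched."""
    g = dict(record)
    z = record["zip"]
    g["zip"] = z[:zip_digits] + "*" * (len(z) - zip_digits)
    start = record["birth_year"] - record["birth_year"] % year_bucket
    g["birth_year"] = f"{start}-{start + year_bucket - 1}"
    return g


# Constructed generalization ladder: each step discloses less than the one before.
LADDER = [(5, 1), (3, 10), (2, 20), (1, 50), (0, 100)]


def release_with_min_k(records, k_required):
    """Walk the ladder until every equivalence class has at least k_required records.
    Returns (generalized_records, k_reached, zip_digits, year_bucket); an empty
    list with k 0 means no step of the ladder is safe enough to release."""
    for zip_digits, year_bucket in LADDER:
        candidate = [generalize(r, zip_digits, year_bucket) for r in records]
        k = k_anonymity(candidate)
        if k >= k_required:
            return candidate, k, zip_digits, year_bucket
    return [], 0, 0, 0


if __name__ == "__main__":
    print("name removed only: k =", k_anonymity(RECORDS),
          "unique rows =", count_unique(RECORDS))
    released, k, zd, yb = release_with_min_k(RECORDS, 2)
    print(f"after generalizing to {zd} ZIP digits / {yb}-year buckets: k = {k}")
    for row in released:
        print(row)
    _, k4, _, _ = release_with_min_k(RECORDS, 4)
    print("k >= 4 reachable on this ladder:", k4 >= 4)
```

On the constructed data, stripping the name alone leaves every row unique (k = 1), so each one is linkable; coarsening ZIP to three digits and birth year to a decade gives k = 3. Asking for k = 4 fails at every rung because the ladder never generalizes sex and the six rows split three and three, which is the useful outcome: the function refuses to hand back a release rather than quietly shipping one that falls short.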

Bottom Line

Caveat emptor. Privacy policies on PHR sites may provide some assurance, but they do not unilaterally protect consumers' medical currency. Technology has far outpaced policy. This was true 30 years ago, and it is painfully true today. HIPAA needs to be updated. Baseline's Ericka Chickowski recently wrote an article entitled "Are Privacy Standards Enough to Push Electronic Health Records?" In the article, she reports on the Markle Foundation's Connecting for Health Common Framework for Networked Personal Health Information. The Common Framework is a needed next and crucial step toward actually defining realistic and viable security and privacy standards. We have too long tolerated HIPAA's inchoate babble without substance. However, as Chickowski's article notes, "Perhaps the Achilles heel of the Common Framework is the matter of enforcement. Unlike HIPAA, this standard is not an enforceable government regulation. Nor is there legal and contractual leverage for compliance as is the case between retailers and credit card companies regarding PCI data security standards." And HIPAA's track record has not been great, with few actual cases prosecuted. Watch this space for more on the Common Framework Initiative.


Given my above dissertation, the question is, which will it be? Either we say "Fuhgeddaboudit" and relinquish a little privacy, or we confront the potential for, and reality of, privacy violations and their staggering implications. I think federal legislation has to be passed that enforces privacy protections, and violators should be prosecuted to the fullest extent of the law.


What do you think?