Privacy Advisor

Transforming Healthcare with Information Technology

July 1, 2008

Google, Microsoft and Revolution Health Roll Out Personal Electronic Health Records Management Systems With Crucial Privacy Implications

By Lucy L. Thomson, Esq. CIPP/G

Information technology is transforming the way health professionals and the healthcare industry provide care to individuals and to the entire population. Privacy and information security are at the center of a sea change in the way individual health records are created, managed and shared. Electronic health records (EHR) management systems unveiled recently by Google, Microsoft and Revolution Health are being promoted as the key to consumer-focused healthcare that will enable individuals to manage their own health records and "take ownership of their healthcare decisions." A striking feature of the new personal EHR systems is that the individual who creates a health record can decide what health information to include and with whom it will be shared.

Some experts worry that the convenience of the new services comes at a cost to patient autonomy and may pose serious privacy risks. This concern arises in the context of the trend toward EHRs, which some call a revolution, and which is being driven by both government and business. In 2004 the White House issued Executive Order 13335, which set the goal of electronic health records for most Americans by 2014.

Emergence of a National Health IT Infrastructure

Governments at the federal and state levels are expected to take the lead in developing standards and policies for a Nationwide Health Information Network (NHIN). Much is being done at the state level, where major public sector health record adoption and exchange projects are underway. As the Health IT infrastructure develops, two distinctly different models are emerging:

  • Longitudinal collection of electronic health information for and about individuals and populations, feeding into "knowledge and decision-support systems." Institutional systems seek to collect as much patient data as possible in local or national systems, and focus on the interoperability and comparability of all patient data.
  • Personal EHRs, which enable individual patients to aggregate their diverse records and make them selectively available to new or emergency providers.

Early this summer the federal government released a strategic plan for health information technology with two strategic goals that will be enabled by health IT: patient-focused healthcare and improved population health. The Department of Health and Human Services ONC-Coordinated Federal Health Information Technology Strategic Plan: 2008-2012 (June 3, 2008) articulates these lofty goals:

  • Patient-focused Healthcare: Enable the transformation to higher quality, more cost-efficient, patient-focused healthcare through electronic health information access and use by healthcare providers, and by patients and their designees.
  • Population Health: Enable the appropriate, authorized, and timely access and use of electronic health information to benefit public health, biomedical research, quality improvement, and emergency preparedness.

Available at www.hhs.gov/healthit/resources/HITStrategicPlan.pdf, the Strategic Plan states that "the themes of privacy and security, interoperability, adoption, and collaborative governance" cut across all aspects of patient healthcare and population health, although in very different ways.

It is expected that private sector IT companies will develop interconnected electronic medical record systems and networks. Several companies offer electronic health records management systems that will exchange data among diverse public and private constituents, and will enable local, regional and national health networks. They will provide the flexibility to integrate applications such as lab systems, practice management systems, EHR, IVR, analytics tools, and other capabilities.

Launch of Personal EHR Systems

Google has announced a pilot project with the Cleveland Clinic to create a system of electronic patient health records—Google Health. Kaiser Permanente, the nation's largest HMO, is conducting a pilot to link its health records system to Microsoft's consumer health storage platform—HealthVault. Revolution Health, founded by AOL co-founder Steve Case, is a "consumer-centric health company" that allows consumers to make "informed choices and offers more convenience and control over their individual healthcare decisions." These initiatives to build a "healthcare infrastructure" on EHRs bring major privacy improvements, but they also raise major privacy concerns.

Google Health is a Web portal where individuals can store and manage their health information. Users can create an account online, a health profile and medical history, and link to references about symptoms and treatments. Because Google has partnered with hospitals, labs and pharmacies, the patient can import medical records and prescription history from healthcare providers. Users can create health profiles for family members or "anyone you care about." When a person adds new health data to the profile, Google Health will check for potential interactions between the person's drugs and allergies. Google Health offers services such as refilling prescriptions online, requesting a second opinion, and searching for doctors and hospitals.

Microsoft HealthVault is a free, Web-based platform that enables patients to collect, store, and share health information with hospitals and physicians. Its stated goal is to "help healthcare providers increase efficiency, reduce errors, and improve care." Microsoft states that "HealthVault provides a foundation on which a broad ecosystem of partners—from medical providers, to health and wellness device manufacturers, to health associations—can build innovative new health and wellness management solutions to help put people in control of their family's health."

For its pilot with Kaiser, HealthVault has partnered with hospitals and medical information and laboratory companies to provide services such as "Clipboard-free Admissions" to hospitals and physicians' offices, Medical Reconciliation and a Direct-to-clinical Authorization Process that will make patients' medical records available anywhere and facilitate medical transactions and decisions. A wide range of technology companies have developed 40 new online health applications and devices to improve information sharing between patients and physicians, and promote fitness and workplace productivity.

Revolution Health is a "free, comprehensive health and medical information site" that offers "best-of-breed health information as well as more than 125 online tools to help individuals take control of their well-being." Membership is a service, primarily targeting businesses, that helps people obtain answers to health questions and provides assistance in settling health insurance claims.

The site states that it makes money by selling advertising, memberships to people—either directly or through their employers or organizations—and by selling products through an online store. Revolution Health also sells health insurance through an affiliated company.

Benefits and Risks to Patients

Advocates of EHRs cite numerous benefits to patients—including better quality of patient care, improved outcomes, lower costs, and increased efficiencies for the healthcare community. Healthcare providers will have access to comprehensive patient records, so they will arguably make better healthcare decisions, save patients in emergencies, and save scarce healthcare resources by avoiding duplicate tests and procedures that have already been performed. Longer term benefits may include standardization of care among providers, medical alerts for drug interactions and patient allergies, and availability of clinical data for use in quality, risk, utilization, and ROI analyses.

Such a complex IT infrastructure of information sharing and continued connection among healthcare providers raises a variety of risks to patients. Personal EHRs may contain the most sensitive personal health information that must be protected: name, Social Security number, date of birth, address, insurance policy information, medical history (diagnoses, medical treatment and drug use) and, in some cases, credit card and financial information.

Potential for Discrimination — Many privacy advocates believe that aggregating large amounts of the most sensitive personal information from many sources into electronic databases poses serious risks to individual privacy, along with a significant potential for discrimination. Insurance companies and employers may request access to this data as a prerequisite to employment and insurance, just as employers routinely run credit checks on prospective employees, accessing the vast stores of financial information maintained by credit bureaus.

Leadership will be needed in government to prevent discrimination on the basis of the wide range of health conditions identified in EHRs. The Genetic Information Nondiscrimination Act (GINA), enacted in May 2008, makes it illegal for employers and insurance companies to discriminate against people based on DNA tests showing that they are genetically predisposed to diseases such as cancer, heart disease and other serious illnesses; it is a model for what is needed on a broader basis. As a related concern, third parties may be tempted to use the data for marketing pharmaceuticals and health treatments, or to otherwise "personalize" each individual's healthcare options.

Privacy Policies — All three EHR systems have extensive privacy policies, emphasizing the control individuals have over their own health information. However, they are not "covered entities" subject to HIPAA. Generally, account owners can view, edit and even completely delete their information. They can determine with whom information is shared; and can revoke sharing privileges at any time. The privacy policies raise some important issues of concern. They are complicated, and illustrate some of the problems with protecting privacy in large, interconnected, decentralized systems such as is envisioned for the nationwide health information network.

Ownership and Control — While privacy policies state that the individual who created the healthcare record has control over decisions about when and with whom the information may be shared, the privacy policies create a complex system of access control. Authorized third-party Web sites may access the user's health information and store a copy of it. That copy will be governed by the other Web site's privacy policy. Others at the facility may be able to view the information. The original owner can designate "custodians" who may also have control over the records. Individuals can give "proxy access" to others, such as family members, who may share in or assist in the person's care. Access control becomes even more complicated when the health records are shared. In some cases, the designated custodian can change the access control designation so that the original owner no longer has control.
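The custodian problem in the last sentence is easy to show with a small model. The following is an added example written for this page, not the access-control logic of Google Health, HealthVault or Revolution Health; the roles, field names, person names and the two policy settings are all assumptions. It runs the same sequence of grants under a permissive setting, where any custodian may change who the custodians are, and under a hardened one, where only the owner may and the owner can never be removed, and it also shows a proxy grant being revoked by the owner.

```go
package main

import (
	"errors"
	"fmt"
)

// Sharing models who may view or control one personal health record, using
// the roles the privacy policies describe: an owner, custodians who share
// control, and proxies (family members, carers) who may only view.
// Field names and the policy switch are assumptions made for this example.
type Sharing struct {
	Owner      string
	Custodians map[string]bool
	Proxies    map[string]bool
	// CustodianMayReassign is the permissive setting: any custodian may add
	// or remove custodians, including the owner. False is the hardened
	// setting: only the owner may change custodians, and never remove herself.
	CustodianMayReassign bool
}

// NewSharing creates a record whose only custodian is its owner.
func NewSharing(owner string, permissive bool) *Sharing {
	return &Sharing{
		Owner:                owner,
		Custodians:           map[string]bool{owner: true},
		Proxies:              map[string]bool{},
		CustodianMayReassign: permissive,
	}
}

// CanControl reports whether actor may change who has access.
func (s *Sharing) CanControl(actor string) bool { return s.Custodians[actor] }

// CanView reports whether actor may read the record.
func (s *Sharing) CanView(actor string) bool { return s.Custodians[actor] || s.Proxies[actor] }

// SetCustodian grants (grant=true) or revokes custodian control for who.
func (s *Sharing) SetCustodian(actor, who string, grant bool) error {
	if actor != s.Owner && !(s.CustodianMayReassign && s.Custodians[actor]) {
		return errors.New("only the owner may change custodians")
	}
	if who == s.Owner && !grant && !s.CustodianMayReassign {
		return errors.New("the owner cannot be removed")
	}
	if grant {
		s.Custodians[who] = true
	} else {
		delete(s.Custodians, who)
	}
	return nil
}

// SetProxy grants or revokes view-only access. Any custodian may do this, so
// the owner can revoke a proxy at any time by calling it with grant=false.
func (s *Sharing) SetProxy(actor, who string, grant bool) error {
	if !s.CanControl(actor) {
		return errors.New("no control over this record")
	}
	if grant {
		s.Proxies[who] = true
	} else {
		delete(s.Proxies, who)
	}
	return nil
}

// Outcome records how each policy fares when a custodian tries to remove the owner.
type Outcome struct {
	PermissiveOwnerControls bool  // false: the owner has been locked out
	HardenedOwnerControls   bool  // true: the attempt was refused
	HardenedErr             error // the refusal under the hardened policy
	ProxyViewAfterRevoke    bool  // false: revocation takes effect
}

// ShareDemo runs the same sequence under both policies. Names are constructed.
func ShareDemo() Outcome {
	var o Outcome

	p := NewSharing("jane", true)
	_ = p.SetCustodian("jane", "spouse", true)  // jane delegates control
	_ = p.SetCustodian("spouse", "jane", false) // spouse removes jane
	o.PermissiveOwnerControls = p.CanControl("jane")

	h := NewSharing("jane", false)
	_ = h.SetCustodian("jane", "spouse", true)
	o.HardenedErr = h.SetCustodian("spouse", "jane", false)
	o.HardenedOwnerControls = h.CanControl("jane")

	_ = h.SetProxy("jane", "cousin", true)
	_ = h.SetProxy("jane", "cousin", false)
	o.ProxyViewAfterRevoke = h.CanView("cousin")
	return o
}

func main() {
	o := ShareDemo()
	fmt.Printf("permissive: owner still controls? %v\n", o.PermissiveOwnerControls)
	fmt.Printf("hardened:   owner still controls? %v (custodian's attempt: %v)\n",
		o.HardenedOwnerControls, o.HardenedErr)
	fmt.Printf("proxy can view after revoke? %v\n", o.ProxyViewAfterRevoke)
}
```

The point of the comparison is that "the owner controls sharing" is only true if control over the custodian list is itself reserved to the owner; once that right is delegated, the delegate can take it away. The model says nothing about the copy a third-party site has already stored, which is outside this access list entirely.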

Information Sharing — Although the privacy policies of a personal EHR system apply while the information is in that system, once information is shared with another system the privacy policies of the receiving system(s) govern. This arrangement may create a vast web of inconsistent privacy policies containing gaps that do not fully protect the privacy of individual patient records.

Editing and Updates — The originating system enables the patient to edit and delete information from the records. As health records are transferred from one healthcare provider to another, they may also be edited and updated; however, it may be difficult to keep the records synchronized. Deletions may not be made from all copies. When copies of the records are made in other systems and retained, the information will be subject to other privacy policies.

Information Security — Each user account is protected only by an e-mail address and password. Given the sensitivity of individual EHRs, this falls short of the protection that two-factor authentication or biometrics could provide, and best practice in information security requires more than a user name and password to authenticate access to data of this kind. HealthVault provides a digital signature function to verify whether data has been altered; a signature detects alteration of a record, but it does not by itself prevent an authorized recipient from reading, copying or re-sharing it. Appropriate implementation of encryption is also harder in a decentralized system, because every system that holds a copy must protect it in transit and at rest and manage its own keys.
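To make the integrity check concrete, here is an added example written for this page; it is not HealthVault's code or API, and the record fields, names and key handling are assumptions. It signs a constructed record with Ed25519 from Go's standard library, shows that a faithful copy held by another system still verifies as long as the signature travels with it, and shows that a downstream deletion of the kind described under Editing and Updates fails verification, which is how a receiving system can tell a synchronized copy from a silently edited one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Record is a flat personal health record. The field names are assumed for
// this example; they are not HealthVault's schema.
type Record map[string]string

// Canonical returns the bytes that get signed. encoding/json sorts map keys,
// so two records with the same content produce the same bytes regardless of
// the order they were built in or the system that stored them.
func Canonical(r Record) ([]byte, error) {
	return json.Marshal(r)
}

// SignRecord produces a detached Ed25519 signature over the canonical form.
func SignRecord(priv ed25519.PrivateKey, r Record) ([]byte, error) {
	msg, err := Canonical(r)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyRecord reports whether sig was made over exactly this record by the
// holder of the private key matching pub. Any edit or deletion breaks it.
func VerifyRecord(pub ed25519.PublicKey, r Record, sig []byte) bool {
	msg, err := Canonical(r)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Copy returns an independent copy, standing in for the copy a third-party
// site stores after the owner shares the record.
func Copy(r Record) Record {
	c := make(Record, len(r))
	for k, v := range r {
		c[k] = v
	}
	return c
}

// Result collects the three checks the demo performs.
type Result struct {
	OriginalValid bool // signature verifies on the record as signed
	CopyValid     bool // a faithful copy in another system still verifies
	EditedValid   bool // a copy edited downstream no longer verifies
}

// SignDemo signs a constructed record, shares a copy, edits that copy, and
// checks which versions still verify.
func SignDemo() (Result, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	// Constructed sample data; not real patient information.
	original := Record{
		"patient": "Jane Doe",
		"allergy": "penicillin",
		"rx":      "warfarin 5mg",
	}
	sig, err := SignRecord(priv, original)
	if err != nil {
		return Result{}, err
	}
	shared := Copy(original)
	edited := Copy(original)
	delete(edited, "allergy") // a downstream deletion the owner never saw
	return Result{
		OriginalValid: VerifyRecord(pub, original, sig),
		CopyValid:     VerifyRecord(pub, shared, sig),
		EditedValid:   VerifyRecord(pub, edited, sig),
	}, nil
}

func main() {
	res, err := SignDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original valid: %v, copy valid: %v, edited copy valid: %v\n",
		res.OriginalValid, res.CopyValid, res.EditedValid)
}
```

Two caveats follow from the code. The check only works if the receiving system keeps the signature alongside the record and has a trustworthy copy of the signer's public key, which is a key-distribution problem that each system in a decentralized network must solve for itself. And a signature says nothing about confidentiality: the edited copy fails verification, but the unedited copy is just as readable, and just as easy to re-share, as the original.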

Hospitals are a source of birth and death records, which are often used in identity theft. Data breaches in hospitals have compromised large numbers of sensitive patient records. A 2008 HIMSS Analytics Report on the Security of Patient Data commissioned by Kroll Fraud Solutions found that the most frequent cause of security breaches was unauthorized use of the information by individuals employed by the healthcare organization. It is likely that different levels of security will be applied to EHRs depending on the security policies of each healthcare provider.

Release of Protected Electronic Health Records — While in theory patients may control their own health records, those records can be subpoenaed by the government and by private parties in lawsuits. Many states have established programs, with broad access to patient data, to monitor potential abuse of narcotic prescription drugs and to track life-threatening illnesses; such programs would have a strong temptation or incentive to seek access to this data in order to mine it for medical studies, or even to take specific actions against offending physicians or patients. The Revolution Health and HealthVault privacy policies specify a number of instances in which patient records may be disclosed for legal reasons, including a homeland security threat (to protect the health and welfare of the public), a threat to the system or network, or cases in which it is necessary to conduct an investigation. These broad categories provide wide latitude for the release of patient records that patients believed were otherwise protected.


Lucy Thomson, Esq., CIPP/G, is an attorney with extensive experience as both a litigator in complex federal civil and criminal cases and as an expert in privacy and information security. During this past year, she served as Consumer Privacy Ombudsman in two federal bankruptcy cases to oversee the sale of electronic consumer records. In her current position as Senior Principal Engineer and Privacy Advocate at a global IT company, she works on teams building modernized information systems for very large organizations. A career Department of Justice attorney, she litigated complex healthcare fraud cases in the Criminal Division, and cases to improve conditions at healthcare institutions in the Civil Rights Division. Ms. Thomson was awarded an M.S. degree from Rensselaer Polytechnic Institute (RPI) in 2001, and earned her J.D. degree from the Georgetown University Law Center.

This article was originally printed in the June 2008 issue of Peppers & Rogers Inside1to1: Privacy newsletter.