The very long-awaited Google Health may be about to launch. The New York Times and CNN have reports this morning that Google and the Cleveland Clinic are announcing a pilot program that reportedly will involve the creation of personal health profiles on Google for anywhere between 1,500 and 10,000 patients. These profiles will include health histories and other personal medical data.
The idea of a single data repository for personal health information that can be managed online and shared with selected providers is a great concept. But at the center of this concept are the issues of consumer privacy and data security. Talk to any of the third parties here — Google, Microsoft, Revolution Health — and you will likely hear statements that data are/will be secure and that consumers will have control of who sees and can access their records.
As the CNN piece points out, however, companies like Google and Microsoft would not be governed by the Health Insurance Portability and Accountability Act, or HIPAA. The act tries to safeguard the privacy of individual health records. But that law does not currently extend to third parties such as Google. More legislation would be required to extend privacy protection to release of personal health records housed on search engines and elsewhere on the internet.
There are many interests and entities, including health insurance carriers and potential employers, that might want greater access to individual health records. Most US health insurance companies are for-profit enterprises that seek ways to keep their costs down by denying coverage or minimizing their exposure, often in unscrupulous or unethical ways. The structure of health care is very different outside the US in Canada, Europe, and elsewhere. In Europe, the idea of inadvertent exposure or disclosure of personal health information might not carry the same consequences as in the US, where release or revelation of the information could have a very real impact on consumers and their lives.
Consider that there are routine breaches of data security in which consumer credit card numbers and other financial data are exposed. Recall AOL’s release of consumer search data in 2006 that allowed reporters to identify individuals based on inferences from search logs. Recall also the Bush Administration’s attempt to compel search engines to release data to allegedly help enforce anti-child pornography laws. However, the effort was broadly consistent with the administration’s larger, illegal domestic spying program.
These incidents provide a troubling backdrop for this discussion of consumer health information online and privacy. Indeed, unscrupulous health insurance carriers might have incentives to try to gain greater access to personal health histories to determine who’s a good risk and who isn’t. Employers who routinely “Google” prospective employees might find some of this information if it were leaked on the broader internet. Accordingly, an employer might decide not to hire someone who had potentially higher health care costs or, for example, a chronic condition that would potentially make that person less “productive” than others. These are not remote, hypothetical possibilities, but very real discriminatory scenarios that might come to pass if personal health histories were to be hacked, leaked, or otherwise inadvertently disclosed online.
Let’s be clear: the problem isn’t so much Microsoft or Google seeking to provide this service, which again is valuable in principle. Rather, the problem is the status and structure of the US healthcare industry and the corresponding incentives it creates. I’ll never forget a quote from a carrier representative who had turned down my wife for coverage because she had taken an expensive prescription medication in the past but hadn’t been off that medication for “at least a year.” The rep told me, “We make no apologies for being a for-profit business.”
Postscript: There are related concerns arising from these initiatives about inappropriate data mining and exploiting personal health histories for marketing purposes.
Google discusses the Cleveland Clinic pilot in this blog post, with assurances about confidentiality and security. However, it’s appropriate to be extremely cautious about participation in any such program until the structure of the US healthcare system changes (probably not in our lifetimes) or there are appropriate laws in place with strong penalties for misuse of personal health information.