WARNING OUT ON HEALTH DATA STORAGE SITES
In a recent San Francisco Chronicle article, the World Privacy Forum is reporting on the hazards of handing your personal health records to companies that collect and maintain them, supposedly so you can easily manage your health needs. The catch, according to the WPF, is that most of these companies are not subject to the federal regulations governing consumer privacy and security. Doctors, hospitals and insurers must follow the Health Insurance Portability and Accountability Act (HIPAA), which establishes basic privacy and security standards for the handling of health information. But the same rules don’t apply to companies that fall outside the category of accepted health care providers. California, as usual, comes through with its Confidentiality of Medical Information Act, which prevents these new health data collectors from marketing your private information without your permission.

I did a post on one of these companies in October 2007 and learned some interesting facts. Microsoft’s HealthVault collects and stores your data, provides other health tools to manage your health, and guarantees you complete control. I wasn’t satisfied with their “Privacy Statement” as far as how the data was secured online, so I contacted them and asked whether or not it was encrypted and, if so, at what level. (Lower levels of encryption are not secure against hackers.) The answers I received were a series of explanations about online security protocols and the difference between high and low levels of encryption, all of which I already knew. What I wanted was a commitment to what level Microsoft used in HealthVault. What I received was, and I quote: “As for the security on Microsoft's servers, I do not know. I am not a network or system administrator, but I'm sure they are using the best the industry has to offer.” Let’s see, how long would it have taken the guy to find out…five, ten minutes?
Google is supposedly rolling out its own version of a medical services plan in early 2008, consisting of an online profile, a physician search, advice on health issues, and the ability to share this information with family and caregivers. With the recent extension of California’s data breach notification law to include medical information and insurance data, there is hope that other states with data breach laws will follow. After all, it was the Golden State’s landmark S.B. 1386 legislation that forced ChoicePoint to admit to the breach in early 2005 that ushered in the identity crisis.

If there were ever a need for control over private information, it is our medical records, which contain not only things like our Social Security number but also ailments and medications taken that could prove harmful when seeking a job or health or life insurance. Not that we intend to cover anything up; the problem is that so many of these databases are riddled with inaccuracies. You might enter your medical data correctly, but what if a doctor or a hospital makes a mistake and confuses you with someone who has a life-threatening disease? But wait, that has already happened without the help of these new databases.
More on the personal health information issue later.