Slashdot Mirror
Google to Begin Storing Patients' Health Records
mytrip writes with news that Google's health record archive is about to be tested with the assistance of the Cleveland Clinic. Thousands of patients (who must approve the transfer of information) will have access to everything from their medical histories to lab results through what Google considers a "logical extension" of their search engine. We discussed the planning of this system last year.
"Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that's also required to use other Google services such as e-mail and personalized search tools. The health venture also will provide more fodder for privacy watchdogs who believe Google already knows too much about the interests and habits of its users as its computers log their search requests and store their e-mail discussions. Prodded by the criticism, Google last year introduced a new system that purges people's search records after 18 months. In a show of its privacy commitment, Google also successfully rebuffed the U.S. Justice Department's demand to examine millions of its users' search requests in a court battle two years ago."
Now I'm going to get TARGETED Viagra spam....
It's Cleveland Clinic, and it's pretty much in every major city. So there are more people affected then just in Cleveland.
When your email is parsed for relavent ads, many just let that go.
But when you associate my email, calendar, documents, health info and who knows what's next, I start to wonder if that might not be too many eggs in one basket?
And if you are like me, your handle/username/login is the same across many sites.
I know they will have to comply with HIPPA and other laws but thank you very much. Google has not business with my private health data.
If enithin kan gow rong it whil. (Murfey)
On one hand, it would be convenient to have this archive available so that we can access our records without the hassle of dealing with the healthcare system. On the other side, all that data has only the strength of your password standing between it and the Black Market.
...with the same password that you use to log in to gMail, Google Pages, your Google home page and virtually every other service they offer? Come on. It isn't like Google mandates passwords of any particular strength, or that accounts haven't been hijacked through one means or another.
Google has informed me that your psychiatrist thinks you're quite the narcissist. And there is nothing that I can do about your herpes.
Cleveland Clinic is one of the top healthcare institutions in the US and the world. Calling it "a clinic in Cleveland" is like calling the New York Times web site "some guy's blog"...
my former employer offered us the option to buy into an online health records system. the selling points were that we could easily be sure that any doctor we saw could have instant access to all of our history, and we could review treatments and billing records.
I chose not to participate, because the provider was new and unknown to me. I don't think I would want to use Google, because they ARE known to me.
I'll just keep asking for copies of records when I visit a doctor, and keep them in my filing cabinet.
What gives Google the right to retain my private information for 18 months? This is especially worrisome in light of the fact that they are venturing into the medical domain and the kinds of stunts that Facebook has been pulling.
If I want to delete all my records *now* I should be able to do so, no questions asked.
Can I log in and see everything myself? And can I see the list of everyone who ever accessed my records? If not, it's no good.
Give people their medical records. Digitally signed by the docs that made them so they're authentic if the medical system must. If people would like to store them at Google or host them anywhere else, great. Make a standard for appending and signing that makes some kind of sense, but that is general and will work with any storage system. How is sheets of paper being faxed/mailed between docs the best possible standard? The whole system is jive, adding storing it with Google might make it slightly less jive, actually fixing it would, well, fix it. The whole system is so antiquated it make POTS look like a good standard for sending audio, but so ingrained and unquestioned that it's just there.
DeGoogle. Removes all traces of you from Google.
Caveat Utilitor
google for president!
Been there, got the t-shirt
They discuss how PHR vendors may not be covered by HIPAA nor patient/provider confidentiality laws (esp subpoenas.)
They particularly note that PHR vendors that also provide email services have a lot of data that can be easily linked together (...and to you.)
I'd really like to see this sort of thing work, but am cautious.
john-norris.net
I like this idea. I wish there was something like this that was more wide spread, not government regulated (so you can opt out) and available in Australia.
One problem I have had is through switching doctors and the new one not getting the files of the old, and not being privy to the others results.
Also, this should increase the quality of peer review of your doctors notes.
This is my footer. There are many like it, but this one is mine.
This is a very big step up from what you now have. I worked for some time in the client-server programming department of a health care organization with 20,000+ employees, on projects ranging from inventory management to patient records to corporate salaries. This company did much better than most, and I can tell you that your privacy is not terribly secure.
When you're dealing with a situation which requires thousands of people (doctors and nurses) immediate access to your records, from anywhere in the organization (spannint numerous states), even if you ruled out network security, system security, etc., the possibilities for social engineering are absolutely ENORMOUS. And more than that, with that many employees, it's simply a given that some of them will misuse their power. Just within my friends who work for the company, I know of a very good number of times when information of others was accessed, used, or disseminated for personal use or amusement. Never anything nefarious, but still, not only unethical, but against the law as well.
Google has a much better idea of how to warehouse data, manage access to it, and audit usage and access than any of the individual health care companies out there. They may not be perfect, but they'll probably do a whole lot better than what we/you have now.
Oh, you're not stuck, you're just unable to let go of the onion rings.
Just how much will they be able to access? They can already access some type of information through the MyChart website. Why do they need Google anyway? Why not keep it permanently on CCF's site?
The fact that Google is even able to attempt to make something like this happen means that it understands and values what it means to offer services in a reliable way that is respectful to its users and works to preserve their rights and privacy. I don't think Microsoft could ever even attempt such a thing. No one would ever trust them enough. In fact, I can think of very few companies I would trust with all of my medical information other than Google.
So all this talk about Google standing up to protect user data from the US Administration is as true and verifiable as their motto itself ("Don't be evil").
Microsoft has already been testing there HealthVault system at http://health.live.com. There's a clear battleground here: ultimately, with an ageing population and an increasingly technological population, the market for health record keeping is huge money making opportunity. Google's goal of organizing the world's information doesn't stop at public data; the most important data to each of us is our own personal data, and of that, our health data if the most valuable. People are willing to spend their life-savings just to stay a little. The drug industry already knows that.
Google has done a great job in searching raw free-text data. However, healthcare data is a different beast. The sheer number of datatypes is mind-boggling -- the number of different labs, drug classes, diseases etc that can get coded in patient records runs in to millions. So over the years healthcare databases have been constructed differently - they follow an EAV (Entity Attribute Value) representation, which means that the patient databases are generally just ONE BIG TABLE! Here is the database schema used at New York Presby. Schema - all past 20 years patient data is stored in one table! oh yeah.. DB2 Baby!
Essentially all data/knowledge complexity is present in the Ontology/Terminology (such as SNOMED or LOINC) and the patient data itself instantiates from these.
Also doing NLP over medical notes is a difficult problem requiring years of tuning and domain knowledge to construct one -- which again is so specific to a given institution or region that it just does not work elsewhere.
It would be interesting to see what *real* innovations Google brings on the table.He has not been the type to do personal attacks, just attacks on policies and actions. In fact, overall, I would say that McCain has been the same way, and Clinton was until Wisc (sent her ppl in to do a hatchet job on obama).
I prefer the "u" in honour as it seems to be missing these days.
I have thought that when AQ (or even China) decides to get real serious with attacking the west, it will be via a computer attack. Most likely, they will hit a number of windows systems which have loads of our information on it. With the data on us, simply run the banks. By doing that, they could transfer not just billions out of the country, but cause such chaos here, that it would be difficult to have a unified front. WHile I really want to see Linux come on strong, I like that Gates has been pushing Windows into countries that America may have future issues with (china comes to mind). This health data typically has enough info to allow the run on the bank.
I prefer the "u" in honour as it seems to be missing these days.
It'd be so much better in Australia too, because Google would have to declare why they are collecting the information and what they are going to use it for and if they used it for purposes other than that they would be in violation of privacy laws.
Unlike the USA, where they are free to collect any information and not say who they are going to sell it to.
How we know is more important than what we know.
Maybe because I am part of the Facebook generation, I am more accepting of this type of system. My experience has been that it is a real pain to deal with transferring medical records between different clinics, especially when I am waiting for someone to fax something before I can get my antibiotic. I'm not ashamed of anything in my medical records (no abortions or STDs), so I am willing to take the risk that they might be stolen/sold to a third party/examined by the government/used for targeted advertising in order to gain the convenience of being able to access my medical records quickly in an emergency situation.
Fortunately, this sort of activity could become illegal in the United States.(PIPEDA [privcom.gov]), so I for one won't ever have to welcome your google overlords.
Well, Google does seem to know what the world cares about.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
This isn't going to be mandated. The only way your medical records get up there is if YOU put them there and agree to use the service.
Might as well try to say Google forces you to use Gmail or use them as a search engine. There are alternatives to those too, including abstience.
I have to wonder how Google is approaching the legal requirements for HIPAA compliance with respect to the storage and retrieval of healthcare information. Anyone got any pointers on this?
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
Sorry, I just couldn't resist.
You and everyone else keeps posting about how worried they are that either Google will get a copy of your data without your permission (which they can't) or someone will see your records, which is obviously possible as you mentioned. So scam the system back. If I'm not mistaken, you have to agree to release your medicals records every time. If someone sees my medical history right now, who cares. Nothing incriminating, nothing blackmail worthy or don't hire me worthy. So let's say I go to the Dr tomorrow for some stupid made up thing or just for a physical and agree to release my medical records to google and I assume it's retroactive. Even if it isn't, google would get a copy of my awesomely perfect medical history. And from then on I say no to release my records. I assume you can sort of itemize your permissions like that because you might want to release to your employer that you were injured for something but not release that you have an STD later. It's not like they keep sending your medical history to everyone you ever gave permission to forever. So in effect, no matter what happens to you in the future, if you just keep saying no, google's records will show you are and always have been in perfect health :D You could have some attempted suicides and illegal drug related treatments and a couple physical confrontations on there and it'd still look perfect to anyone who gains access to it through google.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
You have really turned into an asshole. I am guessing that something is on your mind, but normally, you are not like this.
I prefer the "u" in honour as it seems to be missing these days.
I sincerely hope that Obama wins the Whitehouse, and I sincerely hope that he acts to finally put a Constitutional Ammendment guaranteeing the right to Privacy on the books.
As a professor of Constitutional law at the University of Chicago, he should be abundantly aware of how fragile our right to privacy is in this country, being that it's an inferred right that rests only on precedent.
Do what you can, with what you have, where you are.
Here's some of the problems you can have when the confidentiality of your medical records is compromised.
http://www.post-gazette.com/pg/06362/749444-114.stm
WSJ, 26 Dec 2006, Medical dilemma: spread of records stirs patient fears of privacy erosion; Ms. Galvin's insurer studies psychotherapist's notes; a dispute over the rules; complaint tally hits 23,896, Theo Francis.
(My notes, for people who are too lazy to even click on the link:)
In 1996, after her fiance died suddenly, Patricia Galvin left New York for San Francisco and was hired by Heller Ehrman LLP.
In 2000, Galvin began psychotherapy sessions at Stanford Hospital & Clinics with clinical psychologist Rachel Manber, who discussed her problems at work, her fiance's death, and her relationships with family, friends and co-workers. Manber assured Galvin that her notes would be confidential.
"I would never have engaged in psychotherapy with her if she did not promise me these notes were under lock and key."
In 2001, Galvin was rear-ended at a red light and suffered 4 herniated disks, which worsened.
In 2003, she applied for long-term disability. Her employer's carrier, UnumProvident Corp., said it would deny her claim unless she signed a release.
Manber assured Galvin her therapy notes would not be turned over. 3 months later, Unum denied her claim, because of psychotherapy notes about "working on a case" and a job interview in New York, which, Unum said, showed she was able to work. Galvin says they misinterpreted the notes.
In 2004, Galvin sued Manber, Stanford and Unum for malpractice and invasion of privacy, under California law. Galvin said "my most private thoughts, my personal tragedies, secrets about other people" were exposed.
In 2005, Galvin learned that Stanford had scanned Manber's notes into its system, making them part of her basic medical record. Stanford sent this file to Unum and the other driver.
Stanford said that "psychotherapy notes that are kept together with the patient's other medical records are not defined as 'psychotherapy notes' under HIPAA." It would be "impracticable" to keep them separate.
The health-care industry is scanning documents into electronic record systems. HIPAA gives psychotherapy notes special protection, but not when mixed in with general medical records.
Peter Swire, law professor, Ohio State U., explains why they wrote the rule giving confidentiality only to separate psychotherapy notes.
Stanford refused to separate her psychotherapy notes from other medical records. "Any time anybody asks for my medical records, my psychotherapy notes are going to be turned over."
In 2006, DHHS rejected Galvan's HIPAA complaint. From Apr-Nov 2003, DHHS had 23,896 privacy complaints, but hasn't taken any action. HIPAA exceptions allow release in connection with "payment" or "health-care operations."
Galvan, 51, is representing herself, because she couldn't find a California attorney with privacy experience.
Deborah Peel, Austin TX, psychiatrist and head of Patient Privacy Rights, says, "How many women want somebody to know whether they are on birth control?"
http://online.wsj.com/article/SB116709136139859229.html
NYT, 26 Dec 2006, Costs of a crisis: Diabetics confront a tangle of workplace laws, N.R. Kleinfield.
Some companies fire diabetics for ostensible safety reasons, even though there's no evidence that they're unsafe. Courts nationwide have split on whether diabetes is a disability under the test that a "major life activity" is "substantially limited".
John Steigauf, 47, was a truck mechanic for United Parcel Service, but UPS put him on leave because of his diabetes. UPS claimed his blood sugar might plummet while he tested a truck, causing an accident, and he couldn't get an interstate commercial driver's license with insulin-dependent diabe
1. If the government has the information, the black market has it.
2. The black market can simply buy the information from the people who work in the hospital.
The lesson? No information which is stored in plaintext anywhere on earth is secure. As long as a pair of eyes can see it, whoever owns that pair of eyes, can capture and sell whatever information. It's already too late.
I've been wondering for the last few years why no one is doing this. I read about studies that are considered HUGE where there are 50,000 participants. Many studies are only in the hundreds. What happens when you can do statistical analysis on millions of patient records? It would seem to me that the potential for finding trends amongst otherwise disparate symptoms would be amazing.
As a poster above noted, finding a way to query the data is a problem. Finding ways to anonymize patient information is a problem(how many elements of medical history does it take to identify a human?) But in the end, if google were subsidizing my health care, I just might say do whatever the fuck you want with my charts!
Which brings this back to one of the question of the century: When will the consumer own it's own data? Today this might be a service Google looks to sell as "You pay us to data warehouse your medical records", but tomorrow it might be "You pay us to mine the data warehouse that we've established."
Are the inconsistencies of patients chart data too much of an obstacle to overcome? I'd hate to think that Google is just doing this as a form of Web 2.0 SAS, 'pay me to do what you used to do yourself' service. I've always imagined that Google figures, if they get enough data in one place, something magical will happen. Medical research of millions or hundreds of millions of patient histories seems like it could be magical.
Look, you could store the information in encrypted form, and due to the flaw in the windows random number generator, it would still be accessed and sold by hackers. But to tell you the truth, the black market operators don't even have to go through the trouble of hiring hackers, they can just bribe the individuals who do have access to your medical records, or threaten to violently harm the children of these individuals, or use blackmail on these individuals by threatening to tell their wife what they've done, or to tell their parents that they are gay.
Do you see? The only way to secure information is to not tell anyone. Your information will be no more safe on Google than it already is, which means go ahead and put it on Google because if someone wants your medical records, they already have it. All the intelligence agencies in the world have your medical records, all the mafias have your medical records, and just powerful rich individuals who can hire private investigators can get these records by simply paying for it.
All information has a price. All information is datamined, stored in databases somewhere on the planet. Anyone who wants the information can pay for it, and whoever works in fields like data entry, or whoever maintains the databases, or whoever merely has access to the files, that individual can be pressured to copy and sell the information to whoever wants it. If you have to face the threat "Either you take our money, or we will kill someone you care about", what would you do? And telling the police might not work because they might own the chief of police too.
If the government has it, the governments get it.
If the governments get it, the corporations get it.
If the corporations get it, the mafias get it.
If the mafias get it, the rich and powerful own it.
No information is secure because powerful/rich individuals can access anything stored anywhere on earth. Just because the governments can hold the information, doesn't mean there aren't moles and terrorist cells in the US government who will sneak the information out and sell it to terrorist groups. And of course theres spies in every corporation, and of course both governments and mafias have spy networks everywhere.
It's far FAR more complicated, and cannot be solved by better laws when law enforcement is impossible. Theres too many breaches that go on, on a daily basis, to ever hope to secure the worlds information. And governments are too busy trying to protect nuclear secrets, they don't have the resources to care about your health information.
It baffles me that few people seem to realize that Google is so much more dangerous than Microsoft ever was.
...but I don't necessarily want to store them at Google or any other 3rd party vendor, unless Congress amends HIPPA to cover them. I'd rather have the option of carrying my records around on an encrypted USB or other portable device. That would mean getting health care providers to use common file formats and standard forms. Not holding my breath.
I wanted to something similar with my pets. Put their vet records on a little memory stick card I could put in a special holder in their collar. Treatment history, x-rays, shot records, license and contact information. I asked my vet if he used some type of electronic records and he looked at me like I'd just asked for directions to Mars. Since vets seldom have to deal with insurance companies, it seems electronic records are a concept in that field.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
you people have no respect for privacy or security
there is no way this can be appropriate
Don't let them Terminate you! (...or alternative technologies or your privacy) Keep your shit decentralized, especially sensitive/private information. "Don't put all of your eggs in one basket" ---mitigates basket dropping AND egg overflow (read: "adds fault-tolerance/redundancy AND malicious activity" with regards to info systems)
Are these records going to be freely available? One has to wonder regardlessly if employers might use it as a basis for hiring an employee. Maybe I'm paranoid, but this was really my first thought, and Its not to far from the present anyway. Employers use peoples' facebooks and myspaces as a guideline right now.
I work for a healthcare organization in IT. And don't get me wrong, being able to have access to a patients's health records at anytime is very useful (and something the government is working on implementing), this information is very sensitive and Google and Microsoft leave themselves open to numerous lawsuits if there are any issues.
Speaking as someone in the healthcare industry, who regularly sends appeals letters to insurance companies requesting additional payment for underpaid claims, I think this is a REALLY, REALLY, REALLY BAD IDEA. Most insurance Companies want to deny your claims as soon as possible, and if that doesn't work, pay as little as possible. All this sort of thing will do is give them more reasons to do that quicker. If they can instantly have your medical records from you, since you need to authorize them to have that info in order to get a policy, you just gave them tons of reasons to deny your hospital bills based on pre-existing conditions, Not being medically necessary, and all kinds of other reasons. A lot of hospitals are going to electronic records, but there are still lots of holes in the systems that are available... and that's not counting the potential Hippa violations and other issues. On top of all of that, there's electronic issues too. I know of at least one clinic where there is a computer in the rooms that the patients sit in to be seen... that computer has a screen saver, but not a password protected one. In other words any patient off the street can go to that place, see a doctor, and basically be left in there by themselves with that computer for 10-50 minutes behind a closed door while they sit and wait for the doctor. Most of you all know how boring that time is... and I'm sure if you had a computer in a room like that may fiddle with it a bit. The scary thing is that this computer actually has access to the Hospital's main network, including all databases, some of which are completely insecure with ids and passwords that match staff names, and occassionally is full of plain text files full of confidential info that was stupidly saved too high in the directory tree by uneducated staff moving files around... I won't say where that clinic is, but will say that it's somewhere in the midwest that just about anyone passing through on vacation could end up at if they are on an accident on a major highway.
I'm a little shy on facts and links to information, but I'm sure I read not long ago about attacks against GMail and Google Accounts where passwords were compromised, etc. It seems to me that tying this authentication into health care information is just asking for trouble...
So how is that voluntary? Its like any other action you take at the 'request' of the guy holding a loaded gun to your head.
See http://www.hhs.gov/ocr/privacyhowtofile.htm for how to report ANY event involving HIPAA violations (affecting anyone, not just you or your family).
I work for a company, that has an official policy that requires me to report to the INTERNAL legal department FIRST, instead of directly going to external entities. Find out about yours.
"I am a....."
Legal Secretary?
Local Shop?
Loan Shark?
Lost Sheep?
Love Shack?
Lowlife Scum?
Lesbian Swinger?
OK, I give up. What does it stand for?
"Life is pain Highness. Anyone who says otherwise is selling something"
Westly, The Princess Bride
Here are some factors to consider: 1) Can Google be trusted to provide reasonable protection of your information? In other words, will you have to worry about the following situations: A Google employee browsing through records for their own enjoyment, or to stalk a former acquaintance; lost backup tapes turning up for sale to identity thieves; hacked database servers; social engineering calls leading to improperly changed passwords; etc. 2) Can Google protect your information from external pressures? For example: a request for information from a potential employer; a demand for information from same, in the form of a lawsuit; a court order to turn over information; a national security letter or similar device from the government; a spouse requesting information for during a divorce trial; etc. 3) Assuming no worries about the information being released in such a way to harm you, is it of benefit to have the information available to you from any computer terminal? (I'd say that's a big fat yes, personally.) 4) Is it possible for this data, when centrally stored and analyzed, to benefit humanity in general? In other words, assuming it's all anonymized so no individual is exposed, can research be done to discover some previously unknown fact about human medicine? Would Google "lease" the data (again, anonymized) to researches? Who would own any subsequent findings? How would any profit be shared between the researches, Google, and the people whose data was used? What about when data is desired for a specific geographic location, for example a small town that's situated near a chemical plant?
I can also think of very few companies I would trust with all of my medical information other than Google.
Ahhh! 18 years younger!!
The article, or anyone else's comments (as per slashdot regulations), however, if anyone is storing my medical information, I'd prefer it to be google instead of some lowbrow, bottom-dollar dealing company, storing the data in some obscure version of DB2, where the admin FTP's in to do routine maintenance.
Special Note: I work in the medical information field.
Hi, I Boris. Hear fix bear, yes?
I'm surprised I haven't seen any discussion on the possibilities that this would provide as far as being able to data mine medical history and present an end user with something akin to a diagnosis based upon the results of tests, medical history and the judgement of individual doctors. In the past I've had what I thought were simple medical questions that I have been unable answer using existing internet medical resources. If Google could pair my medical history with a symptom and even data from the internet, it could be a pretty cool way of finding alternative treatment options for certain illnesses.
Just a though.
I've been on altavista now for a couple weeks.
Seems just as good.
And they are not so big and scummy yet.
Google seems more and more slimy the longer they exist and the bigger they get. They are setting some kind of land speed record for going from idealistic to scummy.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Not to worry. We're in good hands.
When I type in the name of a venereal disease and a zip code in Google, I will get a list of all people in the area with that disease. Wow what a great search tool for dating. We could conversely google-bomb our own name with a "very Large Penis" tag. Slashdotters and techies rejoice.
What bothers me is the user will use the same password to access all of there services including the health records. There needs to be a 2nd layer of security similar to what banks are now using when users access there accounts. This way if the users password gets snitched by a Phising site then there medical records will remain secure. I like the idea of being able to access my medical records online, but not through Google. Like the meta tag reads... what could go wrong?
When I stated that I trust Google more than Microsoft it was based on an intuitive feeling in my gut based on my experiences with each of these companies products. I have reason to believe that the way I feel is also the way a lot of other people are going to feel. A lot of people act based on feelings and not on actual reasoning. A lot of people vote for president of the US based on how the candidate makes them feel, not based on any major credentials. It is my experience that Microsoft is not the type of company that you can trust to get things done properly and in a reliable way. It is also my experience that Google has consistently provided many reliable services that are great to use and have very few strings attached. There are more in depth and logical reasons behind the philosophical functioning of each company and why I support one over the other, but I believe most people are not going to act based on similar complex analysis and tend to lean more towards their gut feelings.
Maybe consumers can use contract law to enhance the privacy of their health records. http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html
Benjamin Wright, Dallas, Texas, benjaminwright.us