Slashdot Mirror
Google to Begin Storing Patients' Health Records
mytrip writes with news that Google's health record archive is about to be tested with the assistance of the Cleveland Clinic. Thousands of patients (who must approve the transfer of information) will have access to everything from their medical histories to lab results through what Google considers a "logical extension" of their search engine. We discussed the planning of this system last year.
"Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that's also required to use other Google services such as e-mail and personalized search tools. The health venture also will provide more fodder for privacy watchdogs who believe Google already knows too much about the interests and habits of its users as its computers log their search requests and store their e-mail discussions. Prodded by the criticism, Google last year introduced a new system that purges people's search records after 18 months. In a show of its privacy commitment, Google also successfully rebuffed the U.S. Justice Department's demand to examine millions of its users' search requests in a court battle two years ago."
Now I'm going to get TARGETED Viagra spam....
It's Cleveland Clinic, and it's pretty much in every major city. So there are more people affected then just in Cleveland.
When your email is parsed for relavent ads, many just let that go.
But when you associate my email, calendar, documents, health info and who knows what's next, I start to wonder if that might not be too many eggs in one basket?
And if you are like me, your handle/username/login is the same across many sites.
On one hand, it would be convenient to have this archive available so that we can access our records without the hassle of dealing with the healthcare system. On the other side, all that data has only the strength of your password standing between it and the Black Market.
...with the same password that you use to log in to gMail, Google Pages, your Google home page and virtually every other service they offer? Come on. It isn't like Google mandates passwords of any particular strength, or that accounts haven't been hijacked through one means or another.
Cleveland Clinic is one of the top healthcare institutions in the US and the world. Calling it "a clinic in Cleveland" is like calling the New York Times web site "some guy's blog"...
my former employer offered us the option to buy into an online health records system. the selling points were that we could easily be sure that any doctor we saw could have instant access to all of our history, and we could review treatments and billing records.
I chose not to participate, because the provider was new and unknown to me. I don't think I would want to use Google, because they ARE known to me.
I'll just keep asking for copies of records when I visit a doctor, and keep them in my filing cabinet.
Actually, HIPAA does not cover third party databases.
Actually, no, they probably won't have to comply with HIPPA. Google for it (yeah, I know).. You are authorizing the transfer of your records to a 3rd party. You have to give permission. If you give your records to a neighbour, they are not bound by HIPPA. Yes it would be stupid of them to allow anyone to see your health history, and will probably break some state laws, but HIPPA, no..
What are we going to do tonight Brain?
Can I log in and see everything myself? And can I see the list of everyone who ever accessed my records? If not, it's no good.
I'm guessing you're about 19 years old right? The 1980s called, they said you should really pay attention to the world around you.
How we know is more important than what we know.
Give people their medical records. Digitally signed by the docs that made them so they're authentic if the medical system must. If people would like to store them at Google or host them anywhere else, great. Make a standard for appending and signing that makes some kind of sense, but that is general and will work with any storage system. How is sheets of paper being faxed/mailed between docs the best possible standard? The whole system is jive, adding storing it with Google might make it slightly less jive, actually fixing it would, well, fix it. The whole system is so antiquated it make POTS look like a good standard for sending audio, but so ingrained and unquestioned that it's just there.
DeGoogle. Removes all traces of you from Google.
Caveat Utilitor
They discuss how PHR vendors may not be covered by HIPAA nor patient/provider confidentiality laws (esp subpoenas.)
They particularly note that PHR vendors that also provide email services have a lot of data that can be easily linked together (...and to you.)
I'd really like to see this sort of thing work, but am cautious.
john-norris.net
This is a very big step up from what you now have. I worked for some time in the client-server programming department of a health care organization with 20,000+ employees, on projects ranging from inventory management to patient records to corporate salaries. This company did much better than most, and I can tell you that your privacy is not terribly secure.
When you're dealing with a situation which requires thousands of people (doctors and nurses) immediate access to your records, from anywhere in the organization (spannint numerous states), even if you ruled out network security, system security, etc., the possibilities for social engineering are absolutely ENORMOUS. And more than that, with that many employees, it's simply a given that some of them will misuse their power. Just within my friends who work for the company, I know of a very good number of times when information of others was accessed, used, or disseminated for personal use or amusement. Never anything nefarious, but still, not only unethical, but against the law as well.
Google has a much better idea of how to warehouse data, manage access to it, and audit usage and access than any of the individual health care companies out there. They may not be perfect, but they'll probably do a whole lot better than what we/you have now.
Oh, you're not stuck, you're just unable to let go of the onion rings.
Just how much will they be able to access? They can already access some type of information through the MyChart website. Why do they need Google anyway? Why not keep it permanently on CCF's site?
IAALS - HIPAA does cover health information on third party systems under the "Business Associate" rule (which means, anyone doing business with a HIPAA CE (Covered Entity) must comply with HIPAA guidelines (there must be a contractual provision providing that the business associate will comply with the same HIPAA regulations that the Covered Entity must).
The REAL issue is that HIPAA has no teeth. No one has yet really had a judgment entered against them on a HIPAA privacy violation that I am aware of, and there is serious doubt that such a judgment would amount to much (a sizable recovery is highly dubious).
For a comparison of HIPAA to another country's laws, see Canada's FOIPPA (might be one less P). Which provides among other things, that no Canadian citizens health information (ePHI) can be stored on a server on US soil (because of fears that the USFG can utilize the PATRIOT act at any time to gain access to such 'confidential' patient information (ePHI)).
So all this talk about Google standing up to protect user data from the US Administration is as true and verifiable as their motto itself ("Don't be evil").
Google has done a great job in searching raw free-text data. However, healthcare data is a different beast. The sheer number of datatypes is mind-boggling -- the number of different labs, drug classes, diseases etc that can get coded in patient records runs in to millions. So over the years healthcare databases have been constructed differently - they follow an EAV (Entity Attribute Value) representation, which means that the patient databases are generally just ONE BIG TABLE! Here is the database schema used at New York Presby. Schema - all past 20 years patient data is stored in one table! oh yeah.. DB2 Baby!
Essentially all data/knowledge complexity is present in the Ontology/Terminology (such as SNOMED or LOINC) and the patient data itself instantiates from these.
Also doing NLP over medical notes is a difficult problem requiring years of tuning and domain knowledge to construct one -- which again is so specific to a given institution or region that it just does not work elsewhere.
It would be interesting to see what *real* innovations Google brings on the table.I have thought that when AQ (or even China) decides to get real serious with attacking the west, it will be via a computer attack. Most likely, they will hit a number of windows systems which have loads of our information on it. With the data on us, simply run the banks. By doing that, they could transfer not just billions out of the country, but cause such chaos here, that it would be difficult to have a unified front. WHile I really want to see Linux come on strong, I like that Gates has been pushing Windows into countries that America may have future issues with (china comes to mind). This health data typically has enough info to allow the run on the bank.
I prefer the "u" in honour as it seems to be missing these days.
Not only has Microsoft attempted such a thing, but they've succeeded and already have a working version. Its Google that's playing catch-up here, not Microsoft.
To be fair, though, I wouldn't like either company to be snooping around in my health records.
We all know what to do, but we don't know how to get re-elected once we have done it
I have to wonder how Google is approaching the legal requirements for HIPAA compliance with respect to the storage and retrieval of healthcare information. Anyone got any pointers on this?
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
Sorry, I just couldn't resist.
why? Can you list other companies I could trust as much? I don't mind anyone going through my medical records. I haven't been to the doctor in years so there probably isn't anything there. And I don't think microsoft or google are interested in going through my medical records. But I would feel more secure having them on a google server than a MS server. Some companies I trust and some I don't. I trust google. I like how they do business. I don't care for microsoft. I don't feel I can trust them.
You fail to offer any standing reason why you should trust Google more than Microsoft.
At the very least, Microsoft's Live Hotmail doesn't scan your email like Gmail does. Google's policy on privacy is questionable at best. The minute Microsoft starts scanning my email to target me with ads, I'll quit defending them.
Microsoft's security division dwarfs that of Google's. In the past year, was Live Hotmail any less secure than Gmail? Microsoft has its faults too, but so does every company, including Google. It's cool to bag on Microsoft, but at the end of the day, it's no different than other large companies, such as Citibank or GE.
I sincerely hope that Obama wins the Whitehouse, and I sincerely hope that he acts to finally put a Constitutional Ammendment guaranteeing the right to Privacy on the books.
As a professor of Constitutional law at the University of Chicago, he should be abundantly aware of how fragile our right to privacy is in this country, being that it's an inferred right that rests only on precedent.
Do what you can, with what you have, where you are.
Here's some of the problems you can have when the confidentiality of your medical records is compromised.
http://www.post-gazette.com/pg/06362/749444-114.stm
WSJ, 26 Dec 2006, Medical dilemma: spread of records stirs patient fears of privacy erosion; Ms. Galvin's insurer studies psychotherapist's notes; a dispute over the rules; complaint tally hits 23,896, Theo Francis.
(My notes, for people who are too lazy to even click on the link:)
In 1996, after her fiance died suddenly, Patricia Galvin left New York for San Francisco and was hired by Heller Ehrman LLP.
In 2000, Galvin began psychotherapy sessions at Stanford Hospital & Clinics with clinical psychologist Rachel Manber, who discussed her problems at work, her fiance's death, and her relationships with family, friends and co-workers. Manber assured Galvin that her notes would be confidential.
"I would never have engaged in psychotherapy with her if she did not promise me these notes were under lock and key."
In 2001, Galvin was rear-ended at a red light and suffered 4 herniated disks, which worsened.
In 2003, she applied for long-term disability. Her employer's carrier, UnumProvident Corp., said it would deny her claim unless she signed a release.
Manber assured Galvin her therapy notes would not be turned over. 3 months later, Unum denied her claim, because of psychotherapy notes about "working on a case" and a job interview in New York, which, Unum said, showed she was able to work. Galvin says they misinterpreted the notes.
In 2004, Galvin sued Manber, Stanford and Unum for malpractice and invasion of privacy, under California law. Galvin said "my most private thoughts, my personal tragedies, secrets about other people" were exposed.
In 2005, Galvin learned that Stanford had scanned Manber's notes into its system, making them part of her basic medical record. Stanford sent this file to Unum and the other driver.
Stanford said that "psychotherapy notes that are kept together with the patient's other medical records are not defined as 'psychotherapy notes' under HIPAA." It would be "impracticable" to keep them separate.
The health-care industry is scanning documents into electronic record systems. HIPAA gives psychotherapy notes special protection, but not when mixed in with general medical records.
Peter Swire, law professor, Ohio State U., explains why they wrote the rule giving confidentiality only to separate psychotherapy notes.
Stanford refused to separate her psychotherapy notes from other medical records. "Any time anybody asks for my medical records, my psychotherapy notes are going to be turned over."
In 2006, DHHS rejected Galvan's HIPAA complaint. From Apr-Nov 2003, DHHS had 23,896 privacy complaints, but hasn't taken any action. HIPAA exceptions allow release in connection with "payment" or "health-care operations."
Galvan, 51, is representing herself, because she couldn't find a California attorney with privacy experience.
Deborah Peel, Austin TX, psychiatrist and head of Patient Privacy Rights, says, "How many women want somebody to know whether they are on birth control?"
http://online.wsj.com/article/SB116709136139859229.html
NYT, 26 Dec 2006, Costs of a crisis: Diabetics confront a tangle of workplace laws, N.R. Kleinfield.
Some companies fire diabetics for ostensible safety reasons, even though there's no evidence that they're unsafe. Courts nationwide have split on whether diabetes is a disability under the test that a "major life activity" is "substantially limited".
John Steigauf, 47, was a truck mechanic for United Parcel Service, but UPS put him on leave because of his diabetes. UPS claimed his blood sugar might plummet while he tested a truck, causing an accident, and he couldn't get an interstate commercial driver's license with insulin-dependent diabe
I've been wondering for the last few years why no one is doing this. I read about studies that are considered HUGE where there are 50,000 participants. Many studies are only in the hundreds. What happens when you can do statistical analysis on millions of patient records? It would seem to me that the potential for finding trends amongst otherwise disparate symptoms would be amazing.
As a poster above noted, finding a way to query the data is a problem. Finding ways to anonymize patient information is a problem(how many elements of medical history does it take to identify a human?) But in the end, if google were subsidizing my health care, I just might say do whatever the fuck you want with my charts!
Which brings this back to one of the question of the century: When will the consumer own it's own data? Today this might be a service Google looks to sell as "You pay us to data warehouse your medical records", but tomorrow it might be "You pay us to mine the data warehouse that we've established."
Are the inconsistencies of patients chart data too much of an obstacle to overcome? I'd hate to think that Google is just doing this as a form of Web 2.0 SAS, 'pay me to do what you used to do yourself' service. I've always imagined that Google figures, if they get enough data in one place, something magical will happen. Medical research of millions or hundreds of millions of patient histories seems like it could be magical.
At least Google censor web links you send to your friends.
Who gives a crap if a machine reads my email?!! It's going through the intertubes, EVERYONE can read my email unless I encrypt it.
It it didn't scan your email, how would it check for viruses, or even allow you to search your email, so clearly it does. Your problem might be that Google then uses that scan to provide the before mentioned services, as well as targetted advertising, which consists of nothing more than picking out keywords.
Are these records going to be freely available? One has to wonder regardlessly if employers might use it as a basis for hiring an employee. Maybe I'm paranoid, but this was really my first thought, and Its not to far from the present anyway. Employers use peoples' facebooks and myspaces as a guideline right now.
I work for a healthcare organization in IT. And don't get me wrong, being able to have access to a patients's health records at anytime is very useful (and something the government is working on implementing), this information is very sensitive and Google and Microsoft leave themselves open to numerous lawsuits if there are any issues.
Um, you were saying?
Gmail loses attachments
Gmail loses all mail
Censorship by Google
Again, a lot of mistakes that Google does get swept under the rug, because they're Google. Meanwhile, any mistake that Microsoft does gets put in the spotlight.