Google and Microsoft want to do the same thing for personal health that software such as Quicken has already done for people’s personal finances. Google Health, which was released in May, and Microsoft HealthVault, which launched last October, allow consumers to store and manage their personal medical data online. Users will be able to gather information from doctors, hospitals, and testing laboratories and share it with new medical providers, making it easier to coördinate care for complicated conditions and spot potential drug interactions or other problems. Both Google and Microsoft will also offer links to third-party services like medication reminders and programs that track users’ blood-pressure and glucose readings over time.
Patients already have a legal right to copies of their medical data–information that they paid for and own. But in practice, that right is often difficult to exercise: patients must traipse from lab to hospital, waiting in line for photocopies of CT scans, prescription records, and discharge summaries. That’s because many doctors still do not use electronic records, and others are unwilling or unable to transfer data to patients in electronic form. In a 2007 Wall Street Journal Online/Harris Interactive poll, only about a quarter of respondents reported having electronic records, generally in their doctor’s offices; just 2 percent of all respondents said they had created and maintained medical records on their own computers, and just 1 percent reported using a “personal health record that is stored on the Internet.” HealthVault and Google Health just may push doctors and hospitals to adopt electronic records at last.
What Google and Microsoft promise to do with electronic records is also a radical departure, both conceptually and in practice. Those patients who do currently have electronic access generally use portals maintained by doctors or health-care systems. Typically, patients can view information such as prescriptions, lab results, and diagnoses; sometimes they can e-mail doctors or make appointments online. In most cases, though, patients do not control their own data, so they cannot transfer it electronically to a different health-care provider or plug it in to third-party applications.
With HealthVault and Google Health, however, consumers will have fundamental ownership of their medical data, much as they do with financial records. As more health-care providers begin participating, it will be easy for patients to share CT scans, x-rays, and lab results with new doctors. In the emergency room, “someone comes in and says I’m on 12 medications from four doctors, including the red one and the blue [pills],” says emergency-room physician John Halamka, who is chief information officer of Beth Israel Deaconess Medical Center in Boston and an advisor to Google Health. “If you gave me data that was structured and electronic, even if it was incomplete, that’s much better than I have now.”
Google Health already lets some users import medical data; so far, it has partnered with the Cleveland Clinic and Beth Israel Deaconess to give patients at both access to their electronic records. Meanwhile, pilot projects in which HealthVault users will be able to share information electronically with medical providers are in the planning stages at New York-Presbyterian Hospital and the Mayo Clinic. But “the exciting part of these systems isn’t just making data available to patients,” says Aurelia Boyer, chief information officer of New York-Presbyterian. It’s offering them tools to make use of the data on their own. “The ability to combine applications the way Facebook does is particularly exciting,” she says.
Google Health offers an interface that allows users to build comprehensive health profiles, including information on conditions, medications, allergies, and procedures. The information may be typed in directly, chosen from drop-down menus, or uploaded from participating providers. The drop-down menus contain mind-numbing lists of conditions, from Aarskog syndrome to Zollinger-Ellison syndrome. And each menu item points patients toward information that can help them manage their health. The link beside diabetes, for instance, takes users to a page featuring lists of symptoms, treatments, and complications, search results from Google Scholar, news items, and illustrations. HealthVault’s welcome page looks more like an interface for online banking, but like Google Health, HealthVault lets users link to third-party applications.
Since they deal with sensitive personal data, however, both HealthVault and Google Health raise significant privacy concerns. Such services are not covered by the Health Insurance Portability and Accountability Act, or HIPAA, under which hospitals, doctors, and third-party payers typically cannot release information without a patient’s consent. Google and Microsoft do promise not to share personal health data without consumers’ permission: “We make a very clear promise to consumers about what we will and won’t do with their data, and we’re happy to be accountable for those claims,” says Peter Neupert, corporate vice president of the Health Solutions Group at Microsoft. But those promises are not backed by law.
Privacy experts are particularly worried about the release of data to vendors of third-party applications. If a drug company offers a medication reminder, and patients opt in, giving the company information about their drug-taking routines, can that information later be used for marketing? There’s a risk of personal data “leaking out through these applications,” says Kenneth Mandl of Children’s Hospital in Boston, who cochaired the Harvard Medical School Meetings on Personally Controlled Health Record Infrastructure in 2006 and 2007. (Google and Microsoft say that vendors will have to disclose how they intend to use consumer data.) What’s more, many vendors offering advice on medications and treatments could have conflicts of interest–and their advice might not be sound in any case. There’s “really no oversight,” says Mandl. He argues that some combination of regulation and certification of third-party vendors is needed.
The privacy issues aren’t insurmountable. Microsoft and Google could be brought under HIPAA’s umbrella, or new rules could be enacted that give consumers stronger protection–and greater legal recourse if their records are leaked or improperly sold. But it needs to be recognized that medical information–histories of mental illness, paternity tests, genetic information–can be far more sensitive than browsing histories or even financial records. While Google and Microsoft promise to put users in control, they are also inserting themselves between patients and their most intimate data. Until their legal responsibilities to patients are clarified, only a very trusting soul would sign on with the new platforms, however appealing they may be.
Amanda Schaffer is a science and medical columnist for Slate and a frequent contributor to the New York Times.