Simple – as in the example of what Google has done to create a great, yet simple to use  interface.

Automated – to automatically populate a consumer’s PHR with pertinent health data, regardless of data source, be it pharmacy, doctor, hospital, lab, you name it.

While I do not mean to discount the fine work Google has done to create a simple intuitive user interface, honestly, this is not all that hard to do.

What is extremely hard and will remain a challenge for PHRs, the vendors who create them and subsequently consumers for the foreseeable future is getting that data into a PHR automatically, rather than having to do self-entry.  But how does one get their hands on that data?

Yes, there are issues with standards adoption and more broadly, healthcare IT adoption among providers.  But it is also an issue of control.  Whoever controls the data, controls the relationship.  Thus, many a healthcare stakeholder will be reluctant to fully release such data to the care of the consumer for their PHR, even though by right, it belongs to the consumer.

Like myself, Dana Blankenhorn over at ZDNet has been in the IT industry for a number of years and like me, not just healthcare.  Dana posted a great piece on the issue of data control this morning that is well worth the read for he really hits the nail on the head as to what the real issue is and the Teutonic struggles that lie ahead between all the various stakeholders that are fighting for the mind-share and ultimately control of the consumer relationship.

Sure, it’s easy to pick on these companies, but honestly, it does not paint an accurate picture as to what the true risks are in the market today as we increasingly move to an environment where our medical records, and for that matter any information about us, will be in digital form. Yes, there are risks, but there are benefits as well, benefits which the majority of Americans are willing to accept in the pursuit of better care.

Now back to those PHR vendors. As I have stated before, the industry as a whole has not done a very good job of policing itself and insuring that the average consumer easily understands the privacy and security afforded to them in a given PHR.

But moving beyond PHR vendors, there are a number of others who also have information on your medical history. Earlier this week, one of the nation’s largest health plans, WellPoint, announced that it had a breach in security that exposed information on roughly 128,000 members. What is particularly disturbing in this case was that these records were exposed on the Internet for over a year and that this was far from an isolated incident at WellPoint.

And WellPoint is not alone. There was the stolen laptop in January that contained records of some 300,000 members of Horizon Blue Cross Blue Shield of New Jersey and the stolen laptop in late February of an NIH researcher with some 3,000 records. And there are many more such incidents you will find by simply doing a Google search.

And who said hospitals were safe? A report just released from the healthcare IT group, HIMSS (Health Information Management Systems Society) found in their survey of 263 HIT professionals that more work needs to be done to better protect and secure patients’ medical records.

This is, dare I say it, a universal issue that will affect any organization regardless of size and where they are in the broad supply chain of medical records, be they payers, providers, researchers, consumers and of course PHR vendors. There are no easy answers here and we may need to simply accept the fact that with the digitization of some of our most important and sensitive information, our medical records and history, that there will be risks which we will all share. Hopefully, the benefits that we will accrue through the adoption ad use of such digital records will outweigh those risks.

But it is always easier to point the finger at others, than at one’s self.

This week’s InformationWeek has an absolute must read feature story on the risk of peer-to-peer (P2P networks). While P2P technology is a very viable and useful technology for businesses to use, such as in a research setting sharing for example complex bioinformatics data, P2P has its share of risks as well. Unlike actual theft of data via hacking into data centers, in the P2P world data on one’s laptop is often inadvertently shared via consumer-based P2P applications such as LimeWire.

Source: InformationWeek, March 17, 2008

For example, an employee or a consultant or even you may have sensitive data on your laptop, such as health records. All the recommended security precautions have been taken, but you also have BearShare, LimeWire, Gnutella or some other consumer-centric P2P app loaded on that laptop for music and video sharing. Unbeknown to you, however, is that if you have not configured the P2P app properly prior to use, you open the doors to not only share music and video data, but other files as well, including those health records.

It was a similar situation such as this that led to the very public data breach at Pfizer last summer as well as the inadvertent release of a terrorist threat assessment report by Booz-Allen Hamilton for the Chicago Transit Authority. And despite these clear security breaches, InformationWeek demonstrated in this article just how easy it is today to go out and find all sorts of files, (the reporter even found a nice set of health records) if you know what you are doing and where to look.

Now I am a strong believer in a consumer’s right to have control over their health records and if they have those records stored within an online PHR, that security and privacy are held paramount. I have also posted previously that I believe that PHR vendors have not been pro-active enough on ths issue. But what I am increasingly having a problem with are the sensationalist organizations such as the World Privacy Forum and the general press that are looking for quick sound bites without having to do any investigative reporting. As the above issue on P2P security clearly illustrates, maybe the problem with security and privacy of sensitive records such as health records is not “out there” on Google Health, HealthVault, WebMD or some other health record service but right “in here” within our own computers, those of a consultant or even the computer my doctor is using.

Time to take some personal responsibility folks.

And by the way, are you using P2P, or more importantly, do you share your computer with other family members, say a teenager who has downloaded a P2P app on to that computer? Don’t say I didn’t warn you.

The biggest objections to this bill came from the medical establishment itself claiming that passage of the bill would stall adoption of healthcare IT (HIT) systems. In one of the more bizarre statements Kathleen Bizarro (I’m not making that name up), EVP of the NH Hospital Association stated the bill would “essentially put a halt to the development of electronic medical records.” The medical establishment went on to state that the bill was too onerous, would restrict a physicians ability to provide good care, and that it would exceed existing federal laws (HIPAA).

All of these are pretty empty statements for the following reasons:

• The bill was designed to simply provide the consumer more control over who gets to see their records. That it not a major burden for providers.  In fact, if a consumer requested an audit trail, the provider/hospital could charge the consumer a fee for providing such a report.
• Adoption of HIT is not struggling due to privacy/record access issues, nor will it be in the future. HIT is struggling simply because for most physicians, the value proposition is not there.
• In many states, laws have been passed to strengthen privacy above and beyond HIPAA as HIPAA certainly has its fair share of weaknesses. Unfortunately, most do not know this and hold up HIPAA as the be all to end all for privacy requirements.

Clearly there were other factors at play here as to why these organizations were against the bill. I have not read the bill itself and there may very well be some good reasons to oppose it, but based on the aforementioned arguments that were used, I have the feeling that this was a good bill and that special interests who have a vested interest in keeping firm control of consumers’ health records were at work here.

In a little touch of irony, legislators were granted privacy on this vote as they were able to cast their votes anonymously thereby not showing the public what side of the issue they were on. And it was a close one, defeated 166 to 150. The measure has gone back to committee for revision.

I’ve written on this topic numerous times, (just click on the “Privacy” in the tag cloud on your right) most recently calling all of this a red herring with the press being extremely lazy and not willing to look beyond the “privacy issue” to what benefits might accrue to the healthcare system via PHRs.

And it is not like the PHR vendors have done all that great  job on the issue either, though I do see that changing with Microsoft now in the market.  Google, in time, can be expected as well to have some good policies in place but to date they have not shared them.  Google missed the boat on that one and I hope they will follow Microsoft’s lead.

Obviously, was not impressed and took Microsoft to task when the aforementioned PHR privacy report was published.

Of course, Microsoft contacted me immediately to tell me that I had it all wrong, that indeed they were requiring partners to adopt the excellent HealthVault privacy policies in order to participate in the HealthVault ecosystem and that this was a part of their standard Terms & Conditions (T&C) sheet.

I responded: “Prove it.”

At first, Microsoft was reluctant to send me a copy of the privacy requirements in the T&C.   Thn, out-of-the-blue, during my briefing with Microsoft at this week’s HIMSS I was told that I would be receiving the document post-haste.  Well, guess what, they not only decided to share the document with me, but have posted the T&C privacy requirements within the HealthVault Development Center for anyone to view.

It is an impressive privacy document that clearly gives the consumer control of their records.  It requires the partner to take numerous steps to insure privacy including among others, adopting HealthVault privacy policies, using explicit opt-out policies, prominently displaying their privacy policies on all web-pages and informing the user know of any changes that are made to policies.  Here is a direct link to that partner privacy policy page.

Good example of full disclosure that others would be wise to emulate.

Speaking of which, have yet to see Google’s privacy policies for Google Health, though Schmidt yesterday did clearly state that Google takes privacy very seriously.  Well…

Prove It!

While the report does not give names of any particular PHR vendor (I could certainly name a few egregious examples), the report does make it clear that a consumer is at risk of having their privacy compromised if they are not careful.

Research for our upcoming PHR report ( due out by end of May 2008 ) concurs with this finding and it is also something I have brought up in the past. Having over the last few months reviewed countless web-based PHR solutions and where possible, their privacy policies, I have found almost zero consistency. This issue will continue to plague the industry until they, as a group, define what are best privacy and security practices and begin policing themselves through some form of industry-sponsored certification process. (Note: The existing HON certification is a joke.)

Microsoft for example, is in a perfect position to sponsor such an initiative and insure that all partners adopt the same strong privacy and security policies that Microsoft is using for HealthVault. Unfortunately, Microsoft has yet to step-up to the plate on this one, which is shameful.

My Recommendations to the PHR Industry:

Microsoft – Take a leadership role and require that all HealthVault partners adopt the same privacy and security policies that you are using. Better yet, work with Dossia and Google as well to create a common set of standards and compliance policies for the industry and a mechanism to implement them and police them. (Please refer to later post, Microsoft Comes Clean on Privacy, which commends Microsoft for taking a pro-active stance on this issue.)

PHR vendors – Establish a semi-independent organization that will create a set of best practice standards for privacy and security. Give this organization the power to use these standards as the basis of a “Good Housekeeping” seal of approval certification process for PHR vendors. This organization will fully vet PHR solutions going well beyond what HON does today. Those that comply, get a prominent seal to display on their website. Microsoft, Google and Dossia, maybe you could be lead sponsors to form such an organization.

Both of the above will take sometime to implement so what should PHR vendors do today? Here are my top seven suggestions:

• Make your privacy & security policies clear and understandable.
• Have them visible and not hidden down at the bottom of your homepage with a small font “Privacy” link.
• Allow the consumer to download your policies e.g., provide them as a PDF.
• State clearly how any data may be used.
• State clearly opt-in/opt-out policies and procedures.
• Detail how records are stored and where and what are your policies for records removal.
• Specifically state how you support portability and the process by which a consumer can retrieve their records and move them to another PHR of their choosing.

I’m sure I’ll think of more steps PHR vendors can take later, but taking these steps would be an excellent starting point. Unfortunately, I have yet to find site that supports all of the above suggestions.

If the industry does nothing, they will be leaving it to the government to create privacy regulations. My fear here is that such regulations may not achieve lofty privacy goals and instead have the perverse affect of killing an industry that is only beginning to get some traction.

Last week it was reported that a laptop with over 300,000 consumer records contained therein was stolen. Now, Horizon Blue Cross/Blue Shield of New Jersey, the owner of that laptop, is notifying these consumers that their personal information may have been compromised.

Laptops are a hot item and frequently stolen, we all know this and certainly try to safeguard our laptops while traveling. What I fail to understand with this story however, is how any company, be they provider, health plan, employer, etc., would allow an employee to load such sensitive information (and so much of it) onto a laptop and then proceed to take it outside the office.

Sure, many employees are now telecommuting and may come into the office on occasion and pick up some files. Others simply take work home with them to meet a deadline. We all do this. But carrying this amount of sensitive information outside a secure office environment, I just don’t get it, particularly with the tools now available that allow an employee to easily and securely access such files over the Web via a secure connection. If such tools were available at Horizon, and the policies to enforce their use, there would have been no reason for these records to be on a laptop in the first place.

The only conclusion I can come up with is simply a lack of foresight and good security policies at Horizon. Senior Horizon management, and in particular the CIO are on the the hook for this one.

I may quibble with some comments such as:

There are “at least 200 PHRs on the market”.  I’ve done a lot of digging and can’t come up with half that amount of viable PHRs.

Or quoting Deborah Peel of Patient Privacy that consumers should not use PHRs sponsored by insurers or employers.   This is simply too broad of a blanket statement and one needs to look closely at portability and privacy of such sponsored PHRs as not all are alike and many are worth participating in.

But by and large, the article does get it right, especially regarding the many flavors of PHRs in the market today.  The challenge for the consumer is trying to wade through the numerous choices to select the PHR most appropriate for their needs.  Unfortunately, the AHIMA, which has a website to educate the consumer on PHRs, does not provide this level of granularity to assist the consumer in their choices.  Hopefully, they recognize this shortfall and will rectify it in 2008.