Tsibouris & Associates Home | Practice Areas | Attorneys | Contact | Publications | Clients | Blog Home

Monday, December 10, 2007

Microsoft Health Vault

By: Dino Tsibouris & Mehmet Munur

Microsoft recently launched Health Vault promises benefits in healthcare information storage and sharing online but raises concerns on privacy of this information. Health Vault is Microsoft’s “new personal health platform that lets you gather, store, and share health information online.” Service users need a Windows Live ID (previously . NET Passport) to use the service. Once users create both a sufficiently safe username and a strong password, they can enter data from health and wellness devices, or upload documents to their vault. Users can then share this information with other Windows Live ID users, such as doctors and health care professionals.

Google also has a similar website entitled Google Health that is similar to Microsoft’s consumer oriented approach to health information. While Google’s service will probably not be introduced until 2008, both companies’ focus on this field is a result of current trends. In 2007, 52 percent of adults in the US searched the web for health information compared to 29 percent in 2001. More and more, patients are confronting their health care providers with information gathered from websites such as WebMD. Both Google and Microsoft hope to leverage their expertise in web search functionality with personal health information storage and sharing.

Consolidating healthcare information online can offer many benefits to a patient as well as the doctors. Online storage reduces the risk of data loss and enables access to data regardless of where the patient resides. However, giving patients full control of their health records may mean that patients can selectively disclose healthcare information.

On the other hand, both Google and Microsoft are entering this industry to generate advertisement or software sale revenues, which creates privacy concerns. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 governs the security of personal health information. While Microsoft is aware that HIPAA may apply to it, it is not yet aware of extent of that HIPAA applies to Health Vault.

Microsoft’s Health Vault privacy statement addresses some privacy concerns while it does not specifically address HIPAA regulations. First, the privacy statement asserts that third parties, such as companies Microsoft hires to answer customer service questions, have access to personal information such as IP addresses and email addresses. However, Microsoft also states that these third party companies are required to maintain confidentiality. Second, Microsoft states that this information “may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or agents maintain facilities.” Third, the statement asserts that “aggregated information from the Service for marketing” may be disclosed. While, this aggregated information is not associated with any individual account, it may be used for marketing after an “opt-in consent” from the user. Finally, the privacy policy specifically addresses cookie use, web-beacon use, and encryption using HTTPS. While these assurances are definitely in the right direction, Microsoft will certainly want to assure compliance with HIPAA’s privacy and security rules.

Considering that Google’s use of cookies has been under the spotlight before, we are looking forward to review Google’s approach to both the privacy and security of personal health information.


Anonymous Anonymous said...

Even though health vault is being held up as the standard in patient privacy and has received the apparent seal of approval by one of my favorite patient privacy advocates Dr Deborah Peel, it member organizations don't appear to subscribe to this same standard.

Here for example is the privacy statement from the American Heart Association - one of their premier partners.

Go to health vault. click through the AHA to their web site and read their privacy statement.

"c) The AHA owns all Personal Information provided to it by individuals. When an individual provides Medical Information to the AHA, the AHA will ensure that the individual acknowledges their assignment of the right to use the data to the AHA."

(a) For disclosure of Demographic Information (e.g., rental or exchange of donor lists with other organizations), the AHA as a minimum will use the "Opt-Out" approach. An "opt-out" is obtained when the AHA, through some correspondence, gives an individual an opportunity to decline or "opt-out" of disclosures to third parties. If the individual does not opt out, permission is deemed granted. ....

Sounds to me like you will be getting fund raising mail from them using your person health information.

2:15 AM  

Post a Comment

Subscribe to Post Comments [Atom]

<< Home