Web-based repositories pose threat of unprotected records

April 1, 2008

As Microsoft, Google, and others enter electronic medical record derby, radiology and consumer advocates scrutinize their moves

The reluctance or inability of the healthcare industry or federal government to provide a universal online personal medical record repository mechanism has created a vacuum. This vacuum, in turn, has attracted deep-pocket giants like Google and Microsoft.

In February, Internet search titan Google stepped into the online repository arena, teaming with The Cleveland Clinic Foundation to store the personal health records of up to 10,000 enterprise patients who volunteered to have their records electronically transferred so they can be retrieved anywhere through Google Health's new service. Google may eventually open the service to everyone, although the company declined to say when the system would be expanded to general availability.

The Google move follows by four months Microsoft's appearance in the same space. Last October, the software leviathan launched HealthVault, a free online service aimed at helping people collect and manage their personal health information. Others have entered the repository race as well. AOL cofounder Steve Case established Revolution Health in 2005. WebMD, backed by Netscape cofounder Jim Clark, has been around even longer.

Users of online repositories can access their accounts from any Internet-connected personal computer, control what information goes into the profile, and regulate who is permitted to see it. While none of these new repositories currently has the ability to handle diagnostic images, that potential has radiology watching intently. Revolution Health is currently investigating how images can be uploaded in a diagnostic-quality format, according to spokesperson Audrey Chang. Microsoft is also exploring a way to achieve this with HealthVault.

"The expectation is that Microsoft will allow patients to store not only their medical text records, but also diagnostic images," said Dr. Eliot Siegel, director of radiology at the Baltimore VA Medical Center.

Indeed, Microsoft considers being able to work conveniently with diagnostic images important to HealthVault users.

"We are confident that we will be able to provide image-related functionality to HealthVault users," said Sean Nolan, chief architect and general manager of Microsoft's Health Solutions Group.

Two issues make digital imaging more challenging than other forms of medical information, Nolan said. One is the sheer size of the files. Not only must massive amounts of imaging data be stored, they must also be moved across variable Internet bandwidth channels, a problem Microsoft says it is uniquely qualified to address.

"We're not concerned about [the size of the data] at all," Nolan said.

Microsoft is positioned well with the existing HealthVault infrastructure, corporate investments in scalable cloud-based storage systems, and experience with the company's Amalga family of products, which offer a range of health solutions, he said.

The other issue as yet unresolved pertains to regulatory questions surrounding the storage of images, such as FDA rules that regulate medical imaging devices, that do not apply to other types of medical data. Microsoft intends the design of HealthVault to be such that it does not require premarket notification, according to Nolan.

"However, we are going to great lengths to ensure that we have not done anything that would cause our classification to change or be interpreted differently by regulators. If we do fall into a different class, we will follow all appropriate guidelines before making image-related functionality available," he said.

Microsoft is working with experts both inside and outside the company to determine how best to empower consumers with their imaging data, Nolan said.

"We are confident we will have progress on these issues over the coming months," he said.As currently designed, HealthVault does not appear to further complicate existing radiology workflow by requiring radiologists to upload imaging studies to a patient record repository.

"We already have that extra step in our workflow, because if patients want copies of their images, their studies must be loaded to physical media," Siegel said. "HealthVault wouldn't necessarily be an additional workflow step; it would be just an alternative to what we're already doing with physical media."

With the patient's permission, radiologists could electronically and seamlessly direct images to the patient's HealthVault account, instead of using CDs or other physical media.

"In that case, all of a sudden you have a de facto standard where Microsoft would use HealthVault as a mechanism whereby anyone with the correct password and security access would have online access to those patient images," Seigel said.

BOLD STANDARD

Radiology would greet with open arms an alternative standardized image transfer solution available to everyone, whether devised by Microsoft, Google, or someone else.

"Right now, there is a minicrisis about the way we send studies from site to site for referrals or second opinions," Siegel said. "Once, we sent film by mail or courier. Now, in the electronic age, ironically, it's become more difficult to exchange medical images."

Currently, images are written to CD, but so many different CD formats exist that the discs often cannot be read at the destination. Once a CD arrives at its destination, assuming the format can be read, most PACS don't have utilities that allow the images to be imported easily. Attribution issues can make it a challenge for physicians to verify that they have the correct images for the correct patient.

Security is another problem with CDs, which tend to stack up in back offices and have no protection. They are also easily lost.

"CDs are a transitional substitute for film," Siegel said.

He expects radiology to move to electronic access to images in five to 10 years. HealthVault, Google Health, or another service may beat traditional vendors to the punch.

The repositories are free to consumers. Financing will come by the inclusion of search engines that allow consumers to conveniently investigate health-related topics. Advertising revenues raised through the search feature support the repository. Repository search engines may also support next-generation healthcare solutions.

"If you can offer search services to mine data in patient medical records, then there is the potential for that data to contribute to research or even decision support," Siegel said.

In the future, personal health record repositories could be used to tie information together, similar to the way the National Cancer Institute's CaBIG project is trying to bind facilities together to allow researchers to query the database. They could then find out how patients with a particular pathology responded to a certain therapy given a particular DNA profile, he said.

Siegel believes Google, for one, is interested in mining patient medical records. Last year, Google bought a $3.9 million stake in a biotech company called 23andMe, a web-based service that helps consumers read and understand their own DNA.

"I think they are looking seriously at the bonanza that might be associated with being able to do the human genome and have an individual's DNA sequenced so it can be cross-correlated with other medical information," he said.

Before that, however, more mundane matters such as data privacy must be resolved.

PRIVACY CONCERNS

Migration from physical media to electronic image transfer does not inherently resolve security and privacy issues. The World Privacy Forum warned recently of the importance of understanding the privacy risks that exist before sensitive medical information is shared outside the healthcare sector, since privacy protections do not generally follow a health record. HealthVault and other online medical record repositories reside outside of the protections of the Health Insurance Portability and Accountability Act.

HIPAA rules establish minimum privacy and security standards for covered entities only. These are defined as healthcare providers, health insurers, or clearinghouses. The applicability of HIPAA's privacy protections depends on the entity that processes the healthcare record. The basic idea is that if a healthcare provider (hospital, physician, pharmacist, etc.) or a health plan maintains a healthcare record, that record is protected under HIPAA.

"For personal health records, the important thing is that unless the personal health record vendor is itself a covered entity under HIPAA, the HIPAA health privacy rule does not apply," said Pam Dixon, executive director of World Privacy Forum.

The privacy concern is that the records residing outside the healthcare system are at the very least open to commercial exploitation. While physicians may be bound by privilege and medical ethics not to exploit or divulge patient records for personal gain, commercial repositories not covered under HIPAA do not operate under the same legal and ethical constraints. It is possible, perhaps even likely, that by sharing health records with a third-party repository, consumers will be seen to have waived any privilege that previously applied to their medical records.

Use of an office computer by a consumer to access personal health records, for instance, may affect the privileged status of health information, since most employers reserve the right to monitor website visits or read electronic mail sent over an employer's network. The exposure of e-mail to the employer could jeopardize any privilege.

Records in a non-HIPAA-covered repository also lack the basic procedural subpoena protection provided by HIPAA.

"If someone wants to subpoena a consumer's health records from a covered entity, HIPAA requires that the entity seeking the records first notify the consumer," said Robert Gellman, a privacy and information policy consultant in Washington, DC.

With that notice, the consumer has the chance to contest the subpoena, argue that the request is too broad, object that the records are not relevant, or seek a protective order."Protections covering subpoenas of health records provided by HIPAA will not apply to personal health records housed in a third-party repository," Gellman said.

The biggest concern about commercial health record repositories is the possibility that private health information will leak into marketing systems, he said.

"The terms under which a record repository operates could allow the sale or rental of consumer information in the same way that magazines, catalog companies, charities, or other merchants share information with little if any consumer knowledge or consent," he said.

Marketing prohibitions of HIPAA do not apply to personal health records that are not covered entities. A 2007 study of record repository privacy policies conducted for the Department of Health and Human Services found that only one in 30 repository privacy policies stated that explicit consumer consent was necessary prior to the sharing of any personal health data by the vendor. Microsoft and others maintain that the design of their repositories provides more, not less, protection than HIPAA, but those assurances do not assuage privacy advocates' concerns.

"For one thing, HIPAA is a statute and has the force of law," Dixon said. "If health records are stored outside of HIPAA protection, then consumers must rely on repository privacy policies. Those policies can be changed at the whim of the company and can be made retroactive. Consumers would have no legal recourse."

Dixon said the healthcare sector is in transitional phase and society must make a decision: Do we want our healthcare records protected by the medical sector where they have always been, or do we want them outside where access may be more convenient but protections are less certain?

"The problem is, once those records are outside the healthcare sector, the marketing prohibition lifts, and those records can make their way into the wrong hands, such as employers or insurers," Dixon said. "That's what's at stake."

Mr. Page is a contributing editor to Diagnostic Imaging.