Warning on Storage of Health Records .... NY Times April 17, 2008

[Guest guest]

NY Times April

17, 2008 Warning on Storage of Health

Records By STEVE LOHR In

an article

in The New England Journal

of Medicine, two leading researchers warn that the entry of big companies

like Microsoft and Google into the field of

personal health records could drastically alter the practice of clinical

research and raise new challenges to the privacy of patient records. The authors, Dr.

D. Mandl and Dr. Isaac S. Kohane, are longtime proponents of the

benefits of electronic patient records to improve care and help individuals

make smarter health decisions. But their concern,

stated in the article published Wednesday and in an interview, is that the

medical profession and policy makers have not begun to grapple with the

implications of companies like Microsoft and Google becoming the hosts for vast

stores of patient information. The arrival of these

new corporate entrants, the authors write, promises to bring “a seismic

change” in the control and stewardship of patient information. Today, most patient

records remain within the health system — in doctors’ offices, hospitals, clinics,

health maintenance organizations and pharmacy networks. Federal regulations

govern how personal information can be shared among health institutions and

insurers, and the rules restrict how such information can be mined for medical

research. One requirement is that researchers have no access to individual

patients’ identities. Under the current

system, individuals can request their own health records, but it is often a

cumbersome process because information is scattered across several

institutions. As part of a push

toward greater individual control of health information, Microsoft and Google

have recently begun offering Web-based personal health records. The journal

article’s authors describe a new “personalized, health information

economy” in which consumers tell physicians, hospitals and other

providers what information to send into their personal records, stored by

Microsoft or Google. It is the individual who decides with whom to share that

information and under what terms. But Microsoft and

Google, the authors note, are not bound by the privacy restrictions of the

Health Insurance Portability and Accountability Act, or Hipaa, the main law

that regulates personal data handling and patient privacy. Hipaa, enacted in

1996, did not anticipate Web-based health records systems like the ones

Microsoft and Google now offer. The authors say that

consumer control of personal data under the new, unregulated Web systems could

open the door to all kinds of marketing and false advertising from parties

eager for valuable patient information. Despite their

warnings, Dr. Mandl and Dr. Kohane are enthusiastic about the potential

benefits of Web-based personal health records, including a patient population

of better-informed, more personally responsible health consumers. “In very short

order, a few large companies could hold larger patient databases than any

clinical research center anywhere,” Dr. Mandl said in an interview. But the authors see a

need for safeguards, suggesting a mixture of federal regulation — perhaps

extending Hipaa to online patient record hosts — contract relationships,

certification standards and consumer education programs. “I’m a

great believer in patient autonomy in general, but there is going to have to be

some measure of limited paternalism,” Dr. Kohane said in an interview. Neupert, the

vice president in charge of Microsoft’s health group, said that he

admired the authors and that they raised some important issues. But he resisted

the suggestion of extending Hipaa to newcomers like Microsoft and Google. “Philosophically

and politically, I am skeptical of the concept of paternalism,” Mr.

Neupert said in an e-mail response to the article, which he was sent, and to

the authors’ comments. “It never turns out to be ‘limited.’ ” Designing a health

records system that clearly informs consumers and requires their consent for

data use is the better approach, Mr. Neupert said. “We have to earn

the consumer’s trust for our brand,” he said. “So I can

imagine a scenario where we have a third party verify that our system works the

way we assert it does,” much as an auditor reviews a company’s

financial reporting. Dr. Mandl and Dr.

Kohane are physicians and researchers at Children’s Hospital Boston, the

primary pediatric teaching hospital of the

Harvard Medical School .

No virus found in this outgoing message.

Checked by AVG.

Version: 7.5.524 / Virus Database: 269.23.0/1381 - Release Date: 4/16/2008 9:34 AM