Google, Cleveland Clinic Partner On Personal Health Record Service
21 02 08 - 21:43
Google says the system is secure, but several groups warn that entrusting health information to an e-health provider opens potential privacy risks.
By Thomas Claburn and Marianne Kolbasuk McGee
InformationWeek
February 21, 2008 03:40 PM
Google (NSDQ: GOOG) on Thursday announced a pilot program with the Cleveland Clinic that will enable the health care organization's patients to store their health records in their Google Accounts.
"We believe patients should be able to easily access and manage their own health information," said Marissa Mayer, VP of search products and user experience at Google, in a statement. "We chose Cleveland Clinic as one of the first partners to pilot our new health offering because as a provider, they already empower their patients by giving them online tools that help them manage their medical records online and coordinate care with their doctors."
The pilot program represents a tentative first step for Google into the thorny area of health care data issues. It also gives Google a greater opportunity to cash in on the lucrative business of health care advertising. The company on Wednesday announced the availability of its Healthcare Industry Knowledge Center to AdWords advertisers offering health care-related products and services.
Google's timing could be better. The World Privacy Forum on Wednesday issued a report warning that personal health records (PHR) are not protected by federal HIPAA privacy and security rules and that entrusting such records to a PHR service -- the very thing Google is offering -- raises a number of possible risks.
One such risk, denial of insurance coverage, came into sharper focus earlier this month when medical insurance company Blue Cross of California sent a letter to physicians asking them to identify patients with pre-existing conditions. The reason for the letter, critics assume, was to limit or deny health insurance coverage to those patients.
Last year, the California Department of Managed Health Care fined Blue Cross' Wellpoint $1 million for violating state law by canceling or withdrawing individual health insurance coverage following health care claims by policy holders.
Another risk, data security, also bears consideration. According to Federal Computer Week, Department of Homeland Security analyst Mark Walker recently warned a group at the National Institute of Standards and Technology that foreign hackers, particularly those from China and Russia, are seeking to steal U.S. health care records as part of a general escalation of cyber-espionage.
Google claims it will keep user health care information safe and secure. "[O]ur health efforts will help you access, store, and communicate your health information," explained Google engineering manager Alan Newberger in a blog post. "Above all, health data will remain yours -- private and confidential. Only you have control over when to share it with family members and health providers."
But the World Privacy Forum report is skeptical that any ad-supported PHR service will really protect health information. "Advertising-supported PHRs are not necessarily likely to support or allow strict control over consumer information or to fully and readily tell consumers how personal information may be shared," the report states. "Many PHRs will only succeed if they can sell advertising, and advertisers will seek as much detailed information about PHR clients as they can obtain. Wheedling consent from consumers for the profitable sharing of records is something that some PHRs are likely to try."
Todd Chambers, chief marketing officer at Courion, an identity and access management company that works with health care industry clients, believes security and privacy worries are justified. "Obviously, it's concerning, to say the least," he said. "When you look at all the issues that hospitals and health care providers have to deal with to be compliant [with health industry regulations]... to think that there would be a business process put into place that would allow that all to be circumvented, and all that data could be put out there in the public domain, is certainly a huge concern."
Regardless of the risks, Google's vision, or something like it, may be unavoidable. Over 100,000 of the Cleveland Clinic patients already participate in a PHR system called eCleveland Clinic MyChart. Between 1,500 and 10,000 of these will be invited to enroll in the organization's pilot program with Google, which will last between six and eight weeks. Cleveland Clinic received no funding from Google to participate in this pilot, said Dr. C. Martin Harris, Cleveland Clinic's CIO. "Google was a natural" fit to help Cleveland Clinic in this health data exchange for patients, said Harris.
In addition to the clinic's MyChart system that gives patients access to their personal e-health records, all clinic doctors also use an expanded electronic medical record for their patients. It is from this e-medical record system that data is available to patients via MyChart.
The arrangement with Google will help Cleveland Clinic patients who also receive care from non-Cleveland Clinic doctors to provide that information to the clinic's doctors. When a Cleveland Clinic patient visits a non-clinic doctor, that doctor can transmit information about that visit into the patient's Google PHR account, so that the patient can then allow access to that data to Cleveland Clinic doctors. The patients will have the choice on whether they want to provide Cleveland Clinic doctors access to the information in their Google account health record, said Harris. The exchange of information is "at the directive of the patient, and that's powerful," he said.
The partnership between Google and Cleveland Clinic alleviates the burden on patients to provide an updated medical history to their doctors at each visit, said Harris. "This is the kind of exchange that needs to happen," he said. Harris described the pilot with Google as an important part of Cleveland Clinic's longtime strategy to put health IT tools into the hands of the clinic's physicians at the point of care. With this arrangement, clinic doctors will have access to more comprehensive and complete information about their patients at point of care, he said.
"I think it's inevitable that these records will become electronic," said Chambers. "But I think there need to be rules and regulations to protect it. It surprised me that HIPAA is something that extends to health care providers but not health care data."