Danger: The SINGLE most important key to protecting your health records!
The most important key to protecting your health records …
One need only look at the privacy agreements, end-user licensing agreements (EULAs) and the usage agreements of Microsoft, Google and other such Internet-based service vendors to know that you are signing a “unilateral” agreement which can be modified at any time, for any reason, in which you specifically agree to hold the vendor harmless from all problems, be they failure to provide service, loss of records as well as any other errors and omissions the vendor may make. Your remedy for such a breach is sometimes limited to the amount of your monthly access fee if a charge is imposed. Many agreements mandate arbitration which has been shown, at least in the credit card industry, to be somewhat unfair to the consumer.
So the single most important key to protecting your health records is a TRUSTWORTHY UNDERSTANDING BETWEEN THE USER AND THE VENDOR: a legally-enforceable agreement backed with both civil and criminal penalties for breach of contract. Without this legal and contractual protection, you are at the mercy of the vendor.
If the vendors want to inspire confidence in their ability to manage your medical data, perhaps they need to provide a single-page, legally-binding, unalterable contract that specifies your rights and provides remedies for not being able to provide the service “on demand” and for the accidental and/or deliberate loss of your data and/or the release of your medical information to any party, including the government using a non-judicial summons. In addition, the contract should provide you with positive advance notice, via certified mail (not e-mail), of a pending request for your records by any party that you have not specifically invited to share your records -- before it is fulfilled. It should provide for the correction or deletion of erroneous data by authorized medical personnel, under criminal sanction against fraudulently altering medical records. Each medical information provider would be able to alter ONLY those records that they provided. Another consumer would not have the capability to alter any submitted data, as that could cause great harm to the consumer. And it should require that the records be stored in an individually encrypted file using separate keys … which may require the consumer to provide a one-time password or PIN (personal identification number).
Reuters gets it right …
According to Reuters News Service …
“A major consumer group, insurers together with Google Inc and Microsoft Corp said on Wednesday they have agreed to standards intended to speed adoption of personal electronic health records.”
Personal protection …
“The electronic medical record field remains in its infancy. While U.S. privacy laws govern actions by medical providers such as doctors, there is little in the way of other established privacy, security and data usage standards despite decades of industry efforts.”
For the benefit of others …
“Backers, which also include some doctors and employer groups, said they hope to break a stalemate in moving medical records online, sparked by consumer fears that their personal information will be abused, or held against them.”
“Principles:” Sounds nice, but it is a vendor-based initiative without the force of criminal or civil legal sanctions…
“Principles for personal health records include an audit trail to track use of the data, a dispute resolution process for consumers who believe their personal information has been misused and a ban on using data to discriminate in employment.”
One should also ask about the privacy principles which it doesn’t cover.
So who else is signing on …
“Also signing on to the principles are WebMD Health Corp; Consumers Union, which publishes Consumer Reports; seniors' lobbying group AARP; and America's Health Insurance Plans, representing big insurers such as Aetna Inc.”
Practical Considerations …
There is a very large gap between the theory of good medical practice and what is practiced in the field. Whether your full medical history and supporting records are necessary to treat common ailments, accidents and other medical conditions is questionable. Most records are kept for legal protective reasons rather than being accessed to determine a pattern in a patient’s condition. There are exceptions to this rule when good records are helpful, but not always.
Most doctors spend less than fifteen minutes with a patient, especially in those medical facilities which impose a mandated production quota. It has been my personal experience that presenting records at the time of visit is disconcerting as the doctor simply asks questions and ignores the proffered data. In addition, most doctors, even if the file is available, simply leaf through the first sheets which are filed in chronological order. Most do this while standing right in front of you and the cursory scan is performed in approximately one minute. As for emergency situations, hospital ERs rely mostly on their own tests and may (depending on the doctor) glance at the information that you hand them. Unless they are stumped or need some form of baseline information (which is rare in ERs), they will not seek access to your medical history.
What’s in it for them?
For the doctors …
Little or no investment in large-capacity storage for records that must be maintained for legally-mandated retention periods. Likewise, little or no investment in costly proprietary systems which must be continually upgraded and maintained. With an Internet-based application, health records could remain online, stored at the cost of someone else, and be accessed as needed. With suitable legislation, responsibility for the maintenance of these records becomes someone else’s problem.
For the commercial Internet enterprises …
An opportunity to “monetize” your health records by providing aggregated health care statistics (without individual identifiers) to healthcare providers, insurers and researchers, in addition to selling advertisers “targeted” ads to a very select and special audience. These ads might be displayed when you log on to the records site and might consist of ads for new drugs, medical equipment or exercise equipment, based on what might be found in your records. It is not inconceivable that the ads could also pop up in your “personalized” account when browsing non-medical sites. For some vendors, the ability to build and sell Internet-based doctors' record-keeping systems via a monthly charge would provide an ongoing revenue stream.
For the medical insurers …
Easy access to your combined medical records as you have, in all probability, signed an access waiver as a condition of insurance. With the old system, they needed to physically produce a copy of the release and then copy the records at a doctor’s office. A request for records might be met with some resistance and all of the records were not likely to be made available; only those specified in the request. Based on easy access to your past medical history, any slight mistake in your application could result in a denial of coverage.
For healthcare vendors …
Cost-effective advertising that could reach people taking particular drugs or needing some form of home-health equipment. Not to mention sellers of vitamins and other non-prescriptive remedies.
For non-medical insurers …
The ability to access the totality of your medical records using a subpoena or motion for discovery. This could allow an insurer to potentially mitigate some of the damage award by claiming that an accident exacerbated a preexisting injury and was not the cause of the injury.
For the government …
On the healthcare level, researchers seeking information on communicable diseases (including HIV/AIDS) might be able to scan large amounts of online data and legally require the provider to surrender your identity so as to build a comprehensive registry database. Or on a less formal and intrusive basis, perform statistical research using your medical records without your explicit permission. On a political level, the government could possibly access the records of prominent (or just pesky) people and then release the information to media to discredit their actions.
For the media …
As we have recently seen, media contacts within medical facilities were able to procure the medical records of celebrities for use in the tabloid and mainstream press.
Paranoid or prudent?
I am not saying that a central repository of medical records is a bad thing; what I am saying is that adequate safeguards do not currently exist and the precautions needed to protect your data are not in place. Someday, maybe, but definitely not now.
From the Washington Post ... a similar non-medical concept:
"Charter Communications, the fourth-largest cable operator in the United States, announced yesterday that it has backed off a plan to monitor customers' Internet transmissions."
"The company had been planning to harvest the stream of data from each Internet customer for clues to their interests and then make money from advertisers who would use the information to target online pitches."
Before you provide voluntary access to your health records…
- Consider the potential medical benefits of having such a combined medical record. If you see a benefit in keeping such a record, ask for copies of your latest test results and discuss the matter with your personal physician. While many health professionals like the basic idea of having records available, there is often a great gulf between wants, needs and actual usage.
- Consider the past history of information that has accidentally been “Internet accessible” by the government, its contractors, medical facilities and commercial entities.
- Consider the past actions of certain insurers who have made a routine practice of denying claims or looking for any excuse to mitigate their damage costs.
- Review the legal agreement between you and the proposed service vendor. Is it one-sided? Does it contain an arbitration clause? Does it prohibit class action lawsuits? Does it disallow or limit damage claims? Does it reference other agreements which may modify the terms of the original agreement?
- Considering the number of cases of identity theft and financial account breaches, is the system truly hacker-proof or merely hacker-resistant?
- Does system access require more than a single PIN or password? If the system claims to use multi-factor authentication, what are its defenses against a common “man-in-the-middle” intercept attack?
- Are you locking-in for a lifetime of service from a single vendor or will the vendor allow you to transfer the information to another vendor?
Bottom-line … Do you want to be an early adopter?
I personally believe that, since commercial Internet-based recordkeeping is in its infancy and there will be many improvements to come, a wait-and-see attitude may be appropriate for most individuals.
What can YOU do?
If you feel that your medical history is unique enough or your current medical condition warrants it, by all means build your own medical history file. Ask for copies of critical baseline tests or copies of important reports. Ask your doctor to review these for completeness. You can scan them into images and place them on a DVD, place them on a USB-memory device or simply store them on your computer. You can summarize the basic information including your doctor access information and current drug list (don’t forget vitamins and over-the-counter remedies). You can have these records placed on a wallet-sized microfilm card.
If you feel compelled to make your records available, consider a specialized service such as Medic-Alert, which was founded in Turlock, California and is the well-respected supplier of the ubiquitous Medic-Alert bracelets. This is a non-profit institution that actually does what others are attempting. While they are a commercial operation (actually a non-profit), I would tend to put my trust and faith in their hands rather than in Google, Microsoft or any other venture which wants to monetize your medical records.
Until the government has specific criminal and civil legislation in place to safeguard your individual privacy or your local physician installs a computerized record-keeping system (which can participate in a secure medical information transfer network), I would be very reluctant to hand any Internet vendor my records.
I strongly urge you to read my blog item which was written when Microsoft’s HealthVault was announced. It analyzes the practical considerations of using a commercial vendor for health records along with privacy concerns. Also, the quote of the day is particularly appropriate.
It is best to remember: that information which is released to the Internet is destined to remain online, somewhere and somehow, forever and a day.
-- steve
Quote of the day:
"Ways may someday be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home." --
Supreme Court Justice Louis D. Brandeis