With the announcement of a Google Personal Health Records (PHR) pilot program, the company adds medical records to the growing dossier of information it collects about its consumers. CNN reports:
The pilot project to be announced Thursday will involve 1,500 to 10,000 patients at the Cleveland Clinic who volunteered to an electronic transfer of their personal health records so they can be retrieved through Google’s new service, which won’t be open to the general public.
Using a secure API, patients can transfer their health records to their Google accounts, creating a transportable repository of health information. Just as one might import IMAP folders into Gmail, soon we’ll all be moving our health records to Google.
This program raises numerous privacy concerns. Primary is the question of access; when one imports one’s health records to Google, does this mean Google gets to view the records? If one reports a cigarette pack history during a physical exam, will Google now flash ads for smoking cessation products to the user?
Google engineer Alan Newberger writes: “Above all, health data will remain yours — private and confidential. Only you have control over when to share it with family members and health providers.” What does “private” mean? In context, Newberger is talking about transfer control; he is not addressing whether Google gets to peek at your records as well. Perhaps Alan will clarify?
It would be fairly trivial for Google to design a system that is truly private. Germany, for example, uses a PHR system that stores encrypted records. Only when a patient presents her “health card”, which decrypts the records, do they become viewable. Google certainly could design a system like this, but it would be of no benefit to their core marketing business.
While this is only a pilot program, it will grow quickly. According to Newberger, “We’ve been hard at work collaborating with a number of insurance plans, medical groups, pharmacies and hospitals.” If Kaiser and Blue Cross and CVS decide to play along, almost all of us lucky enough to have health care (sigh) will have the option to import our medical histories to Google’s servers.
Assuming that Google will be able to read our records, and I’ll update this if I’m wrong, let’s consider the ethical leap this is for the company. Can I ever really give informed consent when I’m trading my health records, deeply personal and private information, for the measly tradeoff of what essentially boils down to online hosting of text files? Sure, I’ve already given Google my search and communication information, but they had to work for it. But my entire medical history just so I can access it when I want? And they can market to me with that information? This is simply too much to give away for convenience.
I hope that someone can clarify the question of privacy. Will Google read my health records, or will they be stored encrypted, supposedly blind to Google’s all-seeing eye?

The German system you refer to is not yet operational, and a lot of details are still unclear. AFAIK, the data will be stored encrypted, but there will be a backup key stored with the health insurance associations. It shall be used in case someone loses their “health card”. Well, or maybe for other reasons?
Physicians and privacy advocates in Germany have therefore been protesting against the whole system for quite a while. There is always an inherent security and privacy risk if you centralize storage of data, be it emails or health records.
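A sketch of the “blind” repository the post and the comment above describe, added here as an example (not the German system’s real design, nor anything Google built): the host stores only ciphertext plus a per-record data key wrapped under the patient’s card key and, separately, under an escrow key for card loss, so it can serve the records without being able to read them. It is Python stdlib only, so an HMAC-SHA256 counter-mode cipher with encrypt-then-MAC stands in for AES-GCM; all names and the sample record are constructed.

```python
import hashlib, hmac, json, os

def new_key():
    return os.urandom(32)

def _subkey(root, label):
    # Independent encryption and MAC keys derived from one root key.
    return hmac.new(root, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode; stands in for AES-CTR (assumption: stdlib only).
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    # Encrypt-then-MAC; output is nonce || ciphertext || tag.
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered record")  # never silently returns garbage
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def upload_record(repo, patient_id, card_key, escrow_key, record):
    # repo is the host's store (a dict here): it receives ciphertext and wrapped keys only,
    # never a key that can open them. A fresh data key is wrapped for the patient's card
    # and, as the German design is described above, once more for the escrow holder.
    data_key = new_key()
    repo[patient_id] = {
        "ct": encrypt(data_key, json.dumps(record).encode()),
        "wrapped_card": encrypt(card_key, data_key),
        "wrapped_escrow": encrypt(escrow_key, data_key),
    }

def read_record(repo, patient_id, unwrap_key, slot):
    # slot: "wrapped_card" (patient presents her card) or "wrapped_escrow" (card lost).
    stored = repo[patient_id]
    return json.loads(decrypt(decrypt(unwrap_key, stored[slot]), stored["ct"]))

def host_sees(repo, patient_id, needle):
    # What the host could learn by scanning its own storage, e.g. to target ads.
    return any(needle in blob for blob in repo[patient_id].values())
```

Whoever holds the escrow key can read every record it covers, which is exactly the objection the German physicians raised.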
While I don’t think this is the metric for everything – and especially for everything related to Google – to me, this is absolutely a lesser-of-evils question. The choice here isn’t between Google [maybe] looking over your shoulder at your health records and an optimal system as you describe in Germany – it’s between what we have now and Google. And what we have now is... bad. Really really bad. As in: I’m not exactly sure how I’d go about finding my own medical records. I guess I’d ask BCBS? And would they really have my full records? Given the option, I’d really rather Google do the asking for me. Actually being able to easily access my medical records would definitely be worth the tradeoff in privacy. I know this isn’t true broadly, but really, I don’t mind.
My basic position is the idea of giving one’s medical records to the market-leading targeted advertising company is absurd. Just so we’re clear on that.
Let’s think about this in the long view. Federal laws protect our health records because they are amongst our most personal disclosures. Google is offering us, with a single click of a button, the ability to essentially opt out of this protective system.
And what happens if I do opt out, and send my records to Google? Can I ever take my records back? Do my records disassociate from my psychographic profile in the system if I do that? Hopefully we’ve all got many more years, and the idea of Google possessing our health records going forward – what happens when privacy norms around health records change?
I fully agree with the (impossible to disagree with) argument that the health records systems are broken. But the answer is not this, especially when encrypted records are a fairly trivial next step.
No, I’m not against progress. What I’m calling for is a higher standard of ethics, one appropriate to the sanctity of the data. Google can certainly provide a repository – hell, I’ll pay 150 a year for that. But don’t mine it, keep it encrypted, and develop a comprehensive set of rights for the data including my right to revoke Google’s ownership at any time. You think Facebook has got you locked in?
As an aside, I’m going to declare the “I don’t care, Google can see my data” classist. If you get “high” diseases, fine, you’re comfortable with people knowing your conditions. But for those who have been on the other side of our health care crisis, those people who are marginalized and get “low” diseases – these are undervoiced but equally important perspectives.
“Will Google read my health records [...]?”
Fred, I know you can do better than that anthropomorphism: Google is a computer-based company, so your questions properly expressed are:
* Will Google employees have reading access to Health files at an individual level? At almost non-identifiable level? Could Google give this access to Official epidemiology experts?
* Will Google ad-targeting service use Health related information? Directly, or with anonymized statistical association?
* Who will have Kill Switches & Keys for that information? Will it be intuitive for the users?
Patients need to understand the sharing principles, so this is a challenge Google seems to be the only institution able to solve. Whether the for-profit-through-ads should control it is an issue, not fully independent, but that can easily be made distinct by a courageous President who decides to say: it’s a great tool, but not even you want it in a corporation’s hand, and nationalise it (or give it to whatever form of institute US citizens agree they can trust).
The key personal information question certainly is the one you raise: if Google keeps the control of this thing because Companies are the only thing all Americans really trust, they should not have a full access to it. I would feel OK with a blind system that cannot be human-read, but that however can say: this medical condition is associated with a great click-through for this ad; a (college of) medical expert(s) on the condition is asked (through an anonymous process if need be) if this is medically a good thing. I’d love to have tobacco addiction treatment benefit from Google’s great Bayesian machine; I’d have concern with obese people viewing nothing but junk-food ads...
I like the “high” vs. “low” disease argument — and it certainly replies to my question on Bayesian ad filter on hashed conditions. I still think that Google can keep those safe, and be a great part-taker in framing a safer world by encouraging and filtering out temptations.
No question that we need that as an option; if it is opt-in, I doubt it will have any significant success, it will justify the setting up of an anonymous filter for medical appropriateness.
Maybe contract law could help patients enhance the privacy of their health records. http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html
“As an aside, I’m going to declare the “I don’t care, Google can see my data” classist. If you get “high” diseases, fine, you’re comfortable with people knowing your conditions. But for those who have been on the other side of our health care crisis, those people who are marginalized and get “low” diseases – these are undervoiced but equally important perspectives.”
I don’t think this is really fair, Fred, and you’re conflating things here. Google being able to datamine my health records is not the same as their being publicly posted. And as I noted, I’m perfectly well aware that my position on this is not something that most people are comfortable with, and I wouldn’t suggest that anyone uncomfortable with it utilize it. My own personal perspective is as someone who actually has a lot of different data in my medical records.
“Let’s think about this in the long view. Federal laws protect our health records because they are amongst our most personal disclosures. Google is offering us, with a single click of a button, the ability to essentially opt out of this protective system.”
I’m a lot more concerned about – and have I think more well-founded suspicions of bad faith on the part of – my insurance company having access to my medical history. Unfortunately I don’t have a lot of choice there. But however much federal law protects the confidentiality of records, it doesn’t protect me from my insurer, who in the current system is basically concerned with spending a lot of money figuring out how to deny me coverage or drop me, and keeping me as much in the dark as possible about their machinations. I have basically zero confidence that they’re living up to the spirit if not the letter of the law in terms of what they’re allowed to do with my information. If Google can add an element of personal data management capabilities to my health information records – can give me greater data portability and control over my own records (which I really don’t feel I have, now), then I, personally, am okay with the tradeoff. It’s fine to disagree, but calling that view classist is a little much.
“What I’m calling for is a higher standard of ethics, one appropriate to the sanctity of the data. Google can certainly provide a repository – hell, I’ll pay 150 a year for that. But don’t mine it, keep it encrypted, and develop a comprehensive set of rights for the data including my right to revoke Google’s ownership at any time.”
That sounds good to me, too. We won’t get there without federal legislation (which I think on this issue is perfectly possible and reasonable as a digital-information extension of the “Patient’s Bill of Rights.”)