Tuesday, August 11, 2009

What a PHR Should Never Do

What would you do if you discovered that a company you had never heard of had access to your medical records? Well, if you were at the Googleplex, up all night coding, you might be furiously tweeting and calling everyone on the Google Health team you could think of, saying WTF. Then you would listen to the voice at the next laptop over saying DON'T PANIC, because there has to be a good explanation.

And there is, sort of.

Turns out the system wasn't hacked and nothing was stolen, but this is still a big issue. Under HIPAA you must explicitly grant a party access to your records, and only for a limited amount of time. You must "opt in" to every application. There is one application, however, that operates on an "opt out" basis: install its iPhone app, sign in to your Google Health account, and voilà, your records are linked to an affiliated web application you never installed.

Bad, bad, bad.

This is exactly the fear expressed when PHRs first came on the scene, and it didn't help when Google added to its sales pitch that, btw, since it is not a healthcare organization it is not really bound by HIPAA.

Technically this is not a violation by GH, but a few simple changes would force explicit permission for any account linking: no application gets at a record until the patient has authorized that specific application, and the grant should expire. Allowing this implicit linking is just not acceptable. The good news is that they are working on a fix.
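As an added illustration (this is not Google Health's code, nor the fix Google is working on), here is the opt-out linking pattern described above beside the explicit-consent pattern the post asks for. The application ids, the vendor's affiliate table and the patient record are constructed for the example:

```python
"""Added example (not Google Health's code): two linking policies for a PHR.

OptOutLinking reproduces the pattern the post objects to: installing one
application silently links every application its vendor calls "affiliated".
OptInLinking is the behaviour the post asks for: every application needs its
own explicit, time-limited grant from the patient before it can read anything.
All identifiers, the affiliate table and the record are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample data: one patient's record and a vendor's affiliate table.
PATIENT_RECORDS = ["2009-07-02 allergy: penicillin", "2009-08-01 rx: lisinopril 10mg"]
AFFILIATES = {
    "iphone-app": {"affiliated-web-app"},   # vendor links these behind the scenes
}


class OptOutLinking:
    """Vulnerable pattern: affiliates are linked implicitly on install."""

    def __init__(self, affiliates: dict[str, set[str]]) -> None:
        self._affiliates = affiliates
        self._linked: set[str] = set()

    def install(self, app_id: str) -> set[str]:
        """Link the installed app AND everything its vendor affiliated with it."""
        newly = {app_id} | self._affiliates.get(app_id, set())
        self._linked |= newly
        return newly

    def unlink(self, app_id: str) -> None:
        """The only way out: the patient has to notice and opt out."""
        self._linked.discard(app_id)

    def read_records(self, app_id: str, now: datetime) -> list[str]:
        if app_id not in self._linked:
            raise PermissionError(f"{app_id} is not linked")
        return list(PATIENT_RECORDS)


class OptInLinking:
    """Hardened pattern: one explicit, expiring grant per application."""

    def __init__(self) -> None:
        self._grants: dict[str, datetime] = {}

    def install(self, app_id: str) -> set[str]:
        """Installing links nothing; the patient must still authorize."""
        return set()

    def authorize(self, app_id: str, now: datetime, ttl: timedelta) -> datetime:
        """Patient explicitly grants this one app access until now + ttl."""
        if ttl <= timedelta(0):
            raise ValueError("grant must have a positive lifetime")
        expires = now + ttl
        self._grants[app_id] = expires
        return expires

    def revoke(self, app_id: str) -> None:
        self._grants.pop(app_id, None)

    def read_records(self, app_id: str, now: datetime) -> list[str]:
        expires = self._grants.get(app_id)
        if expires is None:
            raise PermissionError(f"{app_id} was never authorized by the patient")
        if now >= expires:
            raise PermissionError(f"grant for {app_id} expired at {expires.isoformat()}")
        return list(PATIENT_RECORDS)


def can_read(store, app_id: str, now: datetime) -> bool:
    """True if the app can currently read the patient's records."""
    try:
        store.read_records(app_id, now)
        return True
    except PermissionError:
        return False


def compare_policies(now: datetime | None = None) -> dict[str, bool]:
    """Replay the scenario from the post against both policies.

    The patient installs only the iPhone app. Under opt-out the affiliated
    web app can read the record too; under opt-in it cannot, and even the
    iPhone app loses access once its time-limited grant expires.
    """
    now = now or datetime(2009, 8, 11, tzinfo=timezone.utc)

    opt_out = OptOutLinking(AFFILIATES)
    opt_out.install("iphone-app")                      # the only thing the patient did

    opt_in = OptInLinking()
    opt_in.install("iphone-app")                       # links nothing by itself
    opt_in.authorize("iphone-app", now, timedelta(days=30))

    return {
        "opt_out/iphone-app": can_read(opt_out, "iphone-app", now),
        "opt_out/affiliated-web-app": can_read(opt_out, "affiliated-web-app", now),
        "opt_in/iphone-app": can_read(opt_in, "iphone-app", now),
        "opt_in/affiliated-web-app": can_read(opt_in, "affiliated-web-app", now),
        "opt_in/iphone-app after 31 days": can_read(opt_in, "iphone-app", now + timedelta(days=31)),
    }


if __name__ == "__main__":
    for key, allowed in compare_policies().items():
        print(f"{key:36} {'ALLOWED' if allowed else 'denied'}")
```

The opt-out store has no notion of consent at all; linking is a side effect of whatever the vendor put in its affiliate table, so the patient can only discover the extra link after the fact. The opt-in store makes the grant the only path to a read, keyed per application and bounded by an expiry, which is the shape of the "explicit permission for any account linking" the post calls for.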

I have plenty of complaints about GH but... BUT... they are the ONLY PHR with a public API to encourage and foster innovation, so I'm grateful for that. Everyone working on PHR applications in the open-source community is grateful, and face it, PHRs are so new that we need all the crowdsourcing we can get. Upcoming FOSS applications like ChiefMedicalOfficer, Health Wave, and Patient Aware Wave, demoed this past weekend, are proof of the value in that.

Google has been, and continues to be, very responsive to the developer community. That's good news on the Don't Be Evil front.


Sean Nolan said...

Uh, the ONLY PHR with a public API to foster innovation? What about the one that hundreds of companies are building against using the tools available for free at http://msdn.com/healthvault ? The one that has released its interface under an open license (http://blogs.msdn.com/familyhealthguy/archive/2009/05/19/another-promise-delivered.aspx)?

Happy to debate merits of each, but at least acknowledge we exist! :)

asdf said...

Okay, my mistake. Have not tried the HealthVault SDK. Thanks for the correction. For the record, when I looked at HealthVault I thought it was a much more mature and robust platform; that was a while ago, and I argued for a home-grown solution at the time.

It does run in something other than .NET, right? I saw a 3rd party Java API out there somewhere :)