Should You Trust Your Health Records to Google and Microsoft?

Until we have laws guaranteeing the privacy of my digitized health information, I'll pass.

Discussion Policy

Comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions. You are fully responsible for the content that you post.

Erik Larkin, PC World

PC World
Saturday, April 26, 2008; 1:19 AM

Imagine being able to check your medical history as easily as you can your e-mail. Or being able to provide records to a new doctor at a moment's notice. Google, Microsoft, and others are developing promising systems for storing digital health care records--for free.

But there's a catch (of course). Both the upcomingGoogle Health, currently in private testing, andMicrosoft's public beta of HealthVaultdeal with our most personal information. The two projects will eventually enable doctors and hospitals to add records for hospitalization, doctor visits, and prescriptions (after you give your okay), and will permit you to upload data from devices that you might use at home, such as blood glucose monitors. They could be especially useful for allowing a new doctor to quickly confirm that, for instance, a prescription won't cause problems with other medications you're taking.

The drawback? TheHealth Insurance Portability and Accountability Act (HIPAA), a federal law that governs the confidentiality of health records, doesn't extend to non-health-care companies.

Microsoft and Google appear fully aware of the need to keep this data private. I have talked with both companies about their privacy policies, and it looks as though they will give users explicit control over access to and use of their data. In general, they are moving in the right direction, says Deven McGraw, director of theCenter for Democracy and Technology's Health Privacy Project. And both companies support federal legislation to establish a privacy baseline.

But absent any HIPAA or other overarching regulation, McGraw notes, you simply have to trust that the companies will do the right thing. Google and Microsoft are, for the most part, being careful with regard to privacy here, but where my health care records are concerned, I want laws that specifically define what can and can't be done with the information. And I want the company responsible to be punished if someone screws up and releases my data.

Maybe the best approach isn't to extend the reach of HIPAA, but something enforceable should be on the books. Some federal legislation is in the works, according to McGraw, but there's a good chance that nothing will happen until next year at the earliest.

Another issue: Google and Microsoft use a simple Gmail or Windows Live user name and password to access the records. That's great for convenience, but terrible for security and privacy. Internet criminals commonly try to guess or steal Web mail accounts. It's bad enough when a snoop rifles through your Web mail. Imagine one getting access to all your health records at the same time.

Faced with these potential gotchas, I'd wait for the systems and the laws to mature before jumping in. Also, if and when you do try such a health records system, create a user name and password separate from your mail account, just for the health sites.