Fred Trotter has thrown down the gauntlet: he says Microsoft’s HealthVault privacy policy doesn’t pass muster.  He chides Deborah Peel, director of the Privacy Rights Foundation, for endorsing its privacy protections.  Martin Jensen at the HIT Transition Weblog, among others, is in agreement.

Bottom line, they’re right, but so what?

Whose privacy policy really works these days anyway?  And we’re talking about medical records, right?  Those mostly paper records that get slogged around medical offices and hospitals and nursing facilities and imaging centers . . . . It’s not as if their security has never been subject to compromise before being locked up in the HealthVault.

Fred recoils in horror upon learning that Microsoft’s posted privacy policy is subject to change.

He wonders what might happen if Microsoft isn’t around when his great-great-great-great-grandkids need to review family medical histories.

Again, while it would be nice to have perfect privacy policies and practices to go along with the brand-spanking-new HealthVault, I think we are asking too much of new technologies if we expect the old wine to be transformed simply by being decanted into new bottles.

First of all, as many others have observed, there are plenty of other hurdles that Microsoft will have to vault over before facing this one head-on.  For example: (1) likelihood of individuals bothering with complete data entry and maintenance is low, so (2) use of data from the vault by other health care providers is relatively unlikely because it will not be viewed as reliable.

A panacea offered by some to the problem of sharing patient health information across providers is the RHIO.  Unfortunately, we have witnessed the failures of numerous RHIOs, big and small (e.g., Santa Barbara and Northeast PA, to name but two); and, in fact, one limitation of the RHIO is its first name: "regional."  The perceived demand HealthVault seeks to tap into is the demand for portability of personal health data, not regionally but nationally and internationally.  RHIOs seem to be able to tackle the problem locally on a technical level (witness MAeHC; see also MAeHC CEO Micky Tripathi’s blog), but long-term viability is far from assured given the struggle RHIOs have had with settling on a sustainable business model, and privacy issues are a concern for RHIOs too.  HIPAA does not apply to RHIOs, and while there is legislation pending that would extend HIPAA privacy protections to RHIOs (Wired for Health Care Quality Act of 2007), it is stalled in committee and is opposed by HIMSS.

The challenge remains the same: timely development of workable interoperability standards — and products that adhere to those standards and allow for real-time access to organized health records by all providers caring for a patient.

Fred and others point to Indivo, an open source solution with perhaps greater transparency than HealthVault (auditable, etc.); however, it is ultimately subject to many of the same concerns.  Unless I’m missing something, maintaining a personal health record that is complete, and up to date, and subject to HIPAA-type protections, is still little more than a pipe dream.

David Harlow