Google PHR roll-out: how personal will a personal health record be?

Last week, Google and the Cleveland Clinic announced a pilot of the Google personal health record (under 10,000 patients), touted by Cleveland Clinic as a means to help its snowbird patients keep track of their medical records scattered across multiple locations (among other things).  See the party line from the Googleplex, and other interesting posts on the subject at the NY Times Bits blog, and the blogs of Michael Zimmer, Fred Stutzman and John Paczkowski.  Thanks to John at the Digital Daily for linking to the World Privacy Forum’s consumer advisory on PHRs (which links, in turn, to a more detailed analysis of PHRs and their privacy).

So, is this a good thing, or do the potential privacy breaches — including targeted ads — overshadow what Google is trying to accomplish in the world of the PHR? 

In a word: Dunno.  Google is short on details, so it’s hard to say.

The commentariat has raised all the predictable questions: If you sign into all Google services with a single username and password, won’t all your web surfing, gmail and now PHR data be cross-linked and monetized?  (Yes, it probably will.)  If you enter your data into the Google PHR won’t it be beyond the protection of HIPAA?  (Well, it depends, but it probably will — it’s being entered by an individual, not a health care provider, payor or clearinghouse.)  How private will all this PHR data be?  (Private, but, uh, well, it depends.)

So let’s assume the worst: Google will sell ads to the highest bidders for keywords in your PHR (kinda OK so long as there’s adequate disclosure up front), will sell aggregated de-identified data for population-based health studies (ditto, but this seems more like a good thing, and is really at the heart of the value of EHRs and PHRs generally — though the utility depends on how much data really finds its way into the PHR, and how it’s organized) and worst of all, will mistakenly convert your PHR into an RSS feed that ends up on every computer in America (eek! . . . but is that worse than dropping a paper record behind a file cabinet and never finding it again?).

Every innovation comes with a set of benefits and burdens.  Nobody’s twisting arms at the Cleveland Clinic to get patients to agree to enter their data into Google PHRs.  Some snowbirds — and others — will use the tool; most shut-ins — and privacy nuts — won’t.  There is some value to this new tool, and there are drawbacks to its use as well.  (See HealthBlawg discussion of Microsoft’s HealthVault — same sorts of issues — here and here.)

Update 2/25/08:  Google hasn’t signed a business associate agreement (BAA) with the Cleveland Clinic, nor has Microsoft signed a BAA with the Mayo Clinic, which is eyeing a HealthVault roll-out.  One analyst says Google would run "screaming from the room" if signing a BAA were suggested, since it’s in this biz for the marketing opportunities.  Tip of the hat to Joseph Conn, at Modern Healthcare’s Health IT Strategist  (free registration required).

We need comprehensive protections in place in order to ensure that the PHR data doesn’t fall outside of HIPAA and other privacy protection schemes, but it seems to me that the likelihood of that happening in a timely fashion through legislation or in a permanent manner through contractual provisions that won’t get changed continues to be slim to none.  Meanwhile, each of us needs to engage in a little cost-benefit analysis before buying into one of these PHR systems.

Update 2/28/08:  Google Health introduced at HIMSS.  See Information Week article.

— David Harlow