Industry Players Outline Rules for Online Health Records

Google and Microsoft have teamed with Intuit, WebMD and a consortium of more than 100 healthcare providers, insurers and consumer and privacy groups to develop a framework of practices governing online personal health record (PHR) services.

Under the leadership of the Markle Foundation, the Connecting for Health guidelines are an effort by PHR service proponents to establish a common set of principles, information practices and expectations. The adoption and implementation of these standards, the group said, will address major concerns about privacy among consumers, which a Foundation survey indicates is one impediment to the adoption of PHRs by the public.

While about 80 percent of survey respondents said PHRs were “valuable,” a scant 2.7 percent of survey respondents said they actually had one.

“Consumer demand for electronic personal health records and online health services will take off when consumers trust that personal information will be protected,” said Zoe Baird, president of the Markle Foundation. “We have broken the typical logjam in healthcare and reached a consensus among health sectors and technology innovators, so Internet health information products can flourish.”

Setting Boundaries

PHR proponents hope that providing the public with access to networked health information services will help push through important changes in the healthcare sector. Connecting for Health provides the foundation needed to create and maintain a level of trust between health data sources, consumer access services, healthcare professionals and consumers in the PHR arena, according to the Markle Foundation.

After 18 months, the various parties have settled on a framework with a set of core principles that address openness and transparency; purpose specification; collection limitation and data minimization; use limitation; individual participation and control; data quality and integrity; security safeguards and controls; accountability and oversight; and remedies in the event of a security breach or privacy violation.

Chief among the set of core principles is openness and transparency. That, according to the Foundation, means consumers should be able to know what information has been collected about them, the purpose of its use, who can access and use it and where it resides. Under the guidelines, PHR subscribers should also be informed about how they may obtain access to information collected about them and how they may control who has access to it.

“Certainly endorsing the standards is a step in the right direction, but putting these standards into practice will be critical to gaining consumer confidence,” said Lynne Dunbrack, a program director at Health Industry Insights.

“Consumer education about the implications of the Connecting for Care standards will be necessary to assuage consumers’ legitimate concern about their health information stored online in PHRs,” she told CRM Buyer.

Privacy Advocate Reactions

“The framework looks like a good starting point, but experience teaches that the devil is in the details, and in this area there are a lot of details,” said Lee Tien, senior counsel at the Electronic Frontier Foundation.

For Tien, giving consumers the ability to choose who will get access to their health information is a significant step.

“It is very good that the framework seems to recognize the necessity to opt-in consent by the consumer, and in particular that opt-in consent is only the first step. Too often, companies treat consent as an obstacle to be overcome, and in the healthcare area, the laudable mission of best treatment seems to exacerbate that problem,” he told CRM Buyer.

“I also like the recognition of the need for easily amendable, revocable, granular consent mechanisms, as opposed to an all-or-nothing approach,” Tien continued.

However, the framework at this point amounts to little more than words, Tien pointed out. He wondered whether the promises will be carried out.

“The theory and philosophy behind PHRs is valuable — I should be able to control my health data. But you have to look at the whole system and what constitutes meaningful control. This is a classic problem in privacy — once you’ve shared data with someone else, how do you control what they do?” he asked.

“In the medical area, the problem is multiplied because the very data you want to control is usually the product of a transaction with someone else, so it’s already pre-compromised — your doctor and his or her staff know; your insurer and his or her staff know; pharmacist, other actors — that’s at a minimum. So for the system to work, everyone’s got to be playing the same game, otherwise the patient thinks ‘my PHRs are safe’ but the data is flowing anyway,” Tien explained.

Record Complications

Though the Markle Foundation’s Baird pointed to the issue of privacy as a primary inhibitor preventing people from flocking to PHRs, privacy is not the only impediment PHR-backers need to confront, according to Carlton Doty, a Forrester Research analyst.

“Any movement toward standards-based interoperability is a positive step. That said, I disagree with Zoe Baird, president of the Markle Foundation, who said that consumer demand for these services will take off once the issue of trust is addressed,” Doty pointed out.

Consumer trust is just one barrier that needs to be overcome. The fact that these organizations have partnered on this framework will not necessarily translate into consumer trust, he explained.

“Trust will come in time, as it did years ago before everyone started banking online, trading online, and storing credit card numbers at merchant sites,” Doty noted.

“But let’s assume for argument sake that this framework does succeed at building consumer trust. It’s still irrelevant to the potential adoption of online PHRs, because in my opinion, the biggest barrier is not consumer trust at all, but rather the lack of a perceived need — and thus the lack of perceived value — among consumers.

“In other words, for demand to truly take off as Ms. Baird says, consumers must believe that they need an online PHR or at least that there is intrinsic value in using one,” he concluded.

While the framework is an agenda for achieving reasonable safeguards while being permissive enough to ensure the consumer can achieve value, it must be implemented through a combination of voluntary and legal efforts, according to Wes Rishel, a vice president and distinguished analyst at Gartner.

“One of the biggest obstacles to achieving the combination is inconsistency between the private and legislative efforts and among the legislative initiatives of various politicians. The inconsistency is further compounded because a great deal of privacy protection arises at the state level, but PHRs’ technology is inherently national — or really transnational,” he told CRM Buyer.