Microsoft and Kaiser Permanente announced plans for a pilot program that would exchange health information between the insurer’s My Health Manager service and the HealthVault personal health records service.
The partnership comes amid a push to give people greater control of and access to their medical records. The move by technology companies including Google and Microsoft to bring personal health records (PHRs) online takes advantage of the shift from paper-based medical records to electronic health records (EHRs) by hospitals, doctors’ offices and insurers backed by the federal government.
“This deal is fairly significant although not at all surprising. Kaiser is only the first of many insurers to come,” said Carlton Doty, an analyst at Forrester Research.
Kaiser’s My Health Manager serves as a one-stop source for more than 2 million users, providing access to clinical data and health management tools. Subscribers can e-mail their physician, schedule appointments and request prescription refills. Patients can also see test results that may include feedback from their doctor.
Those taking part in the pilot program will be able to transfer medical data including allergy and immunization information and prescriptions. They will also benefit from health and wellness management applications and devices such as blood pressure monitors as well as diet and exercise tracking. Participants will be able to determine what information is transferred from My Health Manager to HealthVault by setting up permissions.
The pilot program will be open to any of Kaiser’s 156,000 employees who volunteer. If successful, the health insurer will expand the program to include its 8.7 million members.
“Kaiser’s own experience with its My Health Manager service made it an obvious and attractive early partnership target for Microsoft. I am certain that other big insurers are already in the pipeline for both Microsoft and Google,” Doty told CRM Buyer.
“Insurers like Aetna have already been heading down this road — without the help of Microsoft or Google — by using their own ‘Care Engine’ solution to share members’ clinical data with their respective providers,” he continued.
Coming in the wake of the launch of Google Health in May and given Kaiser’s size, this is a fairly important announcement, Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, told CRM Buyer.
“But Google Health is competing as well, and I assume this is a response to GH’s recent announcement, so the message is that within the realm of electronic health records, the concept of the personal health record has a lot of traction,” he said.
Personal health record (PHR) services available through Google Health, Microsoft’s Health Vault, Revolution Health and WebMD are designed to give people on-demand access to their health records. It puts the patient firmly in control of records that previously were controlled largely by healthcare providers, hospitals and insurers. Online, the records become extremely portable available to patients if, for instance, they transfer to a different physician or seek a second opinion for a particular diagnosis.
That portability, however, has its drawbacks, according to Pam Dixon, executive director of the World Privacy Forum.
Although it appears that the Kaiser Microsoft program may be covered, in general, PHR services operated by technology companies do not fall under the Health Insurance Portability and Accountability Act (HIPAA).
The federal legislation passed in 1996, that went into effect in April 2003, places restrictions on who can share information in a patient’s medical records, with whom and under what circumstances. The regulations govern the dissemination of information from healthcare professionals and their staff as well as insurance companies, billing services, clearinghouses and community health information systems. Since Microsoft, Google and the like do not fall under those classifications, they are not bound by HIPAA.
“Not all PHRs are private in the same way as other health information. For example, if you’re a Kaiser employee and you have a Kaiser health record, that’s covered under HIPAA. But if you take that same information and give it to Microsoft, it’s not covered under HIPAA, and usually people don’t understand that,” Dixon told CRM Buyer.
However, HIPAA is not the only law or set of rules regarding medical privacy and confidentiality, said the EFF’s Tien. Physicians — much like lawyers — have an ethical duty not to divulge a patient’s privileged medical information.
There are also special rules or considerations for especially sensitive medical record information such as that related to alcohol, controlled substances, reproductive rights and mental illness.
“[Protecting the privacy of patient records] is in itself an enormous task and probably the hardest takes in the entire area of EHR implantation,” Tien continued.
In most sectors of business and government in the U.S., there is far too little protection of our records privacy. Companies routinely share our records without our consent or based on fictitious consent, he explained.
“Hardly a week goes by without a headline about a privacy or security breach — whether personnel on the inside invading people’s privacy or carelessness with data on laptops. If you have a national health information network the problems just get bigger,” Tien pointed out.
The Limits of Privacy
Consumers need to be very careful because certain legal issues change when personal health and medical records are not covered by HIPAA. For instance, in the case of subpoenas, HIPAA provides a process through which the person or institution demanding the records must notify the individual to whom the records belong, Dixon explained.
“When its outside of HIPAA, that goes away. Even if a company tries to recreate it, it’s not the same. It’s not by law. When you release your records to a third-party outside of HIPAA most attorneys believe the [doctor-patient] privilege goes away. That’s a pretty big deal,” she added.
As they work through the maze of privacy issues, both Dixon and Tien said companies need to make their privacy policies clear to potential users.
“They need to tell the truth and be transparent about what they do, who they do or don’t share information with, how the information is handled, etc. There will be breaches; there will be mistakes, that’s inevitable. So, if they don’t want to have major legitimacy/PR/deception issues when things happen, they had better have been very honest all along, and diligent in their efforts,” Tien concluded.