Group Finds Privacy Holes in Digital Health Records

A consumer watchdog group is warning that many leading electronic medical record systems don't do enough to secure sensitive patient information.

"We're alarmed about the growing use of personal health information without patients' knowledge or explicit permission," Ashley Katz, executive director of Patient Privacy Rights, told reporters on a conference call.

Katz's group today released a report card evaluating the privacy protections embedded in several leading electronic medical record systems, finding that while results varied widely, many products come up short.

The push to digitize medical records, both as a means to reduce costs and improve patient outcomes, has emerged as a policy priority of the Obama administration, which backed a stimulus bill that included $19 billion to fund electronic personal health records (PHRs).

That followed the enactment of the 2008 Medicare bill, which set a timetable offering bonus payments to doctors who adopted digital technologies to relay prescriptions to the pharmacy, and introducing penalties for doctors who continue to issue paper prescriptions.

But despite virtually unanimous agreement on the benefits of electronic medical records, concerns about protecting patients' privacy have cast a long shadow over the debate.

To compile its report card, Patient Privacy Rights evaluated five individual PHRs, as well as a sampling of PHRs offered by employers and insurers, awarding each a grade ranging from "A" to "F."

The group looked at a range of criteria, including the prominence and clarity of the privacy policy, the anonymity and security of the data, and the extent to which consumers could access and control the information stored in the record.

The group gave the lowest marks to the PHRs offered by employers and insurers, though it admitted that its methodology in that category was inexact, given that access is restricted to employees and others who are enrolled in the plan. Nevertheless, an examination of the fine print contained in the privacy policies raised concerns about the extent to which the PHRs claim control over patients' health information and assert the right to share that information with the employer or insurance company.

Among the commercially available plans Patient Privacy Rights examined, Google's Health product netted the poorest marks. Like Microsoft's HealthVault, Google Health was evaluated by twin criteria, with one grade awarded for the privacy of the platform, and another for the privacy of the companies' partners that can access the information.

Google's and Microsoft's privacy policies only extend to the limits of their platforms, so they don't control how their partners handle the information. As a result, both companies' offerings received an "F" for the dubious third-party programs that can access the information.

As to the on-site platforms, Patient Privacy Rights awarded Microsoft a "B," but slapped Google with a "D," giving it poor marks on the readability of its privacy policy and for failing to keep data anonymous and extend users the choice to restrict access to certain segments of information.

"Google gives multiple assurances that this data cannot personally identify an individual--that is simply false," the group said. "Data is anonymous or useful, never both."

Google did not immediately respond to a request for comment on the study.

It is worth noting that the Patient Privacy Rights study was heavily underwritten by the Rose Foundation, a group that awarded a $100,000 grant to another group, Consumer Watchdog, in what amounted to a concerted attack campaign against Google on a variety of issues, including the privacy of health information.

Patient Privacy Rights awarded the highest mark--its only "A"--to a PHR called NoMoreClipboard.

The offerings of WebMD and CapMed's icePHR both received "C" grades.

Katz made it clear that her group supports the push to digitize medical records, which could ultimately lead to a higher degree of privacy for consumers' most sensitive information.

"Technology is definitely a solution, not an impediment, to patient privacy," she said.

However, she cautioned that her group's study revealed the considerable variations in the products currently on the market, and advised consumers to do their research before committing to a PHR.

"The good news is there are companies that offer meaningful ways to control your private information," Katz said. "The bad news is other companies do not allow patients to truly control their PHRs. And that's a scary thing."

Kenneth Corbin is an associate editor at InternetNews.com.