Consumer Watch: Trusting Your Health History to the Web

Illustration: Richard Tuschman

It can be disconcerting, even a little scary, but it's not that unusual. You're at the hospital, and the doctor, unable to find your medical records or perhaps unable to read the chicken scratches made by the medical professional who had them last, starts asking you what drugs you're taking or what tests you've undergone. It makes you wonder two things: What was the name of that medicine they gave me? And is this really the best way to share information?

Dr. Michael Oppenheim says it isn't. Oppenheim, chief medical information officer at North Shore Long Island Jewish Health System, based in Great Neck, New York, is working hard to digitize all the records at the 17 hospitals in the system. Using electronic health records, he says, "means doctors won't be running to eight different places to get information, and that's a huge safety benefit for patients."

Currently, though, only about 13 percent of U.S. hospitals use electronic medical records, primarily because it costs so much to implement them. That will likely change, eventually: The Bush administration has announced a ten-year plan to bring the nation's paper-based health records system into the digital age.

You don't have to wait, though. Dozens of companies are eager to store and manage your health records for you electronically right now. And for plenty of folks--especially those with complicated medical histories, conditions that require special treatments, or other health concerns--it's an arrangement worth considering.

The Privacy Question

Understandably, the idea of letting an outside company manage such sensitive information as medical records makes some people uncomfortable. It's reasonable to wonder whether access to digitized medical data will enable your insurance company or employer to discriminate against you based on your health. And once the information goes digital, you have to worry about hackers getting their virtual hands on it.

Different services use different approaches to storing medical data, but most put you in charge of entering and managing your own records. That means you need to work closely with your doctor to ensure that the information you have is accurate. Some services let you print complete reports to take with you when you need them. Others create cards bearing the URL and log-in information for your online account; you keep the card in your wallet or purse so you (or your doctor) can call up the information online. Still others store data in a hardware device you can keep on a keychain. These medical keys--specialized versions of the flash memory drives that have replaced floppies for casual file storage--are designed to plug into any USB port, and they generate your medical record without requiring additional software or tools.

One such device, the $75 HealthKey, comes from a company called CapMed. You can choose to password-protect the information on the HealthKey or to make it more readily accessible in case of an emergency.

"Our customers like the fact that the system is desktop-based," says CapMed marketing associate Kelly Lim. "Many consumers aren't ready to store medical information online, and feel more comfortable storing it on their own PC."

Another company, Medinfochip, sells a similar USB device. A chip that stores a single profile costs $70; you can store two separate histories for $100.

A service called WebMD Health Manager ($30 per year) is comprehensive and well organized; it's affiliated with consumer health site WebMD.com. Health Manager stores your records online and provides a wealth of medical resources such as symptom trackers and assessment tools.

Followme.com offers both online and paper-based ways to manage medical records. Online subscribers set up a password-protected Internet account in which they can store everything from immunization records to family medical histories to summaries of office visits. The service costs $35 per year for individuals, and $75 for families.

MyNetRecord is an Australia-based company that stores records online for $15 a year.

Is It Safe?

As always, security is paramount when it comes to entrusting your most sensitive personal information to an outside company. After all, it's one thing to make potentially life-saving information more accessible to doctors, but quite another to leave yourself vulnerable to privacy infringement and possible employer or insurer discrimination.

These concerns are well founded. Every day brings new stories of medical information security breaches: In September, the Privacy Rights Clearinghouse, a consumer information and advocacy organization, filed suit in California against the Albertsons supermarket chain, charging that it had illegally sold customers' confidential prescription information to drug companies. And earlier this year, a hacker infiltrated a database at the Drexel University College of Medicine and gained access to the medical records of some 5500 neurosurgical patients before the university shut down the server.

So how can you be sure that a health records company will make your medical information easily available to the people who legitimately need it while keeping it strictly off limits to those who don't?

"Unfortunately, there's no easy answer," says Emily Stewart, a policy analyst at the Health Privacy Project, a consumer advocacy group based in Washington, D.C. "But a good place to start is to be active in maintaining your own medical records, and to inform yourself on how companies share information and who they share it with."

Most health record companies let users decide exactly what information they want to include when they set up their records, so if you're very concerned about privacy, consider sticking to the essentials. For example, you might want to limit the data to a list of current illnesses, allergies, and medications, along with emergency contact information. If you're unsure what details are most critical in an emergency, consult your doctor.

When comparing health record companies, consider how they store personal information. For example, you might be more comfortable using a company that allows you to keep data on your own PC rather than storing it on the company's servers--or you might prefer the accessibility of a Web-based service.

Here are some questions to ask any medical records company before you trust it with your personal information:

  • Does the company's site have a clear, accessible listing of its privacy policy, terms and conditions of service, and company contacts (including e-mail, physical address, and phone number)? Steer clear if any of this information is missing or difficult to understand.
  • Does the company share or disclose any of its customers' information? If so, what information could be disclosed, to whom, and for what purpose? Can any of the information be traced to you personally? The posted privacy policy should clearly explain how the company uses its customer information. Many companies share "aggregate" information that can't be linked to individuals; stay away from sites that don't specify what information they share or how they share it.
  • How does the company protect its customers' information against hackers and others not authorized to access it? Make sure that the site uses SSL encryption during transactions (look for the closed lock symbol or for an "s" following "http" in the URL). The site should have a security statement that explains how it safeguards confidential customer data.
  • How easy is it to change information in your account? Obviously, you should be able to control your own records.
  • Can you opt out of receiving newsletters and other promotional materials? Before you register, determine whether the site sends third-party solicitations or other unrelated communications.
  • If you decide to cancel your service, what happens to your information? You don't want your personal health history hanging around on some old server long after you've moved elsewhere.

Like shopping and banking online, entrusting your health records to a Web site or data keychain unit requires a leap of faith. But if you have a complicated health history, that leap could save your life.
