Should You Trust Your Health Records to Google and Microsoft?

Imagine being able to check your medical history as easily as you can your e-mail. Or being able to provide records to a new doctor at a moment's notice. Google, Microsoft, and others are developing promising systems for storing digital health care records--for free.

But there's a catch (of course). Both the upcoming Google Health, currently in private testing, and Microsoft's public beta of HealthVault deal with our most personal information. The two projects will eventually enable doctors and hospitals to add records for hospitalization, doctor visits, and prescriptions (after you give your okay), and will permit you to upload data from devices that you might use at home, such as blood glucose monitors. They could be especially useful for allowing a new doctor to quickly confirm that, for instance, a prescription won't cause problems with other medications you're taking.

The drawback? The Health Insurance Portability and Accountability Act (HIPAA), a federal law that governs the confidentiality of health records, doesn't extend to non-health-care companies.

Microsoft and Google appear fully aware of the need to keep this data private. I have talked with both companies about their privacy policies, and it looks as though they will give users explicit control over access to and use of their data. In general, they are moving in the right direction, says Deven McGraw, director of the Center for Democracy and Technology's Health Privacy Project. And both companies support federal legislation to establish a privacy baseline.

But absent any HIPAA or other overarching regulation, McGraw notes, you simply have to trust that the companies will do the right thing. Google and Microsoft are, for the most part, being careful with regard to privacy here, but where my health care records are concerned, I want laws that specifically define what can and can't be done with the information. And I want the company responsible to be punished if someone screws up and releases my data.

Maybe the best approach isn't to extend the reach of HIPAA, but something enforceable should be on the books. Some federal legislation is in the works, according to McGraw, but there's a good chance that nothing will happen until next year at the earliest.

Another issue: Both Google and Microsoft let you access the records with a simple Gmail or Windows Live user name and password. That's great for convenience, but terrible for security and privacy. Internet criminals commonly try to guess or steal Web mail accounts. It's bad enough when a snoop rifles through your Web mail. Imagine one getting access to all your health records at the same time.

Faced with these potential gotchas, I'd wait for the systems and the laws to mature before jumping in. Also, if and when you do try such a health records system, create a user name and password separate from your mail account, just for the health sites.
