Does Microsoft’s HealthVault really protect your privacy?

When Microsoft launched its much-ballyhooed HealthVault medical-records system for individuals (see my review here), it made such a fetish of security protections that it virtually rendered the service unusable. My own effort just to establish a HealthVault account took roughly two hours, much of that devoted to simply coming up with a password the system would accept; I documented the struggle here. One of the company’s PR reps even emailed me to note that Microsoft is taking “extra precautions at every layer of security” because “privacy and security is one of the areas that Microsoft is taking very seriously for HealthVault.”

As I wrote at the time, it’s hard to fault Microsoft for being paranoid about security, given how privacy concerns are going to be a major hurdle to widespread adoption of online health records. But is the Redmond giant really serious about protecting patient privacy?

Maybe not. Earlier this week, Annie Antón, a software professor at North Carolina State University, raised three important questions about Microsoft’s dedication to patient privacy based on a close reading of the HealthVault privacy statements (here and here). Antón’s post at the Privacy Place blog is worth reading in its entirety, but I can’t help summarizing it as well.

The big surprise (to me, at least) is that services like HealthVault aren’t covered by HIPAA, a mammoth federal law that, among other things, sets some strict standards for the privacy of medical data. Privately-managed record repositories like HealthVault apparently weren’t even envisioned when Congress passed HIPAA in 1996, and so they’re exempt from its provisions (which, to be fair, many people consider onerous).

All that makes it even more important to look at what Microsoft actually promises, and what Antón turned up is disquieting. For instance, Microsoft reserves the right to store your medical data offshore, in countries that may not have the same privacy protections as the U.S.

The software giant also plans to merge other personal information it holds about you with information stored in HealthVault. (That certainly puts the intrusive questions Microsoft’s Live.com service posed to me during registration in a new light.) Finally, HealthVault appears to open the door to a potentially unlimited line of people, entities or programs that can obtain permission to read and alter your health information, since it’s possible to delegate the ability to grant those permissions to others.

Antón also questions whether Microsoft’s decisions in these cases leave users with any legal recourse if their data does leak. It’s a great question, and one I’m in no position to answer at the moment, although I’d certainly want to take a hard look at extending HIPAA privacy provisions to these sorts of electronic records. This analysis certainly underscores the wisdom of approaching services like HealthVault very, very cautiously, because once your medical privacy has been breached, there’s virtually no way of getting it back.





About the Author, David P. Hamilton

David Hamilton has been writing for VentureBeat LifeScience since April 2007. He formerly spent 14 years as a reporter for the Wall Street Journal in its San Francisco and Tokyo bureaus. Prior to that, he spent several years as a reporter at Science Magazine and as a reporter/researcher for the New Republic, both in Washington.

  • It's my view that the only way for any organization to pull this off is to be totally transparent and open about it, to the extent that the data holders can obtain no special benefit from owning the data. As long as the custodian of the data has some exclusivity to the data, then the temptation/opportunity will always be there to make a fast buck from it.

    It seems that the only way large scale personal health records can work is to either store the data client-side (with all the problems that brings) or store the data server-side but openly and anonymously. That way everyone gets to see all the data and nobody has any special advantage.

    Commercially this is a less attractive proposition but, let's face it, that's why consumers should distrust the HealthVault type of offering anyway. The real commercial value is in the provision of a ubiquitously available health record - the vendor that provides the best on-line *service* will be the winner in this game, not the one that figures out how to sell users' data to drug companies for the most bucks.
  • Etienne is spot on. IMO data must be stored server side, but from the consumer's perspective that is a huge leap of faith.

    Openness is key. However, I do think that there are a lot of policy issues that need to be resolved at this point. HIPAA, etc must be updated and data ownership issues need to be resolved.

    There is a value and a business model here, but it will require a lot of education, pin-point execution and the collaboration of a number of parties, including the consumer.
  • David P. Hamilton
    I think these are very interesting points, although there's also clearly an alternative mechanism that involves client-side storage on something like a USB thumb drive. (This raises a bunch of other issues such as data integrity and accidental loss, of course, but it does sidestep the privacy fears that many people probably have.)

    That said, I'd also like to question whether there is in fact a business model here. Lots of people seem to assume that there is, but I'm not sure I see it. Selling ads next to your personal medical records seems likely to be a non-starter -- something I've already seen others speculate about. So if that doesn't work, where's the revenue for the Microsofts and Googles of the world? Partnership agreements will only bring in so much, so chances are good they'll eventually try to charge consumers for these services -- which, given that the end-user value isn't immediately apparent, seems likely to be a hard sell.

    I'm totally open to being convinced otherwise, but for now this whole "personal health record" notion amounts to lots of smoke and mirrors with very little substance behind it.
  • I would extend the question a little more. What is the goal of the personalized health record? Is it meant to put the user in complete control (that has its own set of risks)? Is it meant to be a personal guide, providing information, etc. to help the informed patient make decisions, while giving them access to data from tests, etc.?

    The latter is far more feasible. You are quite right, the business models are still uncertain. I do think that highly relevant advertising has a place in this space. What kind of returns could you get? I don't know. However, in the end, and perhaps this will help in giving these services value in the minds of the public, the freemium model might be the best one here.

    For now, I think the PHR is a bit of a toy, but I do believe that the idea has legs, BUT only in the appropriate environment. To flog a dead horse, ownership standards MUST be established first, as well as rules on advertising, etc.
  • You can tell from the name that Microsoft's strategy with HealthVault is to lock users in ;)

    They've teamed up with various medical device vendors (blood sugar monitors and the like), so if you have one of these devices you can *easily* record all your data in HealthVault. That locks you into using both the vendor's device and HealthVault - win/win. MS are also encouraging an ecosystem of applications that work with HealthVault APIs - a classic Microsoft play, and further lock in for the user.

    The hapless user will be stuck with their data in HealthVault and inertia will keep them there.

    Meanwhile at the back-end, aggregated and anonymized health data is worth big bucks to the drug companies. Look for some deals here when MS has enough data. That's where the real business model is.
  • Putting aside the privacy issues for a second (hard for me to do, but...) and taking a look at the business side and where this might be valuable for the consumer, Microsoft and its partners... is there value in a business model similar to Mint, the money management site?

    Mint's goal appears to be to allow the consumer to aggregate financial information and then provide advice, special savings or services opportunities, and simple financial analysis.

    Will this work for HealthVault?
  • David P. Hamilton
    Khurt, interesting question. The main problem I see is that any service that borders on medical advice typically requires a medical license, which is one reason you don't see a lot of Web sites trying to help you diagnose illness. (There seems to be a big difference between providing useful background information and offering anything remotely proactive, although I also wouldn't be surprised to see those lines blurring.)

    Perhaps there are other services a company like MS could get involved in, but I tend to think that Etienne is probably closer to something that would work when he suggests that MS will probably try to sell aggregated and anonymized health, drug/procedure and outcomes data to pharma and device companies. Which, of course, brings us back to the privacy debate :-).

    Etienne, for what it's worth, I'd also add that MS insists that data can be moved freely in and out of HealthVault. Whether that's true or not is something else entirely -- I've already chatted with one correspondent who can't seem to upload a file to HealthVault in CCR (continuity of care record) format. For more detail, see this MS comment reported in one of the Seattle P-I's blogs.
  • MS will deal with CCR just like they try to every other standard: Embrace, extend and extinguish.