Fred Trotter

Healthcare Data Journalist

HealthVault

HealthVault: No Commitments and a Sleeping Watchdog.

Has Microsoft committed to keeping the promises that it has already made? No, just the opposite. Their privacy policy concludes:“We may occasionally update this privacy statement”

Which means that when the commitments that Microsoft has made regarding HealthVault become inconvenient, they will simply change them.

Will the data that you enter into HealthVault be secure? Would my HealthVault data be studied by my insurance company? Would access be limited to those who I choose to have access? Thank goodness Microsoft’s answer to this question was not simply “Trust Me”! Instead it is “Trust my auditor”. This is, apparently enough to satisfy the Patient Privacy Rights Foundation, and the Coalition for Patient Privacy. From a recent Patient Privacy Rights press release Dr Deborah Peel is quoted:

“Corporate claims to offer privacy mean nothing unless they are willing to take the same steps Microsoft has taken in building HealthVault,” says Peel. Microsoft has committed to independent third party audits to verify their pledge to protect privacy. “Audits are essential,” says Peel. “Technology companies have got to do better than telling consumers to just ‘trust us.’ Consumers shouldn’t trust anyone but themselves to decide who can see and use their sensitive health information.”

Microsoft’s HealthVault Privacy Policy does not have the word “audit” in it anywhere. Apparently Dr. Peel assumes that Microsoft telling her that they will get audits is sufficient to ensure that they will. Interestingly the only place that the Microsoft HealthVault press release mentions audits are when they are quoting Peel.

Apparently, this means “trust the auditors”. Of course we all know how well audits serve to protect the public from unethical corporate behavior. The alternative, which is obviously not being discussed, is the ability to inspect the code for yourself. A top GPL licensed PHR is IndivoHealth. Lets do a quick comparison.

Question: PHR Covered by HIPAA?

IndivoHealth: When it is used by a covered entity, yes.

HealthVault: No. Microsoft is not a covered entity.

Question: How is this verifiable? How can you trust that the user really has control? How can you trust that there is no proprietary back door built in to the software?

IndivoHealth: Read the IndivoHealth source code yourself. Hire an auditor of your choice to review the sourcecode. Verify that the auditor you hired is telling you the truth by hiring another auditor, again of your choice. Verify that both auditors you chose and hired are not full of… smoke… by reading the source code yourself.

HealthVault: Trust Microsoft. Trust the auditor that Microsoft pays millions of dollars a year to whistle blow on Microsoft.

I think you get the idea. Nonetheless, Deborah Peel is pretty impressed with HealthVault, from a HealthcareITNews article:

“Their model is that consumers truly should control the information and that’s the direction they want to take as a company,” said Peel. “We really think that because they are the industry leader that the rest of industry will have to follow or be left behind.”

Further:

“Microsoft has agreed to adhere to all of the privacy principles that the coalition developed in 2007, ” Peel said. “Not only adhere to them in terms of contracts but to be audited on these principles. We think they’re setting a new amazingly high bar and frankly, we think what they’re doing is really the best practice that the entire industry needs to follow.”

Well, this is good! Microsoft has agreed to follow the privacy principles! Principles are good. What are the principles? We find the principles at Patient Privacy Rights website lets go through them one at a time..

  • Recognize that patients have the right to medical privacy* (later defined as: Health information privacy is an individual’s right to control the acquisition, uses, or disclosures of his or her identifiable health data.

Microsoft’s privacy policy: ” Microsoft is committed to protecting your privacy.” I guess that settles that.

  • Recognize that user interfaces must be accessible so that health consumers with disabilities can individually manage their health records to ensure their medical privacy

Actually, Microsoft deserves credit for generally working hard in this area. Give credit where it is do. However, no commitment is made in the privacy document regarding accessibility.

  • The right to medical privacy applies to all health information regardless of the source, the form it is in, or who handles it

Microsoft’s privacy policy: “This privacy statement applies to the data collected by Microsoft through the Microsoft HealthVault beta version (the “Service”); it does not apply to data collected through other online or offline Microsoft sites, products, or services.” So much for “no matter what the source”. Microsoft’ HealthVault privacy policy contradicts this Privacy Principle

  • Give patients the right to opt-in and opt-out of electronic system

Microsoft’s policy indicates that users can quit the system and Microsoft will then delete the data after 90 days. So much for seven generations of custodianship but I guess deleting meets the “opt-out” requirement.

  • Give patients the right to segment sensitive information

No commitment of segmenting information in the privacy statement.

  • Give patients control over who can access their electronic health records

HealthVault says that users can appoint “custodians” your record. Those custodians can then pass this custodian privilege on to others. Ultimately a HealthVault record can easily get out of control of the original owner. That is not to say that this is not a cool feature, but it does not work with the principles. From the HealthVault privacy policy “Because inappropriate granting of access could allow a grantee to violate your privacy or even revoke your access to your own records, we urge you to consider all the consequences carefully before you grant access to your records.” Microsoft’ HealthVault privacy policy contradicts this Privacy Principle

  • Health information disclosed for one purpose may not be used for another purpose before informed consent has been obtained

You can give your health information to “Programs” offered by third party companies. But how will that data be used? From the HealthVault privacy policy: “Please refer to the privacy statements of those Programs for information about their privacy policies, and about how your information will be used by those Programs.” Microsoft’ HealthVault privacy policy contradicts this Privacy Principle

  • Require audit trails of every disclosure of patient information

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

  • Require that patients be notified promptly of suspected or actual privacy breaches

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

  • Ensure that consumers can not be compelled to share health information to obtain employment, insurance, credit, or admission to schools, unless required by statute

Whose statutes? If my record is in China, does that government have the right to get to it? Microsoft explicitly states ” Personal information collected on the Service may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or agents maintain facilities, and by using the Service, you consent to any such transfer of information outside of the U.S. “ Given that a US record stored in an offshore site can be compelled by a foreign government. Microsoft’ HealthVault privacy policy contradicts this Privacy Principle

  • Deny employers access to employees’ medical records before informed consent has been obtained

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

  • Preserve stronger privacy protections in state laws

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

  • No secret health databases. Consumers need a clean slate. Require all existing holders of health information to disclose if they hold a patient’s health information

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

  • Provide meaningful penalties and enforcement mechanisms for privacy violations detected by patients, advocates, and government regulators

Perhaps Microsoft will do this… Microsoft makes no commitment in the privacy policy.

In short, Microsoft’s commitment to follow the policy is a commitment that they have NOT made in their policy. Microsoft is basically saying “Trust us, this is secure and private”. Everything about Microsoft’s history indicates that commitments to privacy and security are bogus. What exactly made the Dr. Peel conclude they are the market leader in Health Record security and privacy? What made her conclude that Microsoft has “committed” to third party audits?

Perhaps Dr. Peel is discussing a subject as though she were an expert, when in fact she has had little relevant training on the subject.

3 thoughts on “HealthVault: No Commitments and a Sleeping Watchdog.

  1. Fred

    If they don’t make a commitment eventually they’ll be shooting themselves in the foot. I still believe someone (Google, Microsoft, others) need to sit down down the community and regulatory bodies and thrash out the boundaries of PHR privacy rights, HIPAA and the likes.

Comments are closed.