Everyone is talking about Googles new PHR offering vs. Microsoft HealthVault. Mostly the talk is drivel. I was able to get a seat at the Press Interview with Google CEO Eric Schmidt at HIMSS and, I kid you not, two reporters asked "Is the data in Google Health covered by HIPAA?" within five minutes of each other. Frankly, not-covered-by-HIPAA is an industry standard for PHRs, and the fact that the question was asked at all is an indication that the press covering this largely have no idea what is going on. (I will talk more about HIPAA and PHRs in a future post.)
Rather than finding drama in all of the wrong places, I wanted to highlight a couple of differences that really are worth paying attention to. I have had the privilege of speaking with the programming leads for both projects extensively, and it is not yet time to give a close blow by blow of where these two system are in comparison to each other. (that will happen after Google Health goes live) I hope that what little technical meat I was able to dig up will be interesting to you.
Privacy Policies:
Google has not published its privacy policy. However, it has historically given great weight to privacy concerns. Most notably take the Google Toolbar privacy notice. It begins "Please read this carefully, it's not the usual Yada Yada". It does a fair job of warning a user about the considerably privacy issues surrounding a tool placed directly within a browser. In fact, the sites you browse on the internet is probably as great a privacy concern as any health information you have. If you have any serious health conditions you have probably already searched for them and visited sites with content relevant to that condition. If you use toolbars, the information about where you visited was potentially transmitted back to the author of that toolbar. Google is upfront about this, and gives you an opt-out. This is much better than your average toolbar.
Microsoft's Privacy Policy is awful. It has language that includes things like: "you give us permission to host your data off-shore", and "we can change this policy anytime we like". The current HealthVault privacy policy does nothing to protect a patients privacy from future policy changes within Microsoft. Based on the current language, the privacy policy might as well not exist. I discussed this with the HealthVault team and their response was "boiler-plate language".
Frankly, the fact that ANY boiler-plate language was included in a privacy policy is a good indication that the thinking at Microsoft Legal is totally backwards. It is currently thinking "What will the market let us get away with" rather than "Hey this is a new moral sphere, if we do the right thing here, maybe the Government(s) will not make our lives completely miserable by over-regulating this industry."
Privacy Policy Verdict:
Google wins. Without even releasing a Privacy Policy. On a scale of 1-10 Healthvaults scores a -2 which in English translates "hell-no". That makes Google's lack of score actually come out ahead.
API Design:
Google Health uses a CCR record wrapped in some of its standard web-service APIs. It would be better if they could have adopted CCD. But they said it was not ready when they started, which is a fair response. Still CCR is already a popular standard and a smart move for Google.
HealthVault has released its own XML specification. While they have promised to promise not to sue the pants of people like me who decide to use those specifications, creating a "new standard" in the healthcare space is regrettable step backwards.
API Design Verdict:
Google wins for respecting current standards.
Security Architecture:
Google is using their authsub system to allow users to provide token based access to other people (care-givers etc) for temporary and limited access.
HealthVault is using a "root" user notion that is transitive. That means that if I trust bob enough to make him a "root" user on my PHR record, then he can do anything with my record. Including passing the root privilege to Jenny, who can pass it to Sam, who can pass it to Ruth who can then do anything with my PHR account. See the problem? While the HealthVault system does allow for finer grain control, there is no concept of passing along "complete control" without also passing along the ability to create other "root" users.
(updated 03-04-08 Sean Nolan from Microsoft has posted a rebuttal to the previous sentence, while the rebuttal does not address my criticisms of a "transitive root" privilege system, it does argue that this design can be considered a feature rather than a flaw)
Security Architecture Verdict:
Obviously Google has time to screw this up before coming out of beta, but it looks like its access control system has been better thought out.
Time to Market Verdict:
Obviously, Microsoft wins here. HealthVault has been out for months. However, if they do not get their act together they will not have any remaining first-mover advantage. Google is obviously making very sharp moves, in fact, maybe their best move was not coming to market before they were ready.
Now that Microsoft has made some FOSS friendly sounds, I will take a closer look at their software. When Google Health is finally released, I will do a complete comparison.
-FT