Personal health record (PHR) services are gaining traction among patients who want to maintain ownership of their own health information. Such records are helpful when changing doctors or undergoing medical treatment far from a personal physician or hometown hospital.
But what happens when PHR services are unavailable? What steps do PHR providers take to assure it doesn’t happen, and what would be a patient’s recourse if it were to occur? The concern is well-grounded, given the chronic cloud computing outages that service providers have experienced in recent years.
As of this writing, the major PHR providers are Google Health, Microsoft HealthVault and Dossia. There are a number of smaller providers as well, including WebMD Health Manager, PassportMD, Revolution Health, myPHR.com and MyMedicalRecords Inc.
Rather than relying on commercial products, some health care providers, including Kaiser Permanente and Beth Israel Deaconess Medical Center in Boston, offer their own PHR services. Beth Israel CIO John Halamka rated his, which is hosted on clustered servers in two data centers, forming a private cloud, as “four nines reliable.” For what it’s worth, Halamka rated both Google’s and Microsoft’s cloud-based PHR services at “five nines reliable.”
PHR services, big and small, do not claim responsibility
Despite this level of reliability, most PHR providers are careful to disclaim any responsibility over consequences of downtime and generally avoid providing a service-level agreement (SLA). PHR services also take pains to advise users not to ask their doctors to rely on the records. Still, providers say they engineer their services to deliver high levels of availability.
“The goal is to make sure you’ve got records that are accessible no matter where you are. We work very hard to ensure that data is available to users when they need it,” said George Scriban, product manager of Microsoft HealthVault. “But you need to make sure this is not the data your doctor is relying on. Any place you’re being cared for, they would have their own records of you.”
While Scriban said Microsoft does not make a promise of uptime, he added, “It’s in our best interest to make sure data is available when people want it,” comparing the desired level of availability of PHR services to that which customers receive from online banking services. He said Microsoft stores HealthVault records in data centers that meet the ISO 27001 standard -- the same data centers that are used for other Microsoft online services. Even so, Scriban added, “We don’t claim to be an emergency service.”
Kaiser Permanente MyHealth Manager, meanwhile, offered this disclaimer: “Although we attempt to maintain the integrity and accuracy of the information on the [website], we make no guarantees as to its correctness, completeness or accuracy.”
Google adopts a similar posture with its Google Health service. Despite encouraging users to take advantage of Google Health -- stating that “saving medical information in one secure location helps you and your doctors have accurate and up-to-date information about your health when you need it the most” -- Google takes considerable pains to disclaim responsibility.
As the company states specifically in its Google Health Terms of Service: “This content should not be used during a medical emergency or for the diagnosis or treatment of any medical condition.” Google also plainly states that “use of these services and reliance on this content is solely at your own risk.” Finally, the company disclaims any warranty and extensively disclaims liability in any case not to exceed $1,000.
Responding to a query about Google’s high-availability practices, a Google spokesman declined to give the number of copies of a Google Health record that are stored.
For its part, HealthVault maintains at least two copies of each record, Scriban said, although he declined to offer more specifics. That is consistent with standard procedure for most data centers, which is to maintain at least two copies of a given piece of data, often with one of the copies at a secondary location.
HITECH Act extends HIPAA security rules to PHR providers
Providers of PHR services may not guarantee the accuracy or availability of their records, but new security regulations will mandate guarantees of information security.
Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, hospitals are typically covered entities, meaning they have to observe HIPAA guidelines with regard to preserving data and protecting patient confidentiality. PHR providers, on the other hand, assert that they are not covered entities because they do not provide health care services. The Department of Health and Human Services (HHS) has come to the same conclusion. (Health care providers who offer PHR services, such as Kaiser and Beth Israel, are covered entities under HIPAA.)
However, the HITECH Act, part of the American Recovery and Reinvestment Act of 2009, updates HIPAA security provision and does include PHR service providers in its data breach provisions. The HITECH Act mandates that individuals must be notified by the responsible party if the confidentiality of their personal data is breached. Should 500 persons be affected, HHS and news media must be notified. A data breach of encrypted data does not have to be reported.
Google said in a statement that a combination of “software, hardware and strict policies” help the company keep user health information safe and private. “The health information users store with us is protected by state-of-the-art technologies, including Secure Socket[s] Layer (SSL) encryption, firewalls, alarms and other technology we build ourselves or buy from other experts in the security industry,” according to Google. “We have extensive backup systems in place to protect the integrity of this information. Google's servers are protected by strong physical security at our facilities, including pass codes, locks and security personnel.”
Limited track record hindering PHR use
While PHR services are garnering a great deal of interest, they are not yet frequently encountered in emergency rooms, according to CIOs. More common is the patient whose medical history arrives at the hospital on a CD, according to Robert McShinsky, senior systems administrator at Dartmouth-Hitchcock Medical Center in Lebanon, N.H.
The goal is to make sure you’ve got records that are accessible no matter where you are. … But you need to make sure this is not the data your doctor is relying on.
George Scriban, product manager, Microsoft HealthVault
“Sometimes we have problems reading [CDs], but they are looked at right away,” he said. “We’re not always connected online. Google Health and Microsoft [HealthVault] have not been involved.”
Rather than rely on health records that are under the control of patients, many hospitals have been implementing electronic health record (EHR) systems that can be accessed by other hospitals through a health information exchange (HIE). When a patient appears at a hospital within the exchange, the patient’s records are accessible; the same result is the goal of PHR use, but information availability is limited to a particular geographic region.
“I can’t state one example where someone has come in to an emergency room with Google Health or something. I would have heard about it if someone had done it,” said Chris Smith, operations director and CIO at Southcentral Foundation, a health care organization in Anchorage, Alaska. However, patient records are stored in Southcentral’s Cerner EHR system, which is being linked to an HIE. “We’ll see more of that. It will become more prevalent when you can come in and verify your identity and Cerner can pull it in from an HIE,” Smith said.
PHR services for emergency scenarios
Those wishing for a higher level of protection should sign up for PHR services specifically geared to deal with medical emergencies. Microsoft has recruited partners to provide emergency services, including Vital Data Technology and Metavante as well as Medic Alert, which draw on data stored in HealthVault records.
Meanwhile, MyMedicalRecords Inc. specifically embraces the usefulness of PHR services in emergencies. The for-pay service includes an emergency password to be utilized by medical personnel to access information that would be particularly relevant in an emergency in which a patient can’t communicate. A sticker on a patient’s driver’s license contains the user ID and password.
For now, people with known medical issues such as diabetes are the most likely to subscribe to an emergency medical record service. Meanwhile, PHR providers are taking measures to ensure a high level of uptime while eschewing an SLA. Ultimately, patients with specific conditions that a doctor would need to know about in an emergency should consider printing out their health record and taking it with them before going on the road.
Over time, however, accepted usage of PHR services could change. Automated Teller Machine (ATM) technology, now well over 30 years old, started out as a convenience with no guarantees for availability. Yet the ATM system has become an international backbone to provide cash on demand around the clock. PHR services could be headed in the same direction. Over time, as people increasingly use PHR services, patients and doctors could come to rely on them to an ever-greater degree -- even in emergencies.
Stan Gibson is a contributing writer based in Boston. Let us know what you think about the story; email firstname.lastname@example.org.