With Google Health Gone, What’s Next for Personal Health Records?

July/August 2011 · Articles · Garden State Focus

Google Health has announced that it is ending its three-year venture into online storage of personal electronic health records (EHR) by consumers. Google Health had promoted this project as a significant application of its “cloud computing” platform. A visit to the Google Health Web site 1 reveals the following statement:

An Important Update about Google Health
Google Health will be discontinued as a service.
The product will continue service through January 1, 2012.
After this date, you will no longer be able to view, enter or edit data stored in Google Health. You will be able to download the data you stored in Google Health, in a number of useful formats, through January 1, 2013.

As a result, those subscribers who have availed themselves of the Google Health site (Subscribers) will soon need to take affirmative action if they wish to preserve the database that they have placed on Google Health. Interestingly, a link 2 provided on the Google Health Web site advises Subscribers on how to transfer their EHR to Microsoft HealthVault if they wish to preserve their EHR “in the clouds”:

Using Google Health’s data download feature, you can easily export data from your Google Health profile and import it into other third-party personal health services. This page illustrates the process for transferring data to Microsoft HealthVault. . . .

On June 24, 2011, Steve Lohr provided an analysis in The New York Times 3 of the Google Health shutdown and quoted a blog posting by Aaron Brown 4, senior product manager for Google Health, to which the Google Health Web site also directs readers. Mr. Brown stated that the goal of Google was to “translate our successful consumer-centered approach from other domains to health care and have a real impact on the day-to-day health experiences of millions of our users.” However, Mr. Brown admitted in his blog post, “Google Health is not having the broad impact we had hoped it would.”

Mr. Lohr pointed out, “Google is by no means the only company to abandon the field of consumer health records. Revolution Health, for example, retired its personal health record service last year, citing few users.” He quoted others who attributed the lack of users to a variety of causes, including the fact that storing personal EHR in the clouds is a new concept to most people, and that early users have found such records difficult to use, requiring heavy and continuous demands on their time to keep their online health records current, accurate and complete.

Mr. Lohr reported that Adam Bosworth, a former manager of Google Health who left in 2007 before the service was introduced, had said the service could not overcome the obstacle of requiring people to laboriously put in their own data. The consumer technologies that catch on, according to Mr. Bosworth, inform or entertain users, or enable social communication.

A significant reason for the lack of attraction to Google Health that was not mentioned in the Lohr article may be the reasonable uneasiness that consumers have about the privacy and security of their EHR. In April 2010, a posting 5 on our blog series 6 addressed EHR privacy and security problems experienced by Google Health at that time. Specifically, according to a New York Times article by John Markoff 7, Google Health suffered a breach of the password system that controlled access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.

Thus the conclusion of our April 2010 posting may have been another reason for the termination of the Google Health experiment in online personal health records:

If the reported security breach at Google is as broad and comprehensive as reported, a subscriber to Google Health is not as in control of his or her PHI as the Google [Health Privacy] Policy may lead one to believe. . . . The potential damage to subscribers is catastrophic and perhaps should be the subject of investigation for potential regulation.

Significantly, in referring its subscribers to Microsoft HealthVault as an alternative for EHR storage as described earlier, Google Health included the following caution: “Be aware that HealthVault may offer different privacy protections than the Google Health website, so make sure you’re comfortable with those protections before proceeding.” After having suffered an EHR security breach itself in 2010, the last thing that Google Health wants to incur is potential vicarious liability for some EHR security breach involving HealthVault that affects former Google Health subscribers who could assert that Google Health was responsible for suggesting that they join HealthVault.

The Lohr article points out that, according to analysts, what success consumer EHR offerings have had has often come in partnership with insurers and health providers. As physicians and other covered entities continue to evaluate EHR systems, they, like consumers, are struggling with the recurring question of security from intrusion or other breach. By contrast, however, a recent blog post 8 by Michael Koploy suggests that the safest place for health data to reside may actually be “cloud-based” systems. In the post, he reviewed and broke down by causation the Department of Health and Human Services (HHS) “Wall of Shame,” 9 which lists breaches involving 500 or more individuals that are required to be reported to HHS by covered entities. Mr. Koploy noted that “physical theft and loss accounted for about 63% of the reported breaches. Unauthorized access / disclosure accounted for another 16%, while hacking was only 6%.” Only seven reported violations involved EHR systems, and none of them were off-site, cloud-based databases. The most common breaches involved loss or theft of portable devices or paper records.

As observed by my partner William H. Maruca, Esq. in a posting 10 on our blog series, for which he serves as Editor, it is possible that the emerging cloud-based EHR storage alternative represents too small a percentage of total health records to account for significant breaches to date. However, based on the incidents reported to HHS, there appear to be far less secure places to store data. Notably, however, the 2010 Google Health EHR password security breach was not posted on the HHS Wall of Shame, presumably because Google Health did not fall within the definition of a “covered entity.” It can be anticipated that consumers, providers and insurers will give much more scrutiny to the privacy and security aspects of storing EHR in the clouds.

________________________________________________________________

1 http://www.google.com/intl/en_us/health/about/index.html
2 http://www.google.com/support/health/bin/answer.py?hl=en&answer=1347995
3 Steve Lohr, “Google to End Health Records Service After It Fails to Attract Users,” The New York Times, http://www.nytimes.com/2011/06/25/technology/25health.html?_r=1&nl=todaysheadlines&emc=tha26
4 Aaron Brown, “An Update on Google Health and Google Power Meter,” http://googleblog.blogspot.com/2011/06/update-on-google-health-and-google.html
5 Michael Kline, “Does the Reported Massive Theft of Password Information at Google Undermine Confidence in the Privacy and Security of Google Health,” http://hipaahealthlaw.foxrothschild.com/2010/04/articles/google-health-1/does-the-reported-massive-theft-of-password-information-at-google-undermine-confidence-in-the-privacy-and-security-of-google-health/
6 http://hipaahealthlaw.foxrothschild.com/
7 John Markoff, “Cyberattack on Google Said to Hit Password System,” The New York Times, http://www.nytimes.com/2010/04/20/technology/20google.html?th=&emc=th&pagewanted=print
8 Michael Koploy, “HHS Data Tells the True Story of HIPAA Violations in the Cloud,” www.softwareadvice.com/medical/electronic-medical-record-software-comparison/
9 http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
10 William H. Maruca, “Where is Your Data Safer – Your Own Server or the Cloud?” http://hipaahealthlaw.foxrothschild.com/2011/06/articles/privacy/where-is-your-data-safer-your-own-server-or-the-cloud/