The HIPAA fetish may turn out to be a side show, but I am continuing my education by reading Daniel Solove’s book, Understanding Privacy. I’m only on p. 22 but I’m never going to field another broadly-worded survey question related to privacy again b/c of his insights. So if you liked his article, buy the book!

As for what appears to be a mounting fetish for HIPAA as security/privacy protection benchmark, I confess I’ve been almost as underwhelmed by the purported ‘protection’ HIPAA provides, over & above preceding legal protections for the those ever-elusive qualities, privacy & security* , as I am by the desultory enforcement of that statute. The only figures I can find indicate around 26,000 complaints, & 4 convictions over the statute’s existence. Let me be first to caution these figures may be out of date, and/or taken out of context.

Either the risks are exaggerated, or the damages have generally been less than anticipated, or the law requires substantive overhaul – or I need much better tutelage in the statute’s potency than I’ve gotten to date (from a group of people that includes at least one present at the law’s creation).

*(kudos to John for providing some links to thought-provoking if not particularly conclusive materials on those topics. I particularly enjoyed the Solove piece, and this passage in the conclusion: “…understanding privacy as a pluralistic conception reveals that we are often talking past each other when discussing privacy issues. By focusing more specifically on the related problems under the rubric of “privacy,” we can better address each problem rather than ignore or conflate them.”)

Its not quite right to say that Google is entirely unregulated. The Federal Trade Commission will enforce Google’s privacy policy, for example.

However, Google is not subject to a variety of other requirements and protections that apply to HIPAA “covered entities.” For example, Google need not comply with any standards for user authentication, which could be a real issue given the weak authentication process used by gmail.

I personally don’t know how much I’d count on the FTC to enforce anything, but even then, the point about Google’s extremely weak authentication seems quite valid.

NYT magazine: Exposed

Blogs are obviously completely different from medical records, but in reading this I realized that the author & I (being of different generations) are experiencing the world in very different ways.

Musings of a VC in NYC: Making My Personal Health Record Public
http://avc.blogs.com/a_vc/2008/05/making-my-perso.html

Google Public Policy Blog: Google Health, privacy, and HIPAA
http://googlepublicpolicy.blogspot.com/2008/05/google-health-privacy-and-hipaa.html

Are other people seeing interesting threads out there? Please share!

Since privacy is a major topic, I thought I’d share this law review article by Daniel Solove:

‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565

The article is focused on government surveillance and data mining, but I think it has implications for health care.

For example, I’m pretty taken with his taxonomy of privacy, which he developed as a way to “shift away from the rather vague label of privacy in order to prevent distinct harms and problems from being conflated or not recognized.”

Here it is:

Information Collection
- Surveillance
- Interrogation

Information Processing
- Aggregation
- Identification
- Insecurity
- Secondary Use
- Exclusion

Information Dissemination
- Breach of Confidentiality
- Disclosure
- Exposure
- Increased Accessibility
- Blackmail
- Appropriation
- Distortion

Invasion
- Intrusion
- Decisional Interference

It’s about the pros and cons of employees putting data out onto third-party Web 2.0 tools like SocialText, PBWiki etc. In a sidebar titled “Impact Assessment,” in the “Risk” column, it says:

“Whenever … information resides on third-party systems, the risk of loss increases – particularly if the information is being shared with business partners.”

If you consider your personal health data to be worth as much protection from vandals as a company’s business data, you might reflect on why InformationWeek would consider this newsworthy.

If you are ever at an event where he is listed as a speaker, run to a table up front so you can hear everything and be first in line to ask questions. He knows what he’s talking about.

I agree with John that nothing much has changed since Blogoscoped published screenshots last August. It sure looks like Bosworth’s departure took a lot of wind out of the project’s sails.

Center for Democracy & Technology
http://www.cdt.org/healthprivacy/

Health Privacy Project (now partnered with CDT)
http://www.healthprivacy.org/

Exposed Online: Why the new federal health privacy regulation doesn’t offer much protection to Internet users
(a 2001 report from the Pew Internet Project and the Health Privacy Project of the Institute for Health Care Policy and Research at Georgetown University)
http://www.pewinternet.org/PPF/r/49/report_display.asp

The real concern I have is the business model. Google does nothing just for the fun of it. Since they’ve already publicly said they won’t run advertisements on the service, you have to legitimately ask, “How do they make money from it?”

Partnering with hospitals won’t be enough (e.g., hospitals pay Google to get access to the system). The answer is simple — these third-party services that will pay to be featured by Google and allow a user to send all of their patient data to them with a simple press of the button. It’s the Facebook model of data exchange.

While that works great for Facebook apps that are largely for fun (“Be a vampire and bite a friend!”), it seems like a questionable model which to emulate serious health data exchange (especially given the broad permissions granted — write/read, or read-only — no discrimination about type of data sent to whom and under what conditions).

This is billed as a “beta” launch but it looks largely unchanged from what some of us saw from nearly a year ago. In other words, there’s not much going on in this space, and not much for consumers to get excited about.

Others are cheeky about the much-rumored likelihood of GOOG selling vendors the ability to somehow market SOMETHING to you (on an anonymized basis, I am SURE). (I mean it when I say “rumored” – I have no evidence about anything of the sort.)

Amusing wisecracks there: “I can see “Need Liver or Kidneys?” coming up in the recommended searches”, followed by “I’m concerned about what happens when they combine information about who has healthy kidneys with streetview. And then display google ads offering discounts on bathtubs and ice.”

Even without that, I had a lot to say in January. Nobody should dare have an opinion about this without understanding the CNet.com issue and caving in to the Chinese government.

It’s made much worse, I think, by Google being completely disingenuous about the privacy issues. Do they not take the subject seriously, or are they arrogant enough to think they can do anything and get away with it? Either way, I want nothing to do with it.

To me it’s an indictment of the whole company’s integrity – but maybe it’s just really bad judgment (or naivete) on the part of some middle managers.

IMO, it all boils down to whether you think you can trust Google to be responsible with your data, or whether Google can be pressured into doing whatever a government tells it to, or simply might just screw up, at which point there’s nothing you can do about it.

If you’re comfortable with that, give Google your data. If not, don’t.

What this means in reality is that a hospital won’t let themselves be held liable if you’ve transferred your health data to Google, and then had your Google password cracked or what-not. And of course Google won’t be held liable either.

This an important component buried in their 1,600 word TOS and Authorization you agree to when you sign-up for this service. Most people will miss and not understand the importance of the lack of HIPAA oversight of their health data once it’s in Google.