Dr. Annie Antón of
ThePrivacyPlace.org, an organization devoted to online privacy, has posted an article that raises serious privacy questions about Microsoft’s HealthVault Personal Health Record (PHR) software: “…Unfortunately, what people don’t realize is that HealthVault and similar PHR systems are not subject to or governed by law. When the Health Insurance Portability and Accountability Act (HIPAA) was enacted, we did not envision that private software firms would eventually want to create databases for our health records. As a result, HealthVault and other PHR systems are not subject to the same privacy and security laws to which traditional medical records are subject in the United States because they are not ‘covered entities’ as specified in the HIPAA…Microsoft appears to have sought the counsel of physicians who believe that patient consent is the best indicator of privacy protections. Unfortunately, most physicians do not understand the subtleties buried within healthcare privacy statements within the context of the software that implements those statements. For this reason, I now list three primary questions that one should ask before entrusting their health records to HealthVault or any other PHR system:” Paraphrased, the questions are:
- Will my data be offshored and therefore subject to no US law?
- Will my data be merged with other, non-health-related information Microsoft collects about me?
- If I grant someone read/write authority, can that grantee in turn grant read/write authority over my data to others?
Surprisingly, judging from its privacy statement, the answer to each of the above appears to be yes. Not mentioned are further security concerns beyond the obvious one: the HealthVault software cannot be examined by most third parties for security and privacy flaws, since it is closed source. It would also appear that Microsoft did not look at previous efforts such as the LGPL-licensed IndivoHealth PHR and others.