Yesterday, the New York Times reported that Microsoft Corp. launched "HealthVault," a website designed to allow patients to store and manage their medical and health information, and which is described by Microsoft as "part filing cabinet, part library, and part fax machine for an individual’s or a family’s medical records and notes." 


Microsoft’s HealthVault attempts to implement a "centralized model" of storing health information where patients arrange to have information downloaded to a centralized web-based data repository.  This model differs from the "decentralized model" where information remains in its original locations (e.g., the hospital, physician’s office, laboratory), but is linked through a network of connections among participating providers who have agreed to "share" information when needed to treat a patient.   Which model will prevail remains to be seen, but some interesting points should be noted. 


From a HIPAA standpoint, HealthVault, and similar models that are popping up (e.g., Google is working on a similar "vault"), are not directly subject to the requirements set forth in the Privacy and Security rules because they are not "health care providers," "health plans" or "health care clearinghouses."  Furthermore, such "vaults" may not even be "HIPAA Business Associates" because, as I currently understand these models, the agreement to store the information is between the patient and HealthVault, and so the services provided will typically not be "on behalf of" the health care provider. 


One question that is being asked by some is whether health care providers should, upon request by a patient, download all records in their possession to the vault without written assurance that this information will be kept private and secure.  But even if, as proponents argue, this sort of "information download" is analogous to a provider faxing the information to a destination requested by the patient, it raises other issues such as "is the provider required to download new information about the patient when it is received, or should providers wait for the patient to request each download?"  Then, if providers only download new information when their patients make the request on a case-by-case basis, and the patient fails to do so, does that create an incomplete picture of the patient and diminish the clinical value of such vaults?  Other issues include: who will pay for the administrative cost of providers taking the time to download information to such vaults, and will providers’ current software be compatible and allow for easy transmission? 


Similar patient-controlled Personal Health Records (PHRs) have failed miserably in the past, which has led many to try alternate models such as decentralized direct provider-linked RHIOs.  Yet, it will be interesting to see whether HealthVault can make PHRs work.