Several recent PHI-related news items, including two that were commented upon by Michael Kline in this blog series in his posts dated June 27, 2011 (regarding Google Health’s announced shut down) and July 3, 2011 (regarding the Spartanburg (S.C.) Regional Health System PHI security breach), and one that was described by Bill Maruca in a post dated June 22, 2011 (regarding the safety of “cloud-based” data storage systems), share a common feature – they underscore our need to trust the keepers of our PHI. We need to trust that, whether PHI is in the cloud or on a server, in a thumb drive or on a hard drive, only those who have a right and a need to access it can and will do so. 

A recent petition (“Petition”), filed as a putative class action in federal court in St. Louis, Missouri against The Siteman Cancer Center at Barnes Jewish Center (“Siteman”) and the Washington University (St. Louis) School of Medicine provides an example of insult adding to injury when the trust in our PHI-keeper is broken. Mistakes may happen, but trust is really breached when the mistakes that involve PHI are not admitted and addressed immediately.

 

The Petition alleges that, sometime over the weekend of December 4, 2010, “an unencrypted laptop computer,” which contained the PHI of “hundreds of cancer patients,” was stolen from Siteman’s Gynecological Treatment Center.  While the exact number of individuals affected is not identified in the Petition, there has been no posting of the breach in the list maintained on the U.S. Department of Health and Human Services Web site respecting  breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”). This suggests that fewer than 500 individuals were affected. 

 

According to the Petition, Siteman did provide notice to affected individuals – but, based on allegations in the Petition, the notice was too little and too late. The Petition contends that Siteman knew about the stolen laptop immediately after the December 4, 2010 weekend, but did not notify affected individuals until it sent out a letter dated January 28, 2011.   Adding apparent insult to this delayed notice of injury, the Petition asserts that Siteman also “downplayed the seriousness of the security breach” and failed to include complete information about (and thus “misrepresented”) the type of information that was stolen. 

 

In blogging about the Spartanburg breach, Michael writes, “[i]t is perplexing that a hospital would choose to withhold disclosure of the extent of its PHI security breach, as it risks a second round of significant media coverage when the posting on the HHS List takes place one to three months later.”   I find it similarly perplexing that a hospital, such as Siteman, might choose to withhold disclosure of the extent of an especially sensitive PHI security breach, particularly when the disclosure is being made directly to the potentially affected individuals. Failure to disclose promptly and accurately the nature and extent of a breach not only erodes patient trust, but also increases the likelihood of a “second round” of patient harm and ensuing litigation.

On June 24, 2011 Steve Lohr reported in The New York Times that Google is ending its three year initiative into the world of online storing by consumers of personal health records.  Google Health had promoted this as a significant application of its “cloud computing” platform. 

A visit to the Google Health Web site reveals the following statement:

An Important Update about Google Health

Google Health will be discontinued as a service.

The product will continue service through January 1, 2012.
After this date, you will no longer be able to view, enter or edit data stored in Google Health. You will be able to download the data you stored in Google Health, in a number of useful formats, through January 1, 2013.

The Lohr article quotes a blog posting of Aaron Brown, senior product manager for Google Health, to which the Google Health Web site also directs readers. Mr. Brown states that the goal of Google was to “translate our successful consumer-centered approach from other domains to health care and have a real impact on the day-to-day health experiences of millions of our users.”  However, Mr. Brown admitted in his blog post, “Google Health is not having the broad impact we had hoped it would.”

 

Mr. Lohr points out, “Google is by no means the only company to abandon the field of consumer health records. Revolution Health, for example, retired its personal health record service last year, citing few users.”  He also quoted others who attributed the lack of users to a variety of causes, including heavy and continuous demands on the time of consumers to maintain current, accurate and complete online health records, loss of consumer appetite to other more appealing computer applications, the complexity of the health field, and greater success of online health records when providers or insurers are partnering in the process.

 

A significant reason for the lack of attraction to Google Health that was not mentioned in the Times article may be the reasonable uneasiness that consumers have about privacy and security of their personal health information (“PHI”). In April 2010, a posting was entered on our blog series entitled, “Does the Reported Massive Theft of Password Information at Google Undermine Confidence in the Privacy and Security of Google Health.” That posting addressed PHI privacy and security problems experienced by Google Health at that time. Specifically, according to a Times article by John Markoff, Google Health suffered a breach of the password system  that controlled access by millions of users worldwide to almost all of the company’s Web services, including email and business applications. 

 

Thus the conclusion of our April 2010 posting may have been another significant reason for the termination of the Google Health experiment in online personal health records:

 

If the reported security breach at Google is as broad and comprehensive as reported, a subscriber to Google Health is not as in control of his or her PHI as the Google [Health Privacy] Policy may lead one to believe. . . . The potential damage to subscribers is catastrophic and perhaps should be the subject of investigation for potential regulation. 

There has been  new information published regarding the disclosure by Google in January 2010 of theft of proprietary computer information by Internet intruders. On April 19, 2010, John Markoff wrote in The New York Times that a Google “password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications” had been breached. The article goes on to say:

The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as “cloud” computing, a single breach can lead to disastrous losses.

What is especially perplexing is that, in May 2008, Google launched Google Health, which was touted as a repository or platform for individuals to store and organize their personal health information (“PHI”) online for ease of reference and sharing at the discretion of the individual. The Google Health Web site sets forth its Google Health Privacy Policy (the “Google Policy”). Included among the statements in the Google Policy under the heading You are in control of your information” are the following:

You control who can access your personal health information. By default, you are the only user who can view and edit your information. If you choose to, you can share your information with others.

Google will not sell, rent, or share your information (identified or de-identified) without your explicit consent, except in the limited situations described in the Google Privacy Policy, such as when Google believes it is required to do so by law.

Included among the statements in the Google Policy under the heading How Google uses your information” is the following:

To store your information in Google Health, you will need a Google Account. When you create a Google Account, Google asks for your email address and a password, which is used to protect your account from unauthorized access.

If the security breach at Google is as broad and comprehensive as reported, a subscriber to Google Health is not as in control of his or her PHI as the Google Policy may lead one to believe. While HIPAA and HITECH statutes and regulations would require a “covered entity” or “business associate” to undertake massive damage control and notices of breach to affected individuals, and perhaps even subject the covered entity or business associate to heavy penalties, presumably the Google Health repository is not so regulated. The potential damage to subscribers is catastrophic and perhaps should be the subject of investigation for potential regulation.

Google Health and National Hospice and Palliative Care Organization’s Caring Connections have partnered to allow patients to store and access their advance directives on line.  Advance directives are essentially "directions" that a person gives to their medical professionals about what interventions they wish to have provided or withheld under specific circumstances — especially in emergencies and at "end-of-life" moments — when such person can not express those wishes himself or herself.  Advance directives laws vary from state-to-state, but typically require such directives to be in writing, signed and to have a personal representative listed.

GoogleHealth and Caring Connections will offer a "living will" feature that allows users to download a free state-specific advance directive and store completed and signed scanned documents securely on line in their GoogleHealth account.  By "storing" such advanced directives in GoogleHealth’s centralized repository, the hope is to offer providers with a better method to insure that a patient’s true wishes with regard to health care interventions are honored.  But, will it?

What had me wondering is how exactly will the provider access the advanced directive on Google Health without the individual (who presumably has lost his or her ability to communicate) providing his or her password?   I suppose that in instances where a personal representative has been appointed, the individual could make sure to provide such password to his/her personal representative — but watch out, because if the personal representative changes, then the password may need to change too.  Another option may be for individuals to pre-authorize their entrusted health care provider with access to their personal Google Health account.  Yet, this also has problems where one does not necessarily know which emergency room provider might end up providing them with care. 

Nevertheless, even with its limitations, Google Health’s new advanced directive feature will likely be beneficial in many circumstances.  To learn more about GoogleHealth and Caring Connection’s new advance directive feature, click here.