Today Microsoft launched their new web portal, HealthVault to store, for free, “medical histories, immunization and other records from doctors’ offices and hospital visits, including data from devices like heart monitors. It is also tied to a health information search engine the software maker launched last month.”
Are you wondering if the U.S. Health Insurance Portability and Accountability Act (HIPAA) will apply to your protected health information (PHI) that you entrust to Microsoft? Well, ask yourself, is Microsoft a healthcare provider? NO! A healthcare insurer/payer? NO! A healthcare clearinghouse? NO! Those are the entities that must comply with HIPAA.
The article states,
“The HealthVault site itself doesn’t do much more than provide a window into stored information and a mechanism for sharing it. Microsoft hopes hospitals, doctors’ offices, advocacy groups and insurance companies will build Web applications that patients will want to use.
The American Heart Association, American Lung Association and other organizations already have applications in the works, Microsoft said. And devices including blood glucose monitoring systems made by Johnson & Johnson will be able to upload data into the system.”
Hmm…
I went to the HealthVault site to see what it’s all about.
As I read more about this “service” it sounds more and more like a privacy trainwreck waiting to happen.
They have a privacy policy for “Your Healthvault Account” and another one for “HealthVault.com & HealthVault Search.”
Huh? Why do they have two? This seems fishy…and risky for Microsoft, and their Healthvault participants, to say the least…
I did a side-by-side comparison of the two.
The one for “Your Healthvault Account” is longer and more detailed than the other.
The one for “Your Healthvault Account” states:
“After you create your Windows Live ID, you can use the same credentials to sign in to many different Microsoft sites and services, as well as those of select Microsoft partners that display the Windows Live ID or Microsoft Passport Network logos. By signing in to one Microsoft site or service, you may be automatically signed in when you visit other Microsoft sites and services.”
Red flag!! So Microsoft is allowing the users of Healthvault to use the same credentials, seeming to encourage them to actually, that they use not only on other Microsoft sites, but also on the Microsoft partner sites?
Encouraging the use of login credentials for accessing highly sensitive PHI to be the same as for other sites is careless. Do most people want to do this? Probably. However, Microsoft should clearly explain to their participants the risks of using the same credentials to access their PHI as for other sites with information that is not as sensitive.
So, if Microsoft or one of their partners has an incident with the user credential database, which is probably not encrypted…it does not say it is anywhere…everyone who has stored PHI witin their Healthvault using the same loging credentials may subsequently have bad things happen through misuse to their PHI.
Another line from “Your Healthvault Account”:
“You can use Programs to enter a wide range of health information into a record. You can also store documents. You can give Programs permission to view, add, modify, and/or delete information in a record. Please refer to the privacy statements of those Programs for information about their privacy policies, and about how your information will be used by those Programs.”
Yikes! Giving Programs unfettered access to PHI? And then be subject to yet other privacy statements, which may be conflicting, based upon each of those Programs?
The entire following section from “Your Healthvault Account” is full of red flags:
“Sharing Your Personal Health Information
A key value of the Service is the ability to share your health information with people and services who can help you meet your health-related goals. For example, you can share health information from records you control:
to co-manage the health of a family member [RED FLAG!]
to use products and services that can improve or monitor your health [RED FLAG!]
to consult with your health care provider [RED FLAG!]
to provide fitness information to coaches and trainers [RED FLAG!]
You can share information in a health record you are custodian of with another person by sending a sharing invitation e-mail through the Service. [RED FLAG!]
If the person accepts your sharing invitation and has or creates a Service account, he or she is given access to that information. You can specify how long they have access (custodian access does not expire but, like all sharing access, it can be revoked at any time) and whether they can modify the information.
You can also choose to grant custodial access to other persons, such as your spouse or health care provider, for any record that you are a custodian of.<strong> [RED FLAG!] Custodial access is the broadest level of access, so you should think carefully before you grant custodial access to a record. Every custodian of a record has the same access to the record, including accessing, modifying, deleting, and sharing all the information in the record. [RED FLAG!] A custodian can also revoke access to a record from any other custodian of the record, including you.<strong> [RED FLAG!]
You can also share personal information and health information when you use Programs.[RED FLAG!] You decide which Programs you want to use. You must approve (or deny) the Program’s specific request for a.)The type of information it needs to access in order for it to function properly and b.)What it wants to do with the information (view, add, modify). Programs are listed in the HealthVault Programs Directory at HealthVault.com, and you can also access Programs directly through their own Web sites. A Program informs you of what personal and other health record information it requires in order to function, and the Program will inform you, generally through a privacy statement, how it will use your data. [RED FLAG!] You must affirmatively authorize a Program’s access to any health record in your account for which you have the necessary access level. Microsoft obligates Program providers not to disclose your data without your express consent. [RED FLAG! How do they “obligate” them?] You can freely grant and revoke a Program’s access to your records through the Service. The access you grant a Program through the Service is valid until you revoke that access.
HealthVault users with whom you have shared your records can also give a Program access to those records.[RED FLAG!] You can see a complete history of how Programs have accessed the information in your records by using the History feature in your HealthVault account.”
Here’s another red flag loophole:
“Microsoft may access and/or disclose your personal information if we believe such action is necessary to: (a) comply with the law or legal process served on Microsoft; (b) protect and defend the rights or property of Microsoft (including the enforcement of our agreements); or (c) act in urgent circumstances to protect the personal safety and welfare of users of Microsoft services or members of the public.
Personal information collected on the Service may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or agents maintain facilities, and by using the Service, you consent to any such transfer of information outside of the U.S. The Service may be used only in the U.S.”
It is a very broad statement open to a very wide range of interpretations.
Here’s another:
“You can close your account at any time by signing into your HealthVault account and editing your account profile.. In order to help keep your health information from being accidentally or maliciously removed, we wait 90 days before permanently deleting your account information.”
Another excerpt…
“Because inappropriate granting of access could allow a grantee to violate your privacy or even revoke your access to your own records, we urge you to consider all the consequences carefully before you grant access to your records.”
This is pretty darn important! Microsoft should provide much more information about protecting PHI for the participants of this program. They should provide an entire subsite devoted to training and awareness related to privacy issues with PHI.
Another excerpt…
“Security of Your Personal Information
Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, and disclosure. For example, we store the personal information you provide on computer servers with limited access that are located in controlled facilities.
Additionally:
All communications with the Service are sent using encryption (that is, HTTPS).
We require you to use a “strong” password
You can view a history of access and actions to any Health Record that you are a custodian of.”
They do not say anything about encrypting your PHI while it is in storage or transmitted through means other than their website portal.
Saying “all communications with the service are sent using encryption (that is, HTTPS)” is not really true, is it? What if a Healthvault participant sends some PHI within an email to an address at Healthvault? They may very well do so, thinking that, somehow, it will magically be encrypted. This kind of statement is very misleading to consumers who do not have a good understanding of what encryption types there are, and what encryption can and cannot do. Most of the likely participants in this “service” will not have much, if any at all, knowledge of encryption.
And what is their definition of a “strong” password? It is odd they put “strong” in quotation marks…what does that imply?
They do not say anything about making backups of your PHI. If they do, and your close your account, how do they permanently delete all your PHI on those backups?
And now for the section on web bugs…
“Use of Web Beacons
Microsoft Web pages may contain electronic images known as Web beacons – sometimes called single-pixel gifs – that may be used:
to assist in delivering cookies on our sites
to enable us to count users who have visited those pages
to deliver co-branded services
We may include Web beacons in promotional e-mail messages or in our newsletters in order to determine whether messages have been opened and acted upon.
Microsoft may also employ Web beacons from third parties to help us compile aggregated statistics and determine the effectiveness of our promotional campaigns. We prohibit Web beacons on our sites from being used by third parties to collect or access your personal information. We may collect information about your visit to account.HealthVault.com, including the pages you view, the links you click, and other actions taken in connection with the Service. We also collect certain standard, non-personally identifiable information that your browser sends to every Web site you visit, such as your IP address, browser type and language, access times, and referring Web site addresses.”
I have just one word for this…YIKES! For more information on web bugs see my paper, “Quit Bugging Me!”
Another excerpt…
“We may occasionally update this privacy statement. When we do, we will also revise the “last updated” date at the top of the privacy statement. For material changes to this privacy statement, we will notify you either by placing a prominent notice on the home page of the HealthVault Web site or by sending you a notification directly. We encourage you to periodically review this privacy statement to stay informed about how we are helping to protect the personal information we collect. Your continued use of the service constitutes your agreement to this privacy statement and any updates. Please be aware that this privacy statement and any choices you make on the Service do not necessarily apply to personal information you may have provided to Microsoft in the context of other, separately operated, Microsoft products or services.”
Oh, boy…here’s a loaded statement, “Your continued use of the service constitutes your agreement to this privacy statement and any updates.”
So, as long as you’re using the service, even if the privacy policy changed, they are trying to obligate you to agree to the new privacy statement by default. I think there are a lot of lawyers who would have a field day with this one! This has been tried, and lost, in previous cases. Hmm…I think that would be a good research paper topic…
The other privacy statement, “HealthVault.com & HealthVault Search,” has a couple of sections not found in the other one; 1) Advertising in HealthVault Search, and 2) Use of third-party ad networks, which includes the statement, “Microsoft maintains relationships with a number of the third-party ad networks currently operating such as: Avenue A; BlueStreak; DoubleClick; Mediaplex; Pointroll; RealMedia; SendTec; TangoZebra; and Unicast. Those ad networks that use persistent cookies may offer you a way to opt out of ad targeting.”
So you MAY be able to opt-out…but then again…you MAY NOT!
Microsoft is a member of the TRUSTe Privacy Program…so what! That program does not typically cover all the backoffice activities for the data collected on a website…where so many incidents and breaches occur.
After reading through all this, I wonder; why would someone want to entrust Microsoft…a company with no experience in healthcare, in processing PHI, but much history with security problems…with information as sensitive as PHI?
Even healthcare covered entities that understand the risks involved still often don’t adequately provide protection for PHI…even when they are obligated under HIPAA!
Microsoft is not obligated by any law to specifically protect PHI.
Microsoft is obligated by the FTC Act to abide by their posted privacy policies, but as you can see by their MULTIPLE privacy policies, they have created so many loopholes and escape hatches to offput their liability…or at least it seems they have tried to…that it may be hard to find a solid judgment against them.
However, those loopholes could actually end up being their own noose in court…the FTC has shown many times they do not like companies that practice unfair and deceptive business practices.
Tags: awareness and training, FTC Act, Healthvault, HIPAA, Information Security, IT compliance, Microsoft, personally identifiable information, PHI, PII, policies and procedures, privacy, privacy incident, protected health information, risk management, security training