Emerging Model for Online Health Records Management Raises Concerns

In a recent article in The New England Journal of Medicine, Dr Kenneth Mandl and Dr Isaac Kohane describe how the entry of large Internet companies, such as Microsoft and Google, into the field of managing patient records online may transform the way doctors and patients manage health information. They raise concerns that so much vital and intensely personal information will be stored in the hands of private companies and shunted back and forth over the Internet, and the difficulties in protecting such information. Traditionally, health data has remained within the confines of the various and disparate elements in the complex distribution chain of health services – doctors, hospitals, pharmacies, clinics etc. – usually each having its own data formats and consent requirements for access. However, as yet another example of the emerging world of "Web 2.0", a competing model is emerging – that of databases of personal health information on a single external platform, with data submitted by patients and controlled, at least nominally, by patients. In this model, health service providers would be granted access by the patient to access their online health records. One challenge with such services is that patients may not fully appreciate what they have consented to when they place their personal information in the hands of a service provider through an online portal. The service provider will have a significant interest in leveraging the accumulated data for research and clinical purposes. The consenting patient should understand to what extent their personal health information was being sold by a provider and used by third parties. Another issue is a lack of laws and regulations in the US to address collection and use of personal health information through online portals. The article notes that these Internet companies would not fall within the entities regulated by the US Health Insurance Portability and Accountability Act. In Ontario, any entity that collects, uses or stores personal health information to enable a health information custodian, such as a health care practitioner or researcher, to use personal health information, would be subject to the requirements of Personal Health Information Protection Act. That legislation specifically contemplates electronic collection and storage of health records and would likely apply to the third party online collection of personal health information. Even in Ontario, however, many observers would argue that the industry and patients alike would benefit from further regulation in this area. For the text of the Mandl/Kohane article, see: http://tinyurl.com/53uj6y For general news coverage, visit: http://www.nytimes.com/2008/04/17/business/17record.html?th&emc=th; and http://tinyurl.com/64sgce Summary by: James Kosa