Data privacy remains a top concern as Google seeks more users, partners for its new personal health-record platform
About two years ago, lightning struck for SafeMed, a healthcare analytics software firm, when representatives from Google strolled by the fledgling company’s booth at a trade show.
“That initiated some discussions,” says Richard Noffsinger, chief executive officer of SafeMed. The San Diego-based company signed on as one of Google Health’s first partners, sprouting more growth and new clients.
“The partnership has helped us in all areas,” Noffsinger says, including lending financial stability. SafeMed also benefited from its collaboration with Google’s engineers so it could meet expected growing demand from the millions of Google users. “Having a customer of the stature of Google is incredible.”
Google Health, launched in May to much fanfare, allows users to store, organize and manage their personal health records and other information online. The concept is that the approach puts individuals in charge of their own health data and allows them to access that data when they switch providers, visit an emergency room or search for relevant health information.
The jury is still out on whether people will use Google Health or another consumer-driven online PHR, and Google has declined to release any numbers to date.
To make the product attractive to consumers and to ensure personal medical information is relevant, Google Health is relying extensively on third parties. Google is deploying the so-called “Long Tail” model where a large number of unique products or services are offered to a wide range of people, with the expectation that freedom of choice will drive participation.
In applying that model to healthcare, Google Health, along with Microsoft Corp., which offers a competing product called HealthVault, are rapidly shaping the health information sphere. HealthVault, launched in fall 2007, is a formidable competitor, with more than 100 partners, including leaders in the health information technology field such as Kaiser Permanente.
Visits to health information Web sites have risen 21% in the past year, more than four times the rate of the total U.S. Internet population, according to a Sept. 9 study by comScore, a Reston, Va.-based firm that measures digital usage, and improved site functionality, trust and personalization are fueling the trend. “As Google and Microsoft ramp up their efforts with their respective health sites, it will be interesting to see how the sector evolves,” says John Mangano, a senior director of the firm, in a news release.
What’s more, Google is injecting a “cool” factor into the traditionally wonky health sector.
But the search giant is also raising privacy concerns as it rapidly adds new partnerships.
The company has signed on about two dozen partners so far, and there are “a lot in the pipeline right now,” says Missy Krasner, product marketing manager for Google Health and a former senior adviser to David Brailer when he was HHS’ first national coordinator for health IT.
Some partners, such as Aetna, the Cleveland Clinic, Quest Diagnostics, Walgreen Co. and Wal-Mart Stores, already are major players in healthcare. But others are smaller startups in the Health 2.0 information space, sites that are more interactive and consumer-participatory (Dec. 10, 2007, p. 32). How they perform as partners with Google Health, and their ability to keep information secure is being closely watched by privacy advocates.
Eric Schmidt, chairman and CEO of Google, fired the first salvo in late February when he gave the keynote address at the Healthcare Information and Management Systems Society annual conference in Orlando, Fla. Schmidt invited everyone in the audience to consider partnering with Google Health. “If you’ve got an idea that can really change the world of medicine, we want you to build on top of this platform,” he said.
Schmidt’s HIMSS keynote has been viewed on YouTube (another Google property) nearly 70,000 times.
Google’s popularity has helped the Mountain View, Calif.-based search giant attract partners, says Robert Wachter, associate chairman of the University of California at San Francisco Department of Medicine, and a member of Google Health’s now-disbanded advisory group, an unpaid position. Google is expected to name a new advisory council shortly.
“My sense was the cool factor was an important part of why” the original partners were there, Wachter says. “I mean, everyone returns Google’s phone calls.”
Google’s cache extends well beyond its brand, Wachter says. “Google has sex appeal because it has a track record,” he adds. “Whenever you are starting a new enterprise, the question is, ‘What’s the likelihood of ending up with new and exciting things?’ ”
The pace at which Google Health is adding partners is worrisome to some privacy advocates because Google and many of its new partners don’t fall under the oversight of the Health Insurance Portability and Accountability Act of 1996. And while experts say they trust that Google is committed to privacy protection, they are not so sure about some of the partners.
“Oh, that’s the biggest concern,” says Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, a not-for-profit, nonpartisan group based in Washington dedicated to digital civil liberties. “The real risk is the lesser-known companies. It means we are now counting on Microsoft or Google to police those entities.”
Google’s partnerships with trusted providers that are HIPAA-covered organizations—like Aetna, 585-bed Beth Israel Deaconess Medical Center in Boston and the Cleveland Clinic—will bring more consumers into Google’s fold, McGraw says. The federal privacy law applies to health plans and providers as well as healthcare claims clearinghouses.
Those providers might lead patients to other products and services that HIPAA doesn’t regulate, and users may not know this, McGraw says. “We have this buyer-beware infrastructure that is very dangerous when talking about personal health information,” she says.
John Halamka, chief information officer at CareGroup Health System, parent of Beth Israel Deaconess, a board member of SafeMed and a Google adviser, says that Google doesn’t vet its partners based on privacy policies, but that doesn’t bother him.
“I don’t worry about Google Health,” Halamka says. “It’s totally self-contained and secure.” He says that users who sign up for Google Health opt in to share their information with partners and they can opt out at any time.
Still, others who worked closely with Google on developing Google Health have continued concerns. “It’s one thing to trust Google, but everyone should stop and think about whether they want to share with third parties,” says Paul Tang, chief medical information officer of the Palo Alto (Calif.) Medical Foundation and also a former Google Health adviser.
Just giving a date of birth, gender and ZIP code can identify 86% of people in the U.S. by name, Tang says. “And it’s very hard to be de-identified once you are identified,” he adds.
Another concern—especially considering the country has already lived through the bursting of one dot-com bubble—is that data are prime assets during mergers and bankruptcies. Even if companies say they won’t sell that data today, perhaps they will in the future, Tang says.
For partners that aren’t covered by HIPAA, Google, under its partnership agreements, prohibits them from selling user data, even in the aggregate, Krasner says. “That decision was made because we are new in this space and are using a platform model,” a model where Google provides the infrastructure and third parties provide services, data and content, she says. “But that may evolve and change down the road.” If Google found out that an application was doing something “evil,” the company would end the partnership, Krasner says. Google does not sell ads on Google Health currently, but that could change.
Certainly, the partners aren’t likely to do anything to risk their relationships with Google, the former advisers say. Several partners that were contacted for this article say they will adhere to Google’s privacy policies. “Being partners with Google gets you a lot of recognition,” says Nick Encina, president and chief operating officer of Praxeon, which operates MyDailyApple, a health search provider with six employees based in Cambridge, Mass. “It’s the recognition that has helped—to be validated by a company like Google.”
MyDailyApple works by tailoring medical searches to specific users and providing relevant health-related content to online healthcare communities. “We can scrape information from health records and provide context, then people can give that information to their physicians,” Encina says.
Encina says that the company doesn’t share user information with anyone and has no advertising, though ads are “a possibility in the future.” He says his firm is sensitive to the issue, noting that Praxeon’s contract with Google doesn’t have a noncompete clause, doesn’t involve money changing hands and is open-ended.
Google Health partnerships are coming so fast that one partner might not be aware of another. When asked his opinion of MyDailyApple, SafeMed’s Noffsinger says he had not heard of the service.
The big issue Google is dealing with now is making Google Health relevant in people’s lives, and for that, it needs partnerships. “It’s not enough for people to sign up and have an account,” Krasner says. “What we measure is transactions,” such as when people check for potential drug interactions.
Soon, Google will add a user-to-user sharing feature, allowing people to share their profiles with family members, providers and caregivers, Krasner says. The idea is that users are ultimately in charge of their private medical data and whom they trust to share them with, she says.
Still, PHRs aren’t attractive to everyone, even those partial to Google, such as the young and healthy, Halamka says. But they are of high value to providers such as himself, an emergency room physician. “Often I’m flying blind,” he says. “I would hope that a PHR would help.”
The key to Google Health’s success is making sure that users don’t have to input information themselves, but rather be able to access critical data at the click of a mouse. For instance, 40,000 patients at Beth Israel Deaconess have PHRs, but only 42 patients have added any information to those files, Halamka says.
Making it easy and relevant to users and providers is “the crux of the matter,” Wachter of UCSF agrees. “How do you create appropriate tentacles to stick to patient data so it works like an interactive filing cabinet?” he says. “There are so many interdependencies in healthcare. Google can’t do this alone.”
What do you think?
Write us with your comments. Via e-mail, it’s firstname.lastname@example.org
; by fax, 312-280-3183.