Protecting online medical records

SAN FRANCISCO -- Hoping to persuade more people to store their medical records online, Google Inc., Microsoft Corp. and other health care providers and insurers have agreed on ground rules for protecting the privacy of the sensitive information.

The guidelines, unveiled Wednesday, are designed to reassure patients that they can enjoy the convenience of keeping their medical histories in online filing cabinets without worrying that that will open a door for outsiders to peruse the data without their knowledge.

The privacy concerns have become more acute during the past eight months as both Google and Microsoft, two of the world's most powerful technology companies, have introduced Internet storage services for personal health records, or PHRs.

By keeping their medical histories online, patients theoretically will have more control over the information and be able to share it more easily with a doctor if they switch practitioners or are referred to a specialist.

But the concept has been slow to take off. Just 6.1 million adults in the United States have electronic PHRs, according to estimates released Wednesday by the Markle Foundation.

"Consumer demand for (PHRs) and online health services will take off when consumers trust that personal information will be protected," said Zoe Baird, Markle's president.

Like other companies outside the traditional health care industry, neither Google nor Microsoft is subject to the Health Insurance Portability and Accountability Act, or HIPAA. The 12-year-old federal law strictly shields medical records from unwelcome eyes.

That loophole has caused some privacy watchdogs to warn patients that digitizing their health records could make it easier for the government, a legal adversary or a marketing concern to obtain their medical information.

The new "Connecting For Health" guidelines aim to give electronic PHRs at least the same level of protection already governing paper medical records. The rules also call for patients to be notified in a "timely way" if their medical information is released by mistake, computer hacking or other mischief.

The Markle Foundation, which has been focusing on ways to use technology to improve health care, cobbled together the guidelines during the past 18 months with help from more than 40 companies and trade groups with a stake in the outcome.

"This is really an exemplary framework for going forward in this area," said Steve Findlay, health care analyst for Consumers Union, the publisher of Consumer Reports magazine. "I think it will enhance the trust in consumers over the next few years."

Representatives for Google, Microsoft and two other technology companies, Intuit Inc. and WebMD Health Corp., said they didn't have to make any significant changes to their existing policies to comply with Markle's privacy framework.

Others supporting the guidelines include Aetna Inc., America's Health Insurance Plans, BlueCross BlueShield Association and the American Medical Association.