PrivacyPlace fisks HealthVault

Summary: Whether HealthVault delivers on its promises is not the issue. The issue is whether anyone should trust Microsoft with their health information based on current privacy statements.


The term fisking, a detailed rebuttal of someone else's statements and assertions, is fairly common to blogging but uncommon in health care.

Today The Privacy Place gave a good fisking to Microsoft's HealthVault.

The group's problems are these:

  1. HealthVault is not covered by HIPAA, only its own privacy statement.
  2. The privacy statement lets HealthVault move your data offshore, where there is no privacy protection.
  3. HealthVault will not promise to keep your health data separate from other data Microsoft may have on you.
  4. HealthVault access controls are easy to legally breach. If you give someone else permission to access your records, they can have them all, even change them.

It should be noted that these are not technical problems, but legal and ethical problems. Whether HealthVault delivers on its promises is not the issue. The issue is whether anyone should trust Microsoft with their health information based on current privacy statements.

The answer The Privacy Place delivers is a resounding no.

This is not just some blogger talking. The Privacy Place has a dozen major authors, and this piece was written by director Annie Anton. It is sponsored by the National Science Foundation and a unit of North Carolina State University.

It's pretty amazing that Microsoft either did not contact these people, or did not run their policies by them, before launching. Microsoft did considerable homework in advance of this launch, and the company knows its privacy policies are suspect. Microsoft also has many lawyers.

It's the kind of fiasco that could set the movement toward electronic health records back years. That kiss on the top of the HealthVault home page could prove the kiss of death.

  • EHR set back has nothing to do with HealthVault

    EHR is set back for years for so many reasons which have nothing to do with the HealthVault.

    EHR is a noble concept but in application very technically difficult to achieve and at best fragile.

    Top that off with everything Healthcare-wise being in a 'state of flux' (in the US at least) and you have a 'quiltwork' of Hospitals running their own Rail Roads in the foreseeable future.

    No single Health Care standard will prevail for the time being.

    Things may seem discouraging at times but there will always be hope for improvement.

    Temperance is a virtue!
    D T Schmitz
    • Microsoft and EHR

      For better or worse, Microsoft is a very big company, a very public company, and its EHR efforts will cause many observers to give the whole concept a thumbs-up or a thumbs-down.

      And right now it looks like a thumbs-down.
  • RE: PrivacyPlace fisks HealthVault

    Actually the concept of HealthCare banking and allowing patients to "own" their own data is exactly the direction we want to move. The problem with the Vault is that 3rd party applications will be the source of much of the data and they don't follow the same high privacy standards. For example here is part of the American Heart Association's disclosure for their new HV Blood Pressure Tracking Program. Clearly they are going to use your data to market to you and use your illness and name to fund raise! That is what will kill EHRs the fastest. Oh and you can't opt out once you start the sign up process. If you get to this page and realize there is not a "no" option and cancel out the data still shows up in HV and they have access.

    When you use the Blood Pressure Management Center, you can choose to allow the AHA to use and copy personal and medical information from your Microsoft Health Vault Account to an AHA database. Allowing the AHA to use and store this personal and medical information from your Microsoft Health Vault Account means that AHA can send you health educational information targeted to your health condition(s) and allows the AHA to use this information for certain research purposes described below. The information you share with the AHA includes personal demographic information such as your name, gender, ethnicity, birth date, home and e-mail addresses, zip code, and household income level. This information also includes your medical information such as height, weight, blood pressure values, nutrition values, cholesterol levels, physical activity, medication use and type, diet, renal disease and diabetes, and whether you have a family or personal history of heart attack or stroke and whether you have health insurance or a caregiver.
    • AHA not liable for release of HealthVault Information

      If you want to opt out you have to call them on the phone or send them a snail mail letter versus just logging on and selecting an option.

      If you want to withdraw your consent for the AHA to copy, store, use or disclose your personal or medical information from your Microsoft Health Vault account, please

      -Call us toll-free at 1-800-242-8721, or
      -Write to us at National Service Center, American Heart Association, 7272 Greenville Avenue, Dallas, Texas 75231.

      They also are not liable for the disclosure of your medical data.

      You agree that you release, and agree to indemnify, defend, save and hold harmless AHA, its affiliates, and its and their officers, directors, employees, contractors, volunteers, sponsors and agents from all claims arising out of or related to your access or your use of, or your inability to use the Blood Pressure Management Center or AHA's collection, use, storage or disclosure of your personal or medical information. (iv) AHA'S USE OR DISCLOSURE OF YOUR PERSONAL OR MEDICAL INFORMATION OR

      And will store your data on their own servers and share it as they see fit with 3rd parties.

      -The personal and medical information you authorize AHA to copy from your Microsoft Health Vault account will be stored by AHA in its own databases on its own servers or servers of third parties under contract to AHA.

      -AHA, including its local affiliates, may send you personalized health educational and other materials targeted towards persons with your health conditions.

      -AHA, including its local affiliates, may send you personalized information related to research studies being conducted by third parties related to your health condition(s). If you want to participate in such studies, you will be asked to opt-in to provide information about yourself to the third party and receive additional information about the research study.

      -AHA, including its local affiliates, may send you personalized information regarding opportunities to support the mission of AHA, either financially or by volunteering for AHA events and activities.

      -AHA may share your personal and medical information with third parties under contract with the AHA to provide certain operational services to the AHA or on its behalf. Such disclosure will be made on a 'need to know' basis and AHA will require such third parties to comply with the privacy obligations set forth in this document and AHA's Privacy Policy.