Microsoft launches personal health record site

Microsoft's HealthVault aims to record personal health details in the cloud and allow users to control access to that data

Microsoft has launched its HealthVault cloud-based health-organiser platform in the UK, nearly three years after its US launch in October 2007.

The platform is designed to allow organisations to develop applications that let individuals monitor various aspects of their physiological performance, based on user-supplied data such as body mass index, blood pressure and heart rate.

"HealthVault is aimed at the 13 percent of the UK population who are actively engaged in monitoring their wellness," Dave Coplin, Microsoft's national technology officer, told ZDNet UK. "We wanted the right kind of data store."

Individuals are given control over who can look at the data by specifying which applications and organisations have access rights, and can also audit who has accessed the data, said Coplin. The underlying system uses XML schemas to provide this control, he said.

In the UK, Microsoft has worked with Nuffield Health on applications, and hopes to talk to organisations such as the British Heart Foundation and the British Diabetic Association to develop monitoring apps.

Microsoft has provided a software development kit (SDK) for developers based on Microsoft's .Net platform. For open-source developers and those on other proprietary platforms, Coplin said that HealthVault had a set of application programming interfaces (APIs) available on CodePlex, Microsoft's open-source repository, which would allow coders to develop in languages including PHP and Python.

Microsoft has no plans to allow information exchange between HealthVault and NHS systems such as Summary Care Records, which hold patient medical information. In addition, Microsoft said it would not at present integrate HealthVault with the NHS health organisation suite, HealthSpace.

Applications which interact with the HealthVault database must comply with Microsoft security and privacy policy, said Coplin. The cloud platform will be hosted in the UK at the same datacentre as used by government organisation the Child Exploitation and Online Protection Centre (CEOP), said Coplin. Under European data protection law, citizen information must not be sent outside of Europe without consent. The UK datacentre is administered by UK technology company Attenda.

Law enforcement and the intelligence services will only have access to the information should they present a warrant, said Coplin.

The strength of a private sector health organisation's privacy commitment was questioned on Tuesday by Ross Anderson, professor of security engineering at Cambridge University.

Anderson said that institutions such as GPs and the Family Planning Clinic had a history of resisting demands for information access from law enforcement, if those demands contravened European human rights law. "At the moment, if the police go to a doctor and ask to see your patient records, the doctor will say: 'I'll see you in court'," said Anderson. "If the police go to a 26-year-old [Microsoft] health administrator or senior shift supervisor, that's something else."

Anderson added that there was a danger of function creep in who had access to the health data, saying that the sheer amount of information held could attract requests for information from police, health researchers and health insurance companies.

The Conservatives in August 2009 said that should they be elected, they would seek to "dismantle Labour's central NHS IT infrastructure", including putting a greater emphasis on third-party health platforms such as HealthVault.

Coplin said that Microsoft had not discussed HealthVault with the new government, but had been talking about decentralisation of services.